Pointter PHP CMS 1.2 LFI / XSS / SQL Injection

2011.03.17
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-79

Pointter PHP Content Management System 1.2 Multiple Vulnerabilities Vendor: PangramSoft GmbH Product web page: http://www.pointter.com Affected version: 1.2 Summary: Pointter PHP Content Management System is an advanced, fast and user friendly CMS script that can be used to build simple websites or professional websites with product categorization, product blogs, member login and search modules. The webmaster can create unlimited static page boxes, static pages, main categories, sub categories and product pages. Desc: Pointter CMS suffers from multiple vulnerabilities (post-auth) including: Stored XSS, bSQLi, LFI, Cookie Manipulation, DoS. Tested on: Microsoft Windows XP Pro SP3 (en) Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic Advisory ID: ZSL-2011-5002 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5002.php 10.03.2011 --- XSS: The stored XSS is pretty much everywhere in the admin panel, just posting the string '"><script>alert(1)</script>' when editing some category, and on every return on the main page u get annoyed. LFI: script: pointtercms/admin/functions/createcategory.php post param: category poc: category=../../../../../../../../../test.txt%00&code=0e=0 script: pointtercms/admin/functions/createpage.php post param: pageurl script: pointtercms/admin/functions/createproduct.php post param: producturl bSQLi: script: pointtercms/admin/functions/editsettings.php post param: onoff, count, boxname, tonoff, tname, monoff, mname, nonoff, nname, memonoff, memname, searchonoff, searchname, pos, tpos, mpos, npos, mempos, mail. poc: onoff=1'+and+sleep(10)%23&pos=0 - Response size: 0 bytes, Duration: 10016 ms

References:

http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5002.php


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2022, cxsecurity.com

 

Back to Top