Dalogin 2.2 Cross Site Scripting / File Disclosure / SQL Injection

2011-11-08 / 2011-11-09

Credit: hc0

Risk: High

Local: No

Remote: Yes

CVE: CVE-2010-5012

CWE: CWE-89

CVSS Base Score: 7.5/10

Impact Subscore: 6.4/10

Exploitability Subscore: 10/10

Exploit range: Remote

Attack complexity: Low

Authentication: No required

Confidentiality impact: Partial

Integrity impact: Partial

Availability impact: Partial

dalogin 2.2 multiple vulnerabilites
app desc: Configurable WebSite. PHP + Mysql: news zone with rss feed,
private zone, languages, themes, administration panel
app source: http://dalogin.sourceforge.net/
author: hc0
[1] config file disclosure
you can access config.ini file from [path]/admin/include/config.ini
this file contains mysql connection informations (user, pass, host etc..)
its says "come here and ownz by box!!"
[2] sql injection
at line 115 requested http parameter id use in sql query without filtering.
114 - //LEER COMENTARIOS
115 - $Sql="SELECT * from news_comments WHERE id_new=".$_REQUEST['id']."
AND state=1";
116 - $result_comments = mysql_query($Sql);
117 - while ($row_comments=mysql_fetch_array($result_comments))
118 - {
119 - echo '<table class="CommentTable">';
120 - echo '<tr>
121 - <td
width="100px">'.strftime(DATE_TIME_FORMAT,strtotime($row_comments['date_comment'])).'
122 - <br /><b>'.$row_comments['user_name'].'</b>
123 - </td>
124 - <td class="CommentTableImg">
125 - '.$row_comments['comment'].'
126 - </td>
127 - </tr>';
128 - echo '</table><br />';
129 - }
[3] xss
181 - function InsertComment()
182 - {
183 - global $link;
184 - $Sql="INSERT INTO news_comments
(id_new,comment,date_comment,state,user_name) VALUES
(".$_REQUEST['id'].",'".$_POST['comment_text']."',Now(),0,'".$_POST['comment_user']."')";
185 - mysql_query($Sql);
186 - echo '<div class="CommentAlert" style=" background-color:
#c5fbcd">'.COMMENT_SENT_LABEL.'</div>';
187 - }
you need post a comment that includes your xss attack payload and its saved
database. its so simple :)
[4] just for fun i'm so bored..................

References:

http://xforce.iss.net/xforce/xfdb/59390

http://www.securityfocus.com/bid/40810

http://www.exploit-db.com/exploits/13830/

http://secunia.com/advisories/40204

http://packetstormsecurity.org/1006-exploits/dalogin-sqlxssdisclose.txt

http://osvdb.org/65471

See this note in RAW Version

Vote for this issue:

50%

Thanks for you vote!

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.

Nick (*)

Email (*)

Video

Text (*)

(*) - required fields.

{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1

{{ x.comment }}

Dalogin 2.2 Cross Site Scripting / File Disclosure / SQL Injection

References:

Thanks for you vote!

Thanks for you comment!Your message is in quarantine 48 hours.

Thanks for you comment!
Your message is in quarantine 48 hours.