From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 30 Aug 2006 15:14:00 +0200
Subject: [UNIX] CMS Mundo SQL Injection and File Upload Vulnerabilities
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20060830131258.10E4F574F@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
CMS Mundo SQL Injection and File Upload Vulnerabilities
------------------------------------------------------------------------
SUMMARY
Secunia Research has discovered two vulnerabilities in CMS Mundo, which
can be exploited by malicious people to conduct SQL injection attacks and
compromise a vulnerable system.
DETAILS
Vulnerable Systems:
* CMS Mundo version 1.0 build 007
Immune Systems:
* CMS Mundo version 1.0 build 008
1) Input passed to the "username" parameter in "controlpanel/" during
login isn't properly sanitised before being used in a
SQL query. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
This can further be exploited to bypass the authentication process and
access the administration section (by e.g. providing
"admin ' /*" as the username together with an empty password).
Successful exploitation requires that "magic_quotes_gpc" is disabled.
2) An input validation error in the image upload handling in the image
gallery can be exploited to upload arbitrary PHP scripts to a predictable
location inside the web root.
Successful exploitation requires access to the administration section.
A combination of vulnerabilities #1 and #2 can be exploited by a malicious
person to execute arbitrary PHP code on a vulnerable system.
The vulnerabilities have been confirmed in version 1.0 build 007. Prior
versions may also be affected.
Solution:
Update to version 1.0 build 008.
Time Table:
30/05/2006 - Initial vendor notification.
30/05/2006 - Vendor confirms vulnerabilities.
14/06/2006 - Public disclosure.
CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2911>;
CVE-2006-2911,
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2931>;
CVE-2006-2931
ADDITIONAL INFORMATION
The information has been provided by <mailto:vuln-remove@secunia.com.>
Secunia Research.
The original article can be found at:
<http://secunia.com/secunia_research/2006-43/advisory/>;
http://secunia.com/secunia_research/2006-43/advisory/
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
