From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 1 Oct 2006 09:04:22 +0200
Subject: [UNIX] ConPresso CMS Multiple XSS and SQL Injection Issues
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20061001080131.5F50757B8@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
ConPresso CMS Multiple XSS and SQL Injection Issues
------------------------------------------------------------------------
SUMMARY
<http://www.conpresso.com/>; ConPresso CMS is "a well known content
management system". Multiple security vulnerabilities have been discovered
in ConPresso CMS system allowing remote attackers to inject arbitrary HTML
and/or JavaScript and to change the execution path of SQL queries.
DETAILS
Vulnerable Systems:
* ConPresso CMS version 4.0.4a and prior
Immune Systems:
* ConPresso CMS version 4.0.5a
XSS:
Input passed directly to the "nr" parameter in "detail.php", the "msg"
parameter in "db_mysql.inc.php" and the "pos" parameter in "index.php" is
not properly sanitized before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's browser
session in context of an affected site.
SQL injection:
Input passed directly to the "nr" parameter in "index.php" is not properly
sanitized before being used in a SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
Workaround:
Edit the source code to ensure that input is properly sanitized. You
should work with "htmlspecialchars()" or "htmlentities()" php-function to
ensure that HTML tags are not going to be executed. You should also work
with the "mysql_real_escape_string()" or "addslashes()" php-function to
ensure that SQL statements can't be delivered over the "get" variables.
Further it is recommend to set off the "register globals" option in the
"php.ini" on your webserver.
Example:
<?php
$pass = htmlentities($_POST['pass']);
$test = htmlspecialchars($_GET('test'));
$id = intval($_POST['id']);
?>
History/Timeline:
30.07.2006 - discovery of the vulnerability
02.08.2006 - additional tests with other versions
03.08.2006 - contacted the vendor
04.08.2006 - the vendor contacted me(response)
05.08.2006 - vendor confirmed the bugs
19.09.2006 - new(fixed) version 4.0.5a is available
26.09.2006 - advisory is written
ADDITIONAL INFORMATION
The information has been provided by David Vieira-Kurz.
The original article can be found at:
<http://www.majorsecurity.de/index_2.php?major_rls=major_rls28>;
http://www.majorsecurity.de/index_2.php?major_rls=major_rls28
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
