The OpenNET Project
 
Search (keywords):  SOFT ARTICLES TIPS & TRICKS SECURITY
LINKS NEWS MAN DOCUMENTATION


Etomite CMS 0.6.1.2 Multiple Vulnerabilities ( Sql Injection + Local


<< Previous INDEX Search src / Print Next >>
Date: Thu, 16 Nov 2006 13:49:24 +0100
From: revenge <revenge@0xcafebabe.it.>
To: [email protected]
Subject: Etomite CMS 0.6.1.2 Multiple Vulnerabilities ( Sql Injection + Local
 file inclusion )
X-Enigmail-Version: 0.94.1.0
OpenPGP: id=F8DEBAF7
Content-Type: text/plain; charset=ISO-8859-15
Content-Transfer-Encoding: 7bit
X-AntiAbuse: This header was added to track abuse, please include it with any abuse report
X-AntiAbuse: Primary Hostname - a2s17.a2hosting.com
X-AntiAbuse: Original Domain - securityfocus.com
X-AntiAbuse: Originator/Caller UID/GID - [0 0] / [47 12]
X-AntiAbuse: Sender Address Domain - 0xcafebabe.it
X-Source: 
X-Source-Args: 
X-Source-Dir: 
X-Virus-Scanned: antivirus-gw at tyumen.ru

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Etomite CMS 0.6.1.2 Multiple Vulnerabilities

Severity : Medium risk
Vendor   : www.etomite.org
Author   : Alfredo Pesoli 'revenge'

[--------------------------------------------------]

[#] Description

Etomite is a PHP Content Management System, more info can be found at
vendor site.

Etomite is vulnerable to a sql injection and a local file inclusion.

[--------------------------------------------------]

Vuln #1  : Sql Injection
Impact   : Admin credentials disclosure
Exploit  : http://www.0xcafebabe.it/sploits/etm_0612_sqlinj.pl

The "id" parameter in "index.php" isn't properly sanitised before
being used in a sql query, this can be exploited to manipulate existing
SQL query by inserting arbitrary SQL code, which can disclose sensitive
information like admin credentials.

Successful exploitation requires magic_quotes_gpc = off.

The problem is due to:
[ /path_to_etomite/index.php ]
...
...
function getDocumentIdentifier($method) {
  // function to test the query and find the retrieval method
    switch($method) {
      case "alias" :
        return strip_tags($_REQUEST['q']);
        break;
      case "id" :
 --->    return strip_tags($_REQUEST['id']);    <---
        break;
      ...
      ...
      ...
    }
  }

strip_tags can't filter some kind of characters and is used only to
escape html/php tags, it is better to use another function to filter
user input.

[--------------------------------------------------]

Vuln #2: Local File Inclusion / Remote Command Execution
Impact : System Access, requires admin credentials
Exploit: http://www.0xcafababe.it/sploits/etm_0612_remote_com.pl

Input passed to the 'f' parameter in "/manager/index.php" isn't properly
verified before being used to include files, this can be exploited
to include local files on target host or execute command, need admin
credentials to exploit this vuln.

...
...
/********************************************************************/
/* frame management - show the requested frame            */
/********************************************************************/
  case "1" :
    // get the requested frame
    $frame=$_REQUEST['f'];
    if($frame>9) {
      $enable_debug=false;   // this is to stop the debug thingy being
attached to the framesets
    }
- --> include_once "frames/".$frame.".php";   <--
  break;
...
...

[#] Workaround

magic_quotes_gpc on will fix the first vulnerability (sql injection),
for the second (local file inclusion) edit the source code to
ensure
that input is properly sanitised in ("/manager/index.php").

[#] Disclosure timeline

2006/10/30 Bugs discovered
2006/10/31 Vendor contacted, no response
2006/11/15 Public Disclosure

Alfredo Pesoli 'revenge'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFXF5UcLZvqfjeuvcRAgB6AJ9kMzmX+QAjqcxa4UdoniD4cuS9/gCfYbSE
u32LGg7VcdedG29hYXqPclY=
=MLnx
-----END PGP SIGNATURE-----


<< Previous INDEX Search src / Print Next >>



Партнёры:
PostgresPro
Inferno Solutions
Hosting by Hoster.ru
Хостинг:

Закладки на сайте
Проследить за страницей
Created 1996-2025 by Maxim Chirkov
Добавить, Поддержать, Вебмастеру