From: SecuriTeam <support@securiteam.com.>
To: [email protected]
Date: 20 Nov 2006 12:26:41 +0200
Subject: [UNIX] dev4u CMS Multiple SQL Injection and Cross Site Scripting Issues
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-Id: <20061120103614.AE4A15794@mail.tyumen.ru.>
X-Virus-Scanned: antivirus-gw at tyumen.ru
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
dev4u CMS Multiple SQL Injection and Cross Site Scripting Issues
------------------------------------------------------------------------
SUMMARY
<http://www.dev4u.de/>; dev4u CMS is "a well known German Content
Management System". Multiple vulnerabilities have been discovered in dev4u
CMS system, allowing a remote attacker to cause the product to execute
arbitrary SQL statements as well as include arbitrary HTML and/or
JavaScript into existing web pages.
DETAILS
Cross Site Scripting:
Input passed directly to the "user_name", "passwort" and "go_target"
parameter in "index.php" is not properly sanitized before being returned
to the user. This can be exploited to execute arbitrary HTML and script
code in a user's browser session in context of an affected site.
SQL Injection:
Input passed directly to the "seite_id", "gruppe_id.php" and "go_target"
parameter in "index.php" is not properly sanitized before being used in a
SQL query. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
Solution:
Edit the source code to ensure that input is properly sanitized. You
should work with "htmlspecialchars()" or "htmlentities()" php-function to
ensure that HTML tags are not going to be executed. You should also work
with the "intval()" and "mysql_real_escape_string()" or "addslashes()"
php-function to ensure that SQL statements can't be delivered over the
"get" variables. Further it is recommend to set off the "register globals"
option in the "php.ini" on your webserver.
Example:
$pass = htmlentities($_POST['pass']);
$test = htmlspecialchars($_GET('test'));
$id = intval($_POST['id']);
?>
History/Timeline:
11.11.2006 discovery of the vulnerabilities
11.11.2006 additional tests with other versions
12.11.2006 contacted the vendor
18.11.2006 advisory is written
18.11.2006 advisory released
ADDITIONAL INFORMATION
The information has been provided by MajorSecurity.
The original article can be found at:
<http://www.majorsecurity.de/index_2.php?major_rls=major_rls36>;
http://www.majorsecurity.de/index_2.php?major_rls=major_rls36
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: [email protected]
In order to subscribe to the mailing list, simply forward this email to: [email protected]
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
