Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:15165
HistoryNov 22, 2006 - 12:00 a.m.

ContentNow CMS 1.39 Sql Injection + Path Disclosure Vulnerabilities

2006-11-2200:00:00
vulners.com
54
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ContentNow CMS 1.39 'pageid' Sql Injection + Path Disclosure

Severity : Medium Risk
Vendor : http://www.contentnow.mf4k.de/
Author : Revenge

[--------------------------------------------------]

[#] Description

ContentNow is a PHP Content Management System web 2.0 compliant, more
info can be found at vendor site.

ContentNow v1.39 is vulnerable to a sql injection and path disclosure.

[--------------------------------------------------]

Vuln #1 : Sql Injection
Impact : Admin credentials disclosure
Exploit : http://www.0xcafebabe.it/sploits/contentnow_139_sqlinj.pl
(Works regardless of magic quotes)

The "pageid" parameter in "index.php" isn't properly sanitised before
being used in a sql query, this can be exploited to manipulate existing
SQL query by inserting arbitrary SQL code, which can disclose sensitive
information like admin credentials.

The problem is due to:
[ index.php ]


// get/set id or startpageid from config
–> $pid = $_GET['pageid'];
if (empty($pid) || $pid == 1) $pid =
$cnEngine->configArray[0]['startpageid'];

–> if (false == $cnEngine->checkPid($pid)) die ('<span
style="font:13px sans-serif;">Error loading site. No pid found.</span>');

    $cnEngine-&gt;setId&#40;$pid&#41;;


[ function checkPid($pid) and getActualContent($param) from
/cn/library/class.engine.php ]


function checkPid($pid) {
$cnDatabase = NewADOConnection(ADODB_DB_TYPE);
$cnDatabase->Connect(CN_DB_HOST, CN_DB_USER,
CN_DB_PASSWORD, CN_DB_NAME);
$sql = "SELECT pageid FROM ".CN_TBL_SECTIONS." WHERE
pageid = ".$pid;
$res = $cnDatabase->Execute($sql);
if ($res->RecordCount() > 0) {
return true;
} else {
return false;
}
}

function getActualContent($param = '') {
$cnDatabase = NewADOConnection(ADODB_DB_TYPE);
$cnDatabase->Connect(CN_DB_HOST, CN_DB_USER,
CN_DB_PASSWORD, CN_DB_NAME);
$sql = "SELECT ".TABLE_FIELDS_CONTENT." FROM
".CN_TBL_CONTENT.$this->contentLanguageSuffix." WHERE pid =
".$this->pageid." AND deleted = 0 ".$param." ORDER by sort ASC";
$res = $cnDatabase->Execute($sql);
if ($res->RecordCount() > 0) {
while ($row = $res->FetchRow()) {
$row['contenttitle'] =
stripslashes($row['contenttitle']);
$row['contentsyskey'] =
stripslashes($row['contentsyskey']);
$row['contentsubtitle'] =
stripslashes($row['contentsubtitle']);
$row['content'] =
str_replace('\"','"',$row['content']);
$contentArray[] = $row;
}
}
$this->contentArray = $contentArray;
return $contentArray;
}

As you can see there's no input validation on "pageid" parameter.

Vuln #2: It is also possible to disclose the full path to index.php by
requesting index.php?pageid='

[--------------------------------------------------]

[#] Solution

Download 1.40 version.

[#] Disclosure timeline

2006/11/20 Bug discovered
2006/11/20 Vendor contacted
2006/11/21 Vendor response
2006/11/21 New version 1.40 released
2006/11/21 Public Disclosure

Revenge

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFY0nJcLZvqfjeuvcRAlguAJ49Bdab5lNyX69OYmxIuzOb2yjvPwCcCq2+
OCNrT290ArsWjsqKG/Lk+OM=
=ICDL
-----END PGP SIGNATURE-----

JSON