Related information

Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)

phpPC 1.04 Multiples Remote File Inclusion

Pearl Forums 2.4 Multiple Remote File Include Vulnerabilities

PhotoCart 3.9 (adminprint. php) Remote File Include Vulnerability

Vulnerability in PostNuke

From:	revenge <revenge_(at)_0xcafebabe.it>
Date:	22.11.2006
Subject:	ContentNow CMS 1.39 Sql Injection + Path Disclosure Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ContentNow CMS 1.39 'pageid' Sql Injection + Path Disclosure

Severity : Medium Risk
Vendor   : http://www.contentnow.mf4k.de/
Author   : Revenge

[--------------------------------------------------]

[#] Description

ContentNow is a PHP Content Management System web 2.0 compliant, more
info can be found at vendor site.

ContentNow v1.39 is vulnerable to a sql injection and path disclosure.

[--------------------------------------------------]

Vuln #1  : Sql Injection
Impact   : Admin credentials disclosure
Exploit  : http://www.0xcafebabe.it/sploits/contentnow_139_sqlinj.pl
(Works regardless of magic quotes)

The "pageid" parameter in "index.php" isn't properly sanitised before
being used in a sql query, this can be exploited to manipulate existing
SQL query by inserting arbitrary SQL code, which can disclose sensitive
information like admin credentials.

The problem is due to:
[ index.php ]
...
...
// get/set id or startpageid from config
 -->   $pid = $_GET['pageid'];
       if (empty($pid) || $pid == 1) $pid =
$cnEngine->configArray[0]['startpageid'];

 -->   if (false == $cnEngine->checkPid($pid)) die ('<span
style="font:13px sans-serif;">Error loading site. No pid found.</span>');

       $cnEngine->setId($pid);
...
...

[ function checkPid($pid) and getActualContent($param) from
/cn/library/class.engine.php ]
...
...
function checkPid($pid) {
               $cnDatabase = NewADOConnection(ADODB_DB_TYPE);
               $cnDatabase->Connect(CN_DB_HOST, CN_DB_USER,
CN_DB_PASSWORD, CN_DB_NAME);
               $sql = "SELECT pageid FROM ".CN_TBL_SECTIONS." WHERE
pageid = ".$pid;
               $res = $cnDatabase->Execute($sql);
               if ($res->RecordCount() > 0) {
                       return true;
               } else {
                       return false;
               }
       }
...
...

function getActualContent($param = '') {
               $cnDatabase = NewADOConnection(ADODB_DB_TYPE);
               $cnDatabase->Connect(CN_DB_HOST, CN_DB_USER,
CN_DB_PASSWORD, CN_DB_NAME);
               $sql = "SELECT ".TABLE_FIELDS_CONTENT." FROM
".CN_TBL_CONTENT.$this->contentLanguageSuffix." WHERE pid =
".$this->pageid." AND deleted = 0 ".$param." ORDER by sort ASC";
               $res = $cnDatabase->Execute($sql);
               if ($res->RecordCount() > 0) {
                       while ($row = $res->FetchRow()) {
                               $row['contenttitle'] =
stripslashes($row['contenttitle']);
                               $row['contentsyskey'] =
stripslashes($row['contentsyskey']);
                               $row['contentsubtitle'] =
stripslashes($row['contentsubtitle']);
                               $row['content'] =
str_replace('\"','"',
$row['content']);
                               $contentArray[] = $row;
                       }
               }
               $this->contentArray = $contentArray;
               return $contentArray;
       }

As you can see there's no input validation on "pageid" parameter.

Vuln #2: It is also possible to disclose the full path to index.php by
requesting index.php?pageid='

[--------------------------------------------------]

[#] Solution

Download 1.40 version.

[#] Disclosure timeline

2006/11/20 Bug discovered
2006/11/20 Vendor contacted
2006/11/21 Vendor response
2006/11/21 New version 1.40 released
2006/11/21 Public Disclosure

Revenge

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFY0nJcLZvqfjeuvcRAlguAJ49Bdab5lNyX69OYmxIuzOb2yjvPwCcCq2+
OCNrT290ArsWjsqKG/Lk+OM=
=ICDL
-----END PGP SIGNATURE-----