Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:23069
HistoryJan 19, 2010 - 12:00 a.m.

ezContents CMS Multiple Vulnerabilities

2010-01-1900:00:00
vulners.com
209
JSON

##########################www.BugReport.ir########################################

AmnPardaz Security Research Team

Title: ezContents CMS Multiple Vulnerabilities

Vendor: http://ezcontents.org/

Vulnerable Version: 2.0.3 (and prior versions)

Exploitation: Remote with browser

Fix: N/A

###################################################################################

####################

  • Description:
    ####################

ezContents is a nice PHP CMS which allow management of dynamic
contents and web publishing.

####################

  • Vulnerability:
    ####################

±-> SQL Injection
Most of GET and POST parameters are not sanitized before being used in
SQL query.

Vulnerable Pages/Affected Parameters:

  • 'admin/adminlogin.php'/'login'
  • 'bannerclick.php'/'id'
  • 'comments.php'/'article'
  • 'control.php'/'topgroupname' and 'groupname'
  • 'headeruserdata.php'/'topgroupname' and 'groupname'
  • 'login.php'/'subgroupname' and 'groupname' and 'topgroupname' and 'login'
  • 'menu.php'/'groupname' and 'topgroupname'
  • 'module.php'/'topgroupname' and 'groupname'
  • 'modules/diary/m_diaryform.php'/'DiaryID'
  • 'modules/diary/showdiary.php'/'month' and 'year'
  • 'modules/diary/showdiarydetail.php'/'diaryid'
  • 'modules/gallery/m_galleryform.php'/'galleryID'
  • 'modules/gallery/showgallerydetails.php'/'galleryid'
  • 'modules/links/m_linksform.php'/'GuestbookID'
  • 'modules/guestbook/m_guestbookform.php'/'LinkID'
  • 'modules/modfunctions.php'/'topgroupname'
  • 'modules/news/m_news.php'/'NewsID'
  • 'modules/news/shownewsdetails.php'/'newsid'
  • 'modules/poll/m_pollform.php'/'PollID'
  • 'modules/poll/m_polloptiondel.php'/'PollOptionID'
  • 'modules/poll/m_polloptions.php'/'PollID'
  • 'modules/poll/m_polloptionsform.php'/'PollOptionID'
  • 'modules/reviews/m_reviewsform.php'/'reviewsID'
  • 'modules/reviews/showreviewdetails.php'/'reviewsid'
  • 'printer.php'/'article'
  • 'rateit.php'/'article'
  • 'selectsite.php'/'Site'
  • 'selecttheme.php'/'Theme'
  • 'showcontents.php'/'groupname' and 'subgroupname' and 'topgroupname'
  • 'showdetails.php'/'contentname'
  • 'userinfo.php'/'topgroupname'

±-> Authentication Bypass
Authentication Bypass in 'comments.php'. No check for login performed.

####################

  • Exploits/PoCs:
    ####################

      The admin password can be extracted using timing attack.
  The general SQL Injection vector for exploiting login page
  is:
      admin' AND IF(@Condition,BENCHMARK(1000000, md5(10)),2) OR '1'='1
  In the above vector @Condition can be replaced with any boolean
  experation and in case of true value page will have a sensible wait
  before starting transfer phase.
  For extracting password, we first find the length of password
  using 'length(userpassword)>**' as @Condition and binary search on
  ** pass length.
  Then we can find i-th character of the password using
  "substring(userpassword,i,1) > '*'" as @Condition and binary search
  on the * as characters.

####################

  • Solution:
    ####################

Edit the source code to ensure that inputs are properly sanitized.

####################

  • Original Advisory:
    ####################

http://www.bugreport.ir/index_65.htm

####################

JSON