Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24713
HistorySep 12, 2010 - 12:00 a.m.

chillyCMS Multiple Vulnerabilities

2010-09-1200:00:00
vulners.com
25
JSON

##########################www.BugReport.ir########################################

AmnPardaz Security Research Team

Title: chillyCMS Multiple Vulnerabilities

Vendor: http://frozenpepper.de/

Vulnerable Version: 1.1.3 (Latest version till now)

Exploitation: Remote with browser

Fix: N/A

###################################################################################

####################

  • Description:
    ####################

chillyCMS is a Content Management System. Its main features are:
easily edit your content in a WYSIWYG editor,
manage your users in different groups with different rights, upload
single files or whole zip archives,
insert your pictures into the content by drag and drop, one click
backup with integrated installer,
extend your cms with various modules, see which articles are most
popular in the statistics.

####################

  • Vulnerability:
    ####################

±-> SQL Injection
The username, in the login form, is one-parenthesis single-quoted
injectable. For details check
the PoC section.

±-> Reflective XSS
Whenever login failed, the username will be printed without
sanitizing on the main page. This could
be used for executing any JavaScript code.

####################

  • Exploits/PoCs:
    ####################

±-> Exploiting The (MySQL) SQL Injection Vulnerability:
Simply go to the login page at
'victim.com/chillyCMS/core/show.site.php' and use
the following vector for injecting arbitrary queries:
') or $THE_QUERY or 1=('
For example you may use following vector for extracting the pw field
(for password) of the admin user
admin')and substr(pw,I,1)=('C
replacing the I with the index of char in a loop and C with different
characters of it. If the query result
was true, username will be accepted and wrong password error will be
shown. If the query result was false,
then username will be rejected and the wrong username error will be
shown. Allowing blind SQL injection
to be performed.

±-> Exploiting The Reflective XSS Vulnerability:
Use the following sample vector in the username field of the login
page (or any other valid JavaScript
code) => username: <script>alert('XSS')</script>

####################

  • Solution:
    ####################

White-list the input parameters before using them in the SQL queries,
removing any ', \, ( characters
or more simply restrict the parameters' length to a small length.

####################

JSON