Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Web :: CMS / Portals :: bu-1516.htm

ezContents CMS Multiple Vulnerabilities



ezContents CMS Multiple Vulnerabilities
ezContents CMS Multiple Vulnerabilities



##########################www.BugReport.ir######################################## 
#
#        AmnPardaz Security Research Team
#
# Title:=09=09ezContents CMS Multiple Vulnerabilities
# Vendor:=09=09http://ezcontents.org/ 
# Vulnerable Version:=092.0.3 (and prior versions)
# Exploitation:=09=09Remote with browser
# Fix:=09=09=09N/A
###################################################################################

####################
- Description:
####################

ezContents is a nice PHP CMS which allow management of dynamic  
contents and web publishing.

####################
- Vulnerability:
####################

+--> SQL Injection
Most of GET and POST parameters are not sanitized before being used in  
SQL query.

Vulnerable Pages/Affected Parameters:
  - 'admin/adminlogin.php'/'login'
  - 'bannerclick.php'/'id'
  - 'comments.php'/'article'
  - 'control.php'/'topgroupname' and 'groupname'
  - 'headeruserdata.php'/'topgroupname' and 'groupname'
  - 'login.php'/'subgroupname' and 'groupname' and 'topgroupname' and 'login'
  - 'menu.php'/'groupname' and 'topgroupname'
  - 'module.php'/'topgroupname' and 'groupname'
  - 'modules/diary/m_diaryform.php'/'DiaryID'
  - 'modules/diary/showdiary.php'/'month' and 'year'
  - 'modules/diary/showdiarydetail.php'/'diaryid'
  - 'modules/gallery/m_galleryform.php'/'galleryID'
  - 'modules/gallery/showgallerydetails.php'/'galleryid'
  - 'modules/links/m_linksform.php'/'GuestbookID'
  - 'modules/guestbook/m_guestbookform.php'/'LinkID'
  - 'modules/modfunctions.php'/'topgroupname'
  - 'modules/news/m_news.php'/'NewsID'
  - 'modules/news/shownewsdetails.php'/'newsid'
  - 'modules/poll/m_pollform.php'/'PollID'
  - 'modules/poll/m_polloptiondel.php'/'PollOptionID'
  - 'modules/poll/m_polloptions.php'/'PollID'
  - 'modules/poll/m_polloptionsform.php'/'PollOptionID'
  - 'modules/reviews/m_reviewsform.php'/'reviewsID'
  - 'modules/reviews/showreviewdetails.php'/'reviewsid'
  - 'printer.php'/'article'
  - 'rateit.php'/'article'
  - 'selectsite.php'/'Site'
  - 'selecttheme.php'/'Theme'
  - 'showcontents.php'/'groupname' and 'subgroupname' and 'topgroupname'
  - 'showdetails.php'/'contentname'
  - 'userinfo.php'/'topgroupname'

+--> Authentication Bypass
Authentication Bypass in 'comments.php'. No check for login performed.


####################
- Exploits/PoCs:
####################

=09The admin password can be extracted using timing attack.
=09The general SQL Injection vector for exploiting login page
=09is:
=09    admin' AND IF(@Condition,BENCHMARK(1000000, md5(10)),2) OR '1'='1
=09In the above vector @Condition can be replaced with any boolean
=09experation and in case of true value page will have a sensible wait
=09before starting transfer phase.
=09For extracting password, we first find the length of password
=09using 'length(userpassword)>**' as @Condition and binary search on
=09** pass length.
=09Then we can find i-th character of the password using
=09"substring(userpassword,i,1) > '*'" as @Condition and binary search
=09on the * as characters.

####################
- Solution:
####################

Edit the source code to ensure that inputs are properly sanitized.

####################
- Original Advisory:
####################

http://www.bugreport.ir/index_65.htm 

####################
- Credit:
####################
AmnPardaz Security Research Team
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir 
www.AmnPardaz.com 



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH