|
======================================================================
Secunia Research 29/12/2009
- AproxEngine Multiple Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
* AproxEngine 5.3.04
* AproxEngine 6.0
NOTE: Other versions may also be affected.
======================================================================
2) Severity
Rating: Moderately critical
Impact: SQL Injection
Cross-Site Scripting
Manipulation of Data
Spoofing
Where: Remote
======================================================================
3) Vendor's Description of Software
"Die APROXEngine ist ein von uns entwickeltes Content-Management-
System(CMS). Einfach gesagt, ist ein CMS ein Baukastensystem zur
Erstellung, Wartung, Verwaltung von Internetseiten."
Product Link:
http://www.aprox.de/
======================================================================
4) Description of Vulnerability
Secunia Research has discovered some vulnerabilities in AproxEngine,
which can be exploited by malicious users to manipulate certain data,
conduct spoofing, SQL injection, and script insertion attacks and by
malicious people to conduct SQL injection and script insertion
attacks.
1) Input passed via the "login" parameter to index.php is not properly
sanitised before being used in an SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
2) Input passed via the "login" and "password" parameters to index.php
is not properly sanitised before being displayed to the user. This can
be exploited to insert arbitrary HTML and script code, which will be
executed in a user's browser session in context of an affected site
when the malicious data is being viewed.
3) Input passed via the "art" parameter to index.php is not properly
sanitised before being used in an SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
4) Input passed via the "Referer" HTTP header to index.php is not
properly sanitised before being used in an SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
5) Input passed to the "datei" parameter in /engine/inc/
galerie_unlink.php is not properly verified before being used to
delete image files. This can be exploited to delete arbitrary files
via directory traversal attacks.
Successful exploitation of this vulnerability requires administrative
privileges.
6) Input passed to the "del_verz" parameter in /engine/inc/
galerie_del_verz.php is not properly verified before being used to
delete galleries. This can be exploited to delete arbitrary
directories via directory traversal attacks.
Successful exploitation of this vulnerability requires administrative
privileges.
7) Input passed via the "from" parameter to index.php (when "page" is
set to "sql_postfach" and "action" is set to "new") is not properly
verified before being used to send mails to users. This can be
exploited to e.g. spoof mails from the administrator.
8) Input passed via the "to", "betreff", and "elm1" parameters to
index.php (when "page" is set to "sql_postfach" and "action" is set to
"new") is not properly sanitised before being used in an SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary
SQL code.
9) Input passed via various parameters to index.php (when "page" is
set to "sql_profil" and "action" is set to "list") is not properly
sanitised before being used in an SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of this vulnerability on version 6.0 requires
administrative privileges.
10) Input passed via the "generator", "author", "description", and
"keywords" parameters to index.php (when "page" is set to
"user_html_ed" and "action" is set to "open") is not properly
sanitised before being used in an SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
11) Input passed via the "generator", "author", "description", and
"keywords" parameters to index.php (when "page" is set to
"user_html_ed" and "action" is set to "open") is not properly
sanitised before being displayed to the user. This can be exploited
to insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious data is being viewed.
12) Input passed via the "mail" parameter to index.php (when "page" is
set to "sql_profil" and "action" is set to "list") is not properly
sanitised before being displayed to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious data is being viewed.
Successful exploitation of this vulnerability on version 6.0 requires
administrative privileges.
13) Input passed via the "betreff" parameter to index.php (when "page"
is set to "sql_postfach" and "action" is set to "new") is not properly
sanitised before being displayed to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious data is being viewed.
The vulnerabilities are confirmed in versions 5.3.04 and 6.0. Other
versions may also be affected.
NOTE: Successful exploitation of all vulnerabilities except #5 and #6
requires that "magic_quotes_gpc" is disabled.
======================================================================
5) Solution
Ensure that "magic_quotes_gpc" is enabled and grant only trusted users
administrative access to the application.
======================================================================
6) Time Table
04/12/2009 - Vendor notified.
23/12/2009 - Vendor notified again (2nd attempt).
29/12/2009 - Public disclosure.
======================================================================
7) Credits
Discovered by Chaitanya Sharma, Secunia.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has not
currently assigned any CVE identifiers for these vulnerabilities.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-2/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
=====================================================================