Etomite CMS Multiple Vulnerabilities (SQL Injection + Local File Inclusion)

Etomite CMS Multiple Vulnerabilities

Severity : Medium risk
Vendor : www.etomite.org 
Author   : Alfredo Pesoli 'revenge'


[#] Description

Etomite is a PHP Content Management System, more info can be found at
vendor site.

Etomite is vulnerable to an SQL injection and a local file inclusion.


Vuln #1  : SQL Injection
Impact   : Admin credentials disclosure
Exploit : http://www.0xcafebabe.it/sploits/etm_0612_sqlinj.pl 

The "id" parameter in "index.php" isn't properly sanitised before
being used in an SQL query. An attacker can inject arbitrary SQL into
the existing query and read sensitive information from the database,
such as the administrator credentials.

Successful exploitation requires magic_quotes_gpc = off, because the
injected value has to break out of a quoted string in the query.

The problem is due to:
[ /path_to_etomite/index.php ]

function getDocumentIdentifier($method) {
  // function to test the query and find the retrieval method
  switch($method) {
    case "alias" :
      return strip_tags($_REQUEST['q']);
    case "id" :
      return strip_tags($_REQUEST['id']);    // <--- vulnerable: tags are removed, SQL metacharacters are not
  }
}

strip_tags() only removes HTML and PHP tags; it does not escape or
remove quotes, comment sequences or SQL keywords, so it is useless as
SQL input filtering. Since a document id is numeric, the value should
be cast to an integer (or escaped with the database API) before it is
placed in the query.
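The following PHP is an added example for this advisory, not Etomite's own code. It shows that strip_tags() returns an injection payload unchanged, and gives a hardened getDocumentIdentifier() that accepts only an integer id and a bounded alias. The request array passed in, the table and column names, and the fetchDocumentById() helper are assumptions for illustration.

```php
<?php
// Added example, not Etomite's own code. Demonstrates why strip_tags()
// does not protect the "id" parameter, and a hardened replacement.
// Table/column names (site_content, id, manager_users) are assumptions.

// Vulnerable retrieval, as in the advisory: strip_tags() only removes
// <...> tags, it leaves quotes, comments and SQL keywords untouched.
function getDocumentIdentifier_vulnerable(array $request, $method) {
    switch ($method) {
        case "alias":
            return strip_tags($request['q']);
        case "id":
            return strip_tags($request['id']);
    }
    return null;
}

// Hardened retrieval: a document id is a positive integer, so cast it and
// reject anything else instead of trying to filter SQL metacharacters.
// Aliases are limited to a safe character class and length.
function getDocumentIdentifier_hardened(array $request, $method) {
    switch ($method) {
        case "alias":
            $alias = isset($request['q']) ? (string)$request['q'] : '';
            return preg_match('/^[A-Za-z0-9_-]{1,100}$/', $alias) ? $alias : null;
        case "id":
            $id = isset($request['id']) ? (string)$request['id'] : '';
            return ctype_digit($id) ? (int)$id : null;
    }
    return null;
}

// Prepared statement so the id never becomes part of the SQL text.
// Not called below: no database connection is opened in this example.
function fetchDocumentById(mysqli $db, $id) {
    $stmt = $db->prepare("SELECT * FROM site_content WHERE id = ?");
    $stmt->bind_param('i', $id);
    $stmt->execute();
    return $stmt->get_result()->fetch_assoc();
}

// Constructed attacker input: a classic quote-break payload.
$request = array('id' => "1' UNION SELECT username,password FROM manager_users -- ");

$vuln = getDocumentIdentifier_vulnerable($request, 'id');
// strip_tags() passes the payload through unchanged, so the (illustrative)
// quoted query is rewritten by the attacker:
$unsafeSql = "SELECT * FROM site_content WHERE id = '" . $vuln . "'";
echo $unsafeSql, "\n";

$safe = getDocumentIdentifier_hardened($request, 'id');
var_dump($safe);   // NULL: the payload is rejected before any query is built

$safe = getDocumentIdentifier_hardened(array('id' => '42'), 'id');
var_dump($safe);   // int(42): only a plain integer gets through
```

Note that magic_quotes_gpc would have turned the quote into \' and blocked this particular payload, which is why the advisory lists it as a requirement; casting to an integer removes the dependency on that PHP setting entirely.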


Vuln #2: Local File Inclusion / Remote Command Execution
Impact : System Access, requires admin credentials
Exploit: http://www.0xcafababe.it/sploits/etm_0612_remote_com.pl 

Input passed to the 'f' parameter in "/manager/index.php" isn't properly
verified before being used as $frame in an include. This can be
exploited to include local files on the target host or to execute
commands. Admin credentials are needed, since the code lives in the
manager interface. Because the include appends ".php", only files with
that extension are reachable unless the suffix can be truncated.

[ /path_to_etomite/manager/index.php ]

/* frame management - show the requested frame            */
  case "1" :   // one case of the manager's action switch
    // get the requested frame
    if($frame>9) {
      $enable_debug=false;   // this is to stop the debug thingy being attached to the framesets
      include_once "frames/".$frame.".php";   // <--- vulnerable: $frame is used unchecked
    }

The only check is "$frame>9", a loose comparison: a string that starts
with digits, such as "99/../../../etc/passwd", still compares greater
than 9, so the check does not stop directory traversal.
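The following PHP is an added example for this advisory, not Etomite's own code. It reduces the original "$frame>9" check to a function to show that a traversal string passes it, and contrasts it with a hardened resolver that accepts only digits in the expected range and pins the resolved file to the frames/ directory. The throwaway frames/ directory under the system temp dir, the frame number 10 and the function names are assumptions so the example runs stand-alone.

```php
<?php
// Added example, not Etomite's own code. Contrasts the loose "$frame>9"
// check with a strict whitelist plus a realpath() prefix check, using a
// constructed frames/ directory created under the system temp dir.

// The original check, reduced to a function. A string compared to an
// integer is converted numerically (PHP < 8) or the integer is compared
// as a string (PHP 8); either way a leading-digit string gets past ">9".
function vulnerableFrameAllowed($frame) {
    return $frame > 9;
}

// Hardened version: the frame must be all digits, in the expected range,
// and the resolved file must exist inside the frames/ directory.
// Returns the absolute path to include, or null to refuse.
function resolveFrame($frame, $framesDir) {
    if (!is_string($frame) && !is_int($frame)) {
        return null;
    }
    $frame = (string)$frame;
    if (!ctype_digit($frame) || (int)$frame <= 9) {
        return null;                       // rejects "99/../../../etc/passwd"
    }
    $base = realpath($framesDir);
    if ($base === false) {
        return null;
    }
    $path = realpath($base . '/' . (int)$frame . '.php');
    if ($path === false) {
        return null;                       // no such frame file
    }
    // realpath() resolved any "..", so a prefix check pins it to frames/
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// --- demo with a constructed frames/ directory ---------------------------
$framesDir = sys_get_temp_dir() . '/etm_frames_' . getmypid();
mkdir($framesDir);
file_put_contents($framesDir . '/10.php', '<?php return "frame 10 loaded";');

$attack = "99/../../../etc/passwd";
var_dump(vulnerableFrameAllowed($attack));   // bool(true): the original check passes
// the original code would then run: include_once "frames/99/../../../etc/passwd.php"

var_dump(resolveFrame($attack, $framesDir)); // NULL: not all digits
var_dump(resolveFrame("11", $framesDir));    // NULL: frame file does not exist
var_dump(resolveFrame("10", $framesDir));    // string(...): .../10.php

$path = resolveFrame("10", $framesDir);
if ($path !== null) {
    $result = include_once $path;
    echo $result, "\n";                      // frame 10 loaded
}

unlink($framesDir . '/10.php');
rmdir($framesDir);
```

The realpath() step matters even after the digit check: it makes the directory pin independent of how the path is spelled, so the same resolver stays safe if the frame list is later extended to named frames.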

[#] Workaround

Setting magic_quotes_gpc = on mitigates the first vulnerability (SQL
injection), but the proper fix is to cast "id" to an integer in
"index.php" before it reaches the query. For the second (local file
inclusion), edit "/manager/index.php" so that the frame value is
restricted to the expected numeric range before it is included.

[#] Disclosure timeline

2006/10/30 Bugs discovered
2006/10/31 Vendor contacted, no response
2006/11/15 Public Disclosure

Alfredo Pesoli 'revenge'
