SECURITYVULNS:DOC:15113
History: Nov 17, 2006 - 12:00 a.m.

Etomite CMS 0.6.1.2 Multiple Vulnerabilities ( Sql Injection + Local file inclusion )

Source: vulners.com

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Etomite CMS 0.6.1.2 Multiple Vulnerabilities

Severity : Medium risk
Vendor : www.etomite.org
Author : Alfredo Pesoli 'revenge'

[--------------------------------------------------]

[#] Description

Etomite is a PHP Content Management System; more information can be found
on the vendor site.

Etomite is vulnerable to an SQL injection and a local file inclusion.

[--------------------------------------------------]

Vuln #1 : Sql Injection
Impact : Admin credentials disclosure
Exploit : http://www.0xcafebabe.it/sploits/etm_0612_sqlinj.pl

The "id" parameter in "index.php" isn't properly sanitised before being
used in an SQL query. This can be exploited to manipulate the existing SQL
query by inserting arbitrary SQL code, which can disclose sensitive
information such as admin credentials.

Successful exploitation requires magic_quotes_gpc = off.

The problem is due to:
[ /path_to_etomite/index.php ]


function getDocumentIdentifier($method) {
    // function to test the query and find the retrieval method
    switch($method) {
        case "alias" :
            return strip_tags($_REQUEST['q']);
            break;
        case "id" :
            return strip_tags($_REQUEST['id']);   // <-- vulnerable line
            break;
    }
}

strip_tags() only removes HTML/PHP tags and leaves other characters
untouched, so it is not a filter for SQL input; it is better to use
another function to validate user input.
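As an added example (not Etomite's code), the following shows why strip_tags() is the wrong tool here and what a hardened replacement for the "id" branch of getDocumentIdentifier() could look like: validate the parameter as an integer before it is used, and bind it into a prepared statement instead of concatenating it. The function names, the PDO connection and the table/column names are assumptions for illustration.

```php
<?php
// Added example, not Etomite's code. Demonstrates integer validation of the
// "id" request parameter plus a prepared statement for the lookup.

// strip_tags() only removes HTML/PHP tags; every other character,
// including quotes, passes straight through to the caller.
function stripTagsOnly(string $id): string {
    return strip_tags($id);
}

// Return the "id" parameter as a positive int, or null when it is not a
// plain decimal integer. Anything containing quotes, spaces or SQL
// keywords is rejected here and never reaches a query.
function getDocumentId(array $request): ?int {
    if (!isset($request['id'])) {
        return null;
    }
    $raw = (string) $request['id'];
    // FILTER_VALIDATE_INT accepts only a well-formed integer string;
    // min_range keeps zero and negative ids out.
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Look the document up with a bound parameter rather than string
// concatenation. Table and column names are assumed for the example.
function fetchDocument(PDO $db, int $id): ?array {
    $stmt = $db->prepare('SELECT id, pagetitle, content FROM site_content WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demonstration inputs (not real requests).
foreach (["42'", 'abc', '42'] as $raw) {
    $afterStripTags = stripTagsOnly($raw);           // unchanged for all three
    $validated      = getDocumentId(['id' => $raw]); // int only for the last one
    printf("%-6s strip_tags=%-6s validated=%s\n",
        var_export($raw, true), var_export($afterStripTags, true), var_export($validated, true));
}
```

Run with the PHP CLI to see that strip_tags() returns all three inputs unchanged, while getDocumentId() accepts only the plain numeric string. With fetchDocument() the value reaches the database as a typed bound parameter, so the magic_quotes_gpc setting no longer matters for this query.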

[--------------------------------------------------]

Vuln #2: Local File Inclusion / Remote Command Execution
Impact : System Access, requires admin credentials
Exploit: http://www.0xcafababe.it/sploits/etm_0612_remote_com.pl

Input passed to the 'f' parameter in "/manager/index.php" isn't properly
verified before being used to include files. This can be exploited to
include local files on the target host or to execute commands; admin
credentials are needed to exploit this vuln.



//
/* frame management - show the requested frame */
/
/
case "1" :
// get the requested frame
$frame=$_REQUEST['f'];
if($frame>9) {
$enable_debug=false; // this is to stop the debug thingy being
attached to the framesets
}

  • –> include_once "frames/".$frame.".php"; <–
    break;

[#] Workaround

Setting magic_quotes_gpc = on will fix the first vulnerability (SQL
injection); for the second (local file inclusion), edit the source code to
ensure that input is properly sanitised in "/manager/index.php".
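As an added example (not Etomite's code) of the source-code fix recommended above for the frame include in "/manager/index.php": the request value is looked up in an allowlist of known frame names and the resolved path is confirmed to lie inside the frames directory before anything is included. The frame directory layout, the set of frame names and the helper names are assumptions for illustration.

```php
<?php
// Added example, not Etomite's code. Hardened replacement for the
// `include_once "frames/".$frame.".php"` pattern.

// Assumed layout: the frame scripts live in ./frames/1.php .. ./frames/9.php.
const FRAME_DIR      = __DIR__ . '/frames';
const ALLOWED_FRAMES = ['1', '2', '3', '4', '5', '6', '7', '8', '9'];

// Map the 'f' request parameter to an absolute file path, or null if the
// value is not one of the shipped frames. The request value is never used
// to build a path until it has matched an allowlist entry exactly.
function resolveFrame(array $request, array $allowed = ALLOWED_FRAMES, string $dir = FRAME_DIR): ?string {
    if (!isset($request['f'])) {
        return null;
    }
    $frame = (string) $request['f'];

    // Strict in_array(): only an exact string match counts, so values with
    // extra path components or a different type are rejected.
    if (!in_array($frame, $allowed, true)) {
        return null;
    }

    // Defence in depth: resolve symlinks and ".." and check the real file
    // is still inside the frames directory.
    $real = realpath($dir . '/' . $frame . '.php');
    $base = realpath($dir);
    if ($real === false || $base === false) {
        return null;
    }
    if (strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Usage in place of the original include.
$frameFile = resolveFrame($_REQUEST);
if ($frameFile === null) {
    http_response_code(400);
    exit('invalid frame');
}
include_once $frameFile;
```

Because the allowlist check runs before any path is assembled, a request value that is not exactly one of the nine frame names is refused with a 400 regardless of the characters it contains; the realpath() check is there so that a future mistake in the allowlist (or a symlink dropped into the frames directory) still cannot pull a file from outside it.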

[#] Disclosure timeline

2006/10/30 Bugs discovered
2006/10/31 Vendor contacted, no response
2006/11/15 Public Disclosure

Alfredo Pesoli 'revenge'
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFFXF5UcLZvqfjeuvcRAgB6AJ9kMzmX+QAjqcxa4UdoniD4cuS9/gCfYbSE
u32LGg7VcdedG29hYXqPclY=
=MLnx
-----END PGP SIGNATURE-----