Etomite CMS 0.6.1.2 Multiple Vulnerabilities
Severity : Medium risk
Vendor : www.etomite.org
Author : Alfredo Pesoli 'revenge'
[--------------------------------------------------]
[#] Description
Etomite is a PHP content management system; more information can be found on
the vendor's site.
Etomite is vulnerable to a SQL injection and a local file inclusion.
[--------------------------------------------------]
Vuln #1 : SQL Injection
Impact : Admin credentials disclosure
Exploit : http://www.0xcafebabe.it/sploits/etm_0612_sqlinj.pl
The "id" parameter of "index.php" isn't properly sanitised before being used
in a SQL query. This can be exploited to manipulate the existing query by
inserting arbitrary SQL code, which can disclose sensitive information such as
admin credentials.
Successful exploitation requires magic_quotes_gpc = off.
The problem is due to:
[ /path_to_etomite/index.php ]
…
…
function getDocumentIdentifier($method) {
    // function to test the query and find the retrieval method
    switch($method) {
        case "alias" :
            return strip_tags($_REQUEST['q']);
            break;
        case "id" :
            return strip_tags($_REQUEST['id']);  // <-- "id" reaches the SQL query with only strip_tags() applied
            break;
        …
        …
        …
    }
}
strip_tags() only removes HTML and PHP tags; it does not filter other
characters, such as the quotes that matter in a SQL query, so a different
function must be used to validate this user input.
[--------------------------------------------------]
Vuln #2: Local File Inclusion / Remote Command Execution
Impact : System Access, requires admin credentials
Exploit: http://www.0xcafababe.it/sploits/etm_0612_remote_com.pl
Input passed to the 'f' parameter of "/manager/index.php" isn't properly
verified before being used to include files. This can be exploited to include
local files on the target host or to execute commands; admin credentials are
needed to exploit this vuln.
…
…
//
/* frame management - show the requested frame */
//
case "1" :
    // get the requested frame
    $frame = $_REQUEST['f'];  // <-- taken straight from the request and later used to include a file
    if($frame > 9) {
        $enable_debug = false; // this is to stop the debug thingy being attached to the framesets
    }
[#] Workaround
Setting magic_quotes_gpc = on will fix the first vulnerability (SQL
injection); for the second (local file inclusion), edit the source code to
ensure that the input is properly sanitised in "/manager/index.php".
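Added example (not Etomite's own code) of what "properly sanitised" looks like for the two input paths above: a strict numeric check for the "id" lookup and a fixed allow-list for the frame selected by "f". The function names getDocumentIdentifierSafe / resolveFrameFile and the frame file names are assumptions, not the real Etomite sources.

```php
<?php
// Vuln #1: "id" is a numeric document id, so accept only a positive integer
// instead of relying on strip_tags() or magic_quotes_gpc. Returns null when
// the value is unusable so the caller never builds a query from it.
function getDocumentIdentifierSafe($method) {
    switch ($method) {
        case "alias":
            // aliases are URL slugs: allow a conservative character set only
            $alias = isset($_REQUEST['q']) && is_string($_REQUEST['q']) ? $_REQUEST['q'] : '';
            return preg_match('/^[A-Za-z0-9_-]{1,64}$/', $alias) ? $alias : null;
        case "id":
            $id = isset($_REQUEST['id']) && is_string($_REQUEST['id']) ? $_REQUEST['id'] : '';
            // ctype_digit() rejects quotes, spaces, comment sequences and every
            // other character an injected clause would need; the (int) cast then
            // makes the type explicit for the query
            return (ctype_digit($id) && (int)$id > 0) ? (int)$id : null;
    }
    return null;
}

// Vuln #2: "f" selects a frame file to include. Instead of passing the request
// value to include(), map it onto a fixed allow-list so the request can only
// ever choose among files the application itself ships.
function resolveFrameFile($requested) {
    $allowed_frames = array(   // assumed file names, not Etomite's real frames
        '1' => 'frame_main.php',
        '2' => 'frame_tree.php',
        '3' => 'frame_menu.php',
    );
    if (!is_string($requested) || !array_key_exists($requested, $allowed_frames)) {
        return null;   // unknown frame: refuse rather than guess a path
    }
    return __DIR__ . '/frames/' . $allowed_frames[$requested];
}

// usage at the include site in the manager
$frame = resolveFrameFile(isset($_REQUEST['f']) ? $_REQUEST['f'] : '');
if ($frame === null) {
    header('HTTP/1.0 400 Bad Request');
    exit('invalid frame');
}
include $frame;
```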
[#] Disclosure timeline
2006/10/30 Bugs discovered
2006/10/31 Vendor contacted, no response
2006/11/15 Public Disclosure
Alfredo Pesoli 'revenge'