Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:22949
HistoryDec 16, 2009 - 12:00 a.m.

Family Connections <= 2.1.3 Multiple Remote Vulnerabilities

2009-12-1600:00:00
vulners.com
29
JSON

Family Connections <= 2.1.3 Multiple Remote Vulnerabilities

Name Family Connections
Vendor http://www.familycms.com
Versions Affected <= 2.1.3

Author Salvatore Fresta aka Drosophila
Website http://www.salvatorefresta.net
Contact salvatorefresta [at] gmail [dot] com
Date 2009-12-16

X. INDEX

I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
VI. DISCLOSURE TIMELINE

I. ABOUT THE APPLICATION

Based on one of the world's leading structure and content
management systems - WebSiteAdmin, WSCreator (WS standing
for WebSite) is powerful application for handling multiple
websites. This is a commercial application.
Keep your family "Connected" with this content management
system (CMS) designed specifically with family's in mind.
Key features are: a message board, a photo gallery,
a blog-like "Family News" section, a calendar, an
address book and recipe sharing section.
Each family member has their own personal settings, like
the ability to change the website's theme.
Now with Portuguese, Czech, English, Estonian, German, and
Spanish language Support…

II. DESCRIPTION

Many fields are not properly sanitised and some checks can
be bypassed.

III. ANALYSIS

Summary:

A) Multiple Blind SQL Injection
B) Multiple Arbitrary File Upload
C) Local File Inclusion

A) Blind SQL Injection

All field that I tested are vulnerable to Blind SQL
Injection.
I can't report all vulnerable files because they are many.
The most injections don't require that Magic Quotes GPC
(php.ini) is setted to Off.
However an attacker may try to exploit this vulnerability
using the full path disclosure released by the MySQL error
to write a file into the remote file system, using as
destination path the gallery directories, where the
permissions must be setted to 777.

B) Multiple Arbitrary File Upload

When we want to write a module to upload a file, we must
check the file extension without using the Content-Type
HTTP field, because this last one can be changed. This
CMS uses the Content-Type to validate the extension.

C) Local File Inclusion

In settings.php an user can set the favorite theme to use.
This theme is included using the include_once PHP function.
The original path is themes/ but using the directory
traversal sequence, an user can include arbitrary files.
There is a limit of characters to use, infact the theme
field into the database has a length limit equal to 25.

IV. SAMPLE CODE

A) Multiple Blind SQL Injection

http://site/path/profile.php?member=1 AND IF(ASCII((SELECT CHAR(90)))
= 90, BENCHMARK(10000000, MD5(0x90)), NULL)

http://site/path/messageboard.php?thread=1 AND 1=1
http://site/path/messageboard.php?thread=1 AND 1=0

B) Multiple Arbitrary File Upload

A PoC that upload a PHP shell can be downloaded here:
http://www.salvatorefresta.net/files/poc/PoC-FC213.c

C) Local File Inclusion

Edit the POST packet and send the modified theme value
like the following: …/ReadMe.txt\0

V. FIX

No Fix.

VIII. DISCLOSURE TIMELINE

2009-12-16 Bug discovered
2009-12-16 Initial vendor contact
2009-12-16 Advisory Release

JSON