leaftec CMS - Multiple vulnerabilities

ID EDB-ID:11889
Type exploitdb
Reporter Valentin
Modified 2010-03-26T00:00:00


leaftec cms multiple vulnerabilities. Webapps exploit for php platform

                                            # Exploit Title: leaftec cms multiple vulnerabilities
# Date: 21.03.2010
# Author: Valentin Höbel
# Version: 
# Tested on: Debian etch 
# CVE :  
# Code : 

:: General information
:: leaftec cms multiple vulnerabilities discovered
:: by Valentin Höbel
:: valentin@xenuser.org

:: Product information
:: Name = leaftec cms
:: Vendor = leaftec
:: Vendor Website = http://www.leaftec.de/
:: About the product = http://www.leaftec.de/serv_cms.php
:: Affected versions = 
:: Google dork: e.g. "© 2006 leaftec Design"

:: Vulnerabilities

#1 SQL Injection
Sadly the CMS is not available for free download but some German companies are using it.
leaftec cms contains a blog feature which displays written content, file: article.php. 

Vulnerable URL:

Examples for testing and injecting SQL stuff:
(Tested on a live website using leaftec cms.)

#2 XSS / HTML Code Injection
Several parts of the CMS allow HTML and Java Script code injection, e.g. the login box.
After submitting the form the cms puts a red border around the login and password field but
also implements the injected code into the website.

Example for HTML code:
"><iframe src=http://www.google.de></iframe>

:: Additional information
:: Vendor contacted = 21.03.2010
:: Vulnerabilities fixed = no reply received
:: Solution = Upgrade to version XX or higher if available