High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in HTML-EDIT CMS which could be exploited to perform cross-site scripting and SQL injection attacks.
Cross-site scripting (XSS) vulnerability in HTML-EDIT CMS: CVE-2010-4610
The vulnerability exists due to an input sanitization error in the "error" parameter in index.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:
http://[host]/index.php?error=<script>alert(document.cookie)</script>
SQL injection vulnerabilities in HTML-EDIT CMS: CVE-2010-4609
The vulnerability exists due to input sanitization errors in the "nuser" parameter in index.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.
Exploitation example:
<form action="http://[host]/index.php?pageid=ext&ext=login&extpage=registrate" method="post" name="main">
<input type="hidden" name="nuser" value="123'SQL_CODE"/>
<input type="hidden" name="npass" value="password"/>
<input type="hidden" name="renpass" value="password"/>
<input type="hidden" name="gvrg" value="1"/>
<input type="hidden" name="antw" value="2"/>
<input type="hidden" name="email" value="[email protected]"/>
<input type="submit" value="Registrate" name="submit"/>
</form>
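The two input-handling issues above share a request shape (index.php, the "error" query parameter, and the "nuser" field of the registration POST), so a single request-inspection rule can flag both. The following is an added detection example, not code from the advisory or from HTML-EDIT CMS; the sample requests are constructed here and the CVE labels it returns are the advisory's own identifiers.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Constructed sample requests (method, path+query, POST body), not real traffic.
# Request 0 mirrors the advisory's XSS example; request 2 mirrors its "123'SQL_CODE"
# placeholder in the registration form.
SAMPLE_REQUESTS = [
    ("GET", "/index.php?error=%3Cscript%3Ealert(document.cookie)%3C/script%3E", ""),
    ("GET", "/index.php?error=Login+failed", ""),
    ("POST", "/index.php?pageid=ext&ext=login&extpage=registrate",
     "nuser=123%27&npass=password&renpass=password&gvrg=1&antw=2&email=user%40example.invalid"),
    ("POST", "/index.php?pageid=ext&ext=login&extpage=registrate",
     "nuser=alice&npass=password&renpass=password&gvrg=1&antw=2&email=alice%40example.invalid"),
]

# Any opening/closing tag in the reflected "error" value is enough to flag:
# the parameter is a human-readable message and never needs markup.
HTML_TAG = re.compile(r"<\s*/?\s*[a-z!]", re.IGNORECASE)
# A quote breaks out of the string literal the advisory describes; comment
# markers and statement separators are the usual companions.
SQL_META = re.compile(r"['\"]|--|/\*|;")


def _params(raw: str) -> dict:
    """Last value per key, decoded twice so one layer of double-encoding is not missed."""
    return {k: unquote_plus(vs[-1]) for k, vs in parse_qs(raw, keep_blank_values=True).items()}


def classify(method: str, target: str, body: str) -> list:
    """Return the advisory items a request matches (CVE-2010-4610 and/or CVE-2010-4609)."""
    parts = urlsplit(target)
    findings = []
    if parts.path.endswith("/index.php"):
        query = _params(parts.query)
        # CVE-2010-4610: markup in the reflected "error" parameter.
        if HTML_TAG.search(query.get("error", "")):
            findings.append("CVE-2010-4610")
        # CVE-2010-4609: SQL metacharacters in "nuser" posted to the registration page.
        on_registration = query.get("extpage") == "registrate"
        if method == "POST" and on_registration and SQL_META.search(_params(body).get("nuser", "")):
            findings.append("CVE-2010-4609")
    return findings


def scan(requests=SAMPLE_REQUESTS) -> list:
    """(index, findings) for every request that matched at least one rule."""
    return [(i, f) for i, f in ((i, classify(*r)) for i, r in enumerate(requests)) if f]
```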
Installation path disclosure weakness in HTML-EDIT CMS: CVE-2010-4611
The weakness was found in the includes/core_files/pages.php, includes/core_files/menu.php and extensions/login/frontend/pages/antihacker.php scripts. A remote attacker can obtain knowledge of the application's installation folder by directly accessing the vulnerable scripts.
| CPE | Name | Operator | Version |
|---|---|---|---|
| | html-edit cms | le | 3.1.8 |