High-Tech Bridge advisory HTB22734
Dec 02, 2010

Multiple Vulnerabilities in HTML-EDIT CMS

2010-12-02 00:00:00
High-Tech Bridge
www.htbridge.com

EPSS: 0.005 (Low), percentile 76.8%

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in HTML-EDIT CMS which could be exploited to perform cross-site scripting and SQL injection attacks.

  1. Cross-site scripting (XSS) vulnerability in HTML-EDIT CMS: CVE-2010-4610
    The vulnerability exists due to an input sanitization error in the “error” parameter of index.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
    Exploitation example:
    http://[host]/index.php?error=<script>alert(document.cookie)</script>

  2. SQL injection vulnerabilities in HTML-EDIT CMS: CVE-2010-4609
    The vulnerability exists due to input sanitization errors in the “nuser” parameter of index.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.
    Exploitation example:
    <form action="http://[host]/index.php?pageid=ext&ext=login&extpage=registrate" method="post" name="main" >
    <input type="hidden" name="nuser" value="123'SQL_CODE"/>
    <input type="hidden" name="npass" value="password"/>
    <input type="hidden" name="renpass" value="password"/>
    <input type="hidden" name="gvrg" value="1"/>
    <input type="hidden" name="antw" value="2"/>
    <input type="hidden" name="email" value="[email protected]"/>
    <input type="submit" value="Registrate" name="submit" />
    </form>

  3. Installation path disclosure weakness in HTML-EDIT CMS: CVE-2010-4611
    The weakness was found in the includes/core_files/pages.php, includes/core_files/menu.php and extensions/login/frontend/pages/antihacker.php scripts. A remote attacker can obtain knowledge of the application's installation folder by directly accessing the vulnerable scripts.
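
For defenders, the three issues above leave different traces in web server logs. The following triage script is an added example, not code from the advisory or from HTML-EDIT CMS; it assumes Apache/nginx combined-format access logs, and the sample lines, the `classify`/`scan` names and the markup heuristic are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Scripts the advisory lists as disclosing the installation path when requested directly.
DIRECT_ACCESS = (
    "includes/core_files/pages.php",
    "includes/core_files/menu.php",
    "extensions/login/frontend/pages/antihacker.php",
)
# Heuristic (assumption): a legitimate "error" message carries no markup characters.
MARKUP = re.compile(r"[<>\"']|javascript:", re.I)
# Assumed log format: Apache/nginx "combined"; captures client IP, method, request target.
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')

# Constructed sample lines (documentation addresses), not real traffic.
SAMPLE = [
    '192.0.2.10 - - [02/Dec/2010:10:00:00 +0000] "GET /index.php?error=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512',
    '192.0.2.11 - - [02/Dec/2010:10:00:05 +0000] "GET /includes/core_files/menu.php HTTP/1.1" 200 230',
    '192.0.2.12 - - [02/Dec/2010:10:00:09 +0000] "GET /index.php?error=Wrong+password HTTP/1.1" 200 498',
    '192.0.2.13 - - [02/Dec/2010:10:00:12 +0000] "POST /index.php?pageid=ext&ext=login&extpage=registrate HTTP/1.1" 200 801',
]


def classify(line):
    """Return (client_ip, finding) for a log line, or None if nothing matches."""
    m = LINE.match(line)
    if not m:
        return None
    ip, method, target = m.groups()
    url = urlsplit(target)
    path = url.path.lstrip("/")
    # endswith() because the CMS may be installed below the web root.
    if any(path.endswith(p) for p in DIRECT_ACCESS):
        return ip, "path-disclosure: direct request to " + path
    if path.rsplit("/", 1)[-1] == "index.php":
        query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
        if any(MARKUP.search(v) for v in query.get("error", [])):
            return ip, "xss: markup in 'error' parameter"
        # "nuser" travels in the POST body, which access logs do not record,
        # so registration POSTs are only surfaced for correlation with application logs.
        if method == "POST" and query.get("extpage") == ["registrate"]:
            return ip, "review: registration POST (nuser not visible in access log)"
    return None


def scan(lines):
    """Classify every line and keep only the findings."""
    return [r for r in map(classify, lines) if r]

if __name__ == "__main__":
    for ip, finding in scan(SAMPLE):
        print(ip, finding)
```
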

CPE
Name             Operator    Version
html-edit cms    le          3.1.8
