EmbryoCore CMS 1.03 SQL Injection

`Title:  
======  
EmbryoCore CMS v1.03 - Multiple Web Vulnerabilities  
  
  
Date:  
=====  
2012-04-14  
  
  
References:  
===========  
http://www.vulnerability-lab.com/get_content.php?id=503  
  
  
VL-ID:  
=====  
503  
  
  
Introduction:  
=============  
EmbryoCore is a blog / content management system written using PHP5 s newest features. Highly   
customizable, XHTML:Strict compliant, with full integration of jQuery for dynamic ajax-powered content.  
  
Completely XHTML Strict compliant  
Pure CSS layouts  
Drag and drop interface for moving content around  
Static page and article entry for non-blog content  
Ajax comments system  
Ajax multi-page articles  
Ajax file manager with upload and auto-thumbnailing for images  
Ajax gallery system  
Post priviledges - every post can be configured to be seen by only guests, administrators, members etc  
Ratings and comments can be enabled or disabled on a per post basis  
Spam protection - configurable time-outs for disallowing posts within a certain time from visiting site and   
from last post made etc, also online post checking with TypePad AntiSpam  
Advanced theme templating system means you can change the look of your site with a single click, and   
building new themes is simplicity itself  
WYSIWYG editor for simple content entry  
Full categorization with sub-categories  
Cross blog communication with built in pingback  
Syndication with dynamic RSS creation for posts, comments etc  
Search engine friendly URL s  
Cache system reduces server load and speeds up page loads  
Automatic updating from the admin area  
Automatic installation of themes, plugins etc, no FTP access required  
  
Fully object orientated code  
Fully event driven  
Takes full advantage of PHP5 s new features  
Full integration with jQuery, including popular plugins like Shadowbox  
Uses PHP5 s inbuilt PDO (PHP Data Objects) class, and the powerful abstraction layer means building queries is a breeze  
Create as many sub-sites as you want from your admin area, all running off the same core code  
  
(Copy of the Vendor Homepage: http://embryocore.sourceforge.net/ )  
  
  
Abstract:  
=========  
The Vulnerability Laboratory Researcher Team discovered multiple Web Vulnerabilities in EmbryoCore v1.03.  
  
  
Report-Timeline:  
================  
2012-04-14: Public or Non-Public Disclosure  
  
  
Status:  
========  
Published  
  
  
Exploitation-Technique:  
=======================  
Remote  
  
  
Severity:  
=========  
High  
  
  
Details:  
========  
1.1  
A remote SQL Injection vulnerability (POST) is detected in EmbryoCore v1.03 content management system.  
The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands   
on the affected application dbms. Successful exploitation of the vulnerability results in dbms & application compromise.  
The vulnerability is located on the username post method.  
  
Vulnerable Module(s):  
[+] Add User or Register User Request (POST) [embryocore/index.php?event=admin:auser]  
  
  
--- SQL Exception Logs ---  
<div style=``display: none; opacity: 1;`` id=``kmessage`` class=``no-display``><img src=``  
content/themes/admin/images/apply.png`` alt=``> <strong>EmbryoCore Fatal Database error:</strong> [42000]:   
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server   
version for the right syntax to use near ``=> ``></div>  
  
  
Picture(s):  
../1.png  
  
  
  
1.2  
A persistent input validation vulnerability is detected in the EmbryoCore v1.03 web application.  
The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).  
Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent)   
context manipulation. Exploitation requires low user inter action because the admin needs to watch the user list.  
The user includes his scriptcode as profile name and the code is getting executed on the administrator section   
persistent.  
  
  
Vulnerable Module(s):  
[+] Profil & Username Input Field  
[-] Admin Control Panel - User Listing   
  
  
Picture(s):  
../2.png  
../3.png  
  
  
Proof of Concept:  
=================  
The sql injection vulnerability can be exploited by remote attackers without inter action or local low   
privileged user accounts. For demonstration or reproduce ...  
  
  
1.1  
To inject the sql command implement your statement on the user input fields and send it with the request (POST Method).  
The return will be the error or successful query of the application dbms.  
  
POST: /embryocore/index.php?ajax=admin:auser&mode=createNewUser HTTP/1.1  
POC: user_displayname=[SQL-INJECTION]&user_login=test2&[email protected]&user_password=123456&user_cpassword=hack4best  
  
  
1.2  
The persistent input validation vulnerability can be exploited by remote attackers without inter action   
or local low privileged   
user accounts. Successful exploitation requires low user inter action because the admin only have to review the user listing.   
For demonstration or reproduce ...  
  
User Listing PoC:  
<tr><td style="width: 1%; vertical-align: top;"><img src="http://www.gravatar.com/avatar.php?gravatar_id=  
56f8d37b176ad6e9dc45e7923d1296ce&default=http%3A%2F%2Fxxx.com%2Fembryocore%2Flibs%2F  
modules%2Ftemplate%2Fimages%2Fdefault_gravatar.png" alt="gravatar" style="width: 45px;">​​​​​</td><td style="  
width: 15%; vertical-align: top;"><div class="list-title"><strong>-2</strong></div>"><iframe src="  
http://www.vulnerability-lab.com" width"500"="" height="500"><br />91.37.89.26</td><td style='  
width: 20%; vertical-align: top;'>Joined:<br />Monday 09th April 2012, 04:33am</td><td   
style='width: 20%; vertical-align: top;'>Last Visit:<br />-</td><td style='width: 20%;   
vertical-align: top;'>Last Post:<br />-</td><td style='width: 2%; vertical-align: top;   
text-align: right;'><img src='http://xxx.com/embryocore/content/themes/admin/images/comment.png'   
alt='comments' title='comments' /> 0</td></tr>  
<tr>  
  
  
Risk:  
=====  
1.1  
The security risk of the sql injection vulnerability via post method is estimated as high(-).  
  
1.2  
The security risk of the persistent vulnerability is estimated as medium(+).  
  
  
Credits:  
========  
Vulnerability Research Laboratory - Kevin J. (Silent_0x)  
  
  
Disclaimer:  
===========  
The information provided in this advisory is provided as it is without any warranty. Vulnerability-Lab disclaims all warranties,   
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-  
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business   
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some   
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation   
may not apply. Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability-  
Lab. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of   
other media, are reserved by Vulnerability-Lab or its suppliers.  
  
Copyright © 2012 Vulnerability-Lab  
  
  
  
  
--   
VULNERABILITY RESEARCH LABORATORY TEAM  
Website: www.vulnerability-lab.com  
Mail: [email protected]  
  
`