arcadem-sql.txt

`Arcadem Remote File Inclusion Flaw / SQL Injection  
  
Software: Arcadem 2.01  
Vendor link: http://agaresmedia.com  
Attack: Remote File Inclusion / SQL Injection  
Original advisory:  
http://14house.blogspot.com/2007/08/arcadem-rfi-sql-injection-flaws.html  
  
Discovered by: David Sopas Ferreira a.k.a SmOk3 < smok3f00 at gmail.com >  
  
Google dork:"Powered by AMCMS3"  
  
Remote File Inclusion  
---------------------  
It is possible for a remote attacker to include a file from local or  
remote resources and/or execute arbitrary script code with the  
privileges of the webserver.  
  
Proof of Concept:  
  
index.php?loadpage=../../../../file  
index.php?loadpage=[evilscript]  
  
Solution:  
  
Edit the source code to ensure that input is properly validated. Where  
is possible, it is recommended to make a list of accepted filenames  
and restrict the input to that list.  
  
For PHP, the option allow_url_fopen would normally allow a programmer  
to open, include or otherwise use a remote file using a URL rather  
than a local file path. It is recommended to disable this option from  
php.ini.  
  
  
SQL Injection  
-------------  
An attacker may execute arbitrary SQL statements on the vulnerable  
system. This may compromise the integrity of your database and/or  
expose sensitive information.  
  
Proof of Concept:  
  
index.php?blockpage=%2E%2Findex%2Ephp  
%3Fblockpage%3D1%26cat%3D&cat=[SQL Injection]  
index.php?blockpage=%2E%2Findex%2Ephp  
%3Fblockpage%3D1%26cat%3D&cat='  
  
  
Solution:  
  
Your script should filter metacharacters from user input.  
  
  
Vendor was contacted by email and didn't not replied.  
  
  
`