Type packetstorm
Reporter dB
Modified 2008-01-22T00:00:00


                                            `PacerCMS Multiple Vulnerabilities (XSS/SQL).  
Product: PacerCMS  
Version: 0.6  
Date: 01/22/08  
- Introduction  
PacerCMS is a content management solution for student and non-daily  
community newspapers.  
- Details  
PacerCMS is susceptible to both persistent cross-site scripting and  
SQL injection attacks. An attacker could use the public  
'Write a Letter'(submit.php) form to send a message to the System  
Administrator or staff member containing Javascript. The name,  
headline, or text POST variables are not sufficiently sanitized.  
The system administrator of the CMS sees a list of submitted  
messages on siteadmin/index.php right after logging in. If an  
attacker sends a message containing Javascript in the name or  
headline then the code will be run as soon as the admin logs in.  
This could lead to a staff member's session being hijacked.  
Multiple siteadmin pages are vulnerable to SQL injection. Access to  
these pages are restricted to staff members.  
- siteadmin/article-edit.php  
- siteadmin/submitted-edit.php  
- siteadmin/page-edit.php  
- siteadmin/section-edit.php  
- siteadmin/staff-edit.php  
- siteadmin/staff-access.php  
Example vulnerable code (article-edit.php)  
$id = $_GET["id"];  
$query = "SELECT * FROM cm_articles ";  
$query .= " WHERE id = $id";  
- Proof of Concept  
- Solution  
Authors were notified of security issues and responded quickly.  
Upgrade to the latest build (0.6.1).  
Author: dB  
Email: dB [at] rawsecurity ! org