pacercms-sqlxss.txt

2008-01-22T00:00:00
ID PACKETSTORM:62879
Type packetstorm
Reporter dB
Modified 2008-01-22T00:00:00

Description

PacerCMS Multiple Vulnerabilities (XSS/SQL).  
--------------------------------------------------------  
  
Product: PacerCMS  
Version: 0.6  
Vendor: http://pacercms.sourceforge.net/  
Date: 01/22/08  
  
- Introduction  
  
PacerCMS is a content management solution for student and non-daily  
community newspapers.  
  
- Details  
  
PacerCMS is susceptible to both persistent cross-site scripting and  
SQL injection attacks. An attacker could use the public  
'Write a Letter' (submit.php) form to send a message to the System  
Administrator or a staff member containing JavaScript. The name,  
headline, and text POST variables are not sufficiently sanitized.  
  
The system administrator of the CMS sees a list of submitted  
messages on siteadmin/index.php right after logging in. If an  
attacker sends a message containing Javascript in the name or  
headline then the code will be run as soon as the admin logs in.  
This could lead to a staff member's session being hijacked.  
  
Multiple siteadmin pages are vulnerable to SQL injection. Access to  
these pages is restricted to staff members.  
  
- siteadmin/article-edit.php  
- siteadmin/submitted-edit.php  
- siteadmin/page-edit.php  
- siteadmin/section-edit.php  
- siteadmin/staff-edit.php  
- siteadmin/staff-access.php  
  
Example vulnerable code (article-edit.php):  
$id = $_GET["id"];        // taken straight from the query string, unvalidated  
...  
$query = "SELECT * FROM cm_articles ";  
$query .= " WHERE id = $id";   // string concatenation, no quoting or binding  
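The hardened counterpart of the two patterns described above, written here as an added example; it is not PacerCMS code and not the fix shipped in 0.6.1. The table and column names (cm_articles, id, name, headline) come from the advisory; the DSN, credentials and function names (db, loadArticle, renderSubmittedList, e) are assumptions. The SQL side binds a validated integer through a prepared statement instead of concatenating $_GET["id"]; the XSS side HTML-encodes the stored name and headline at the moment they are rendered on the admin listing.

```php
<?php
// Added example (not PacerCMS code). Assumed DSN/credentials and helper names.

function db(): PDO {
    // ATTR_EMULATE_PREPARES=false makes the server do the parameter binding,
    // so the value can never be parsed as part of the SQL text.
    return new PDO('mysql:host=localhost;dbname=pacercms', 'user', 'pass', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// SQL injection fix for the article-edit.php pattern: reject anything that
// is not a positive integer, then bind it rather than interpolating it.
function loadArticle(PDO $pdo, $rawId): ?array {
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);           // "id=1 OR 1=1" style input stops here
        return null;
    }
    $stmt = $pdo->prepare('SELECT * FROM cm_articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Stored XSS fix for the submit.php -> siteadmin/index.php flow: keep the
// submission as submitted, encode it for the HTML context when displaying it.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSubmittedList(array $rows): string {
    $html = "<table>\n";
    foreach ($rows as $r) {
        $html .= '<tr><td>' . e($r['name']) . '</td><td>' . e($r['headline']) . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed sample rows standing in for the cm submitted-letters table.
$constructed = [
    ['name' => '<script>alert(document.cookie)</script>', 'headline' => 'Hello "world"'],
    ['name' => 'Plain Reader',                            'headline' => "O'Neill's letter"],
];
echo renderSubmittedList($constructed);
// The first row is emitted as &lt;script&gt;...&lt;/script&gt;, so the admin's
// browser displays the markup as text instead of executing it.

$article = loadArticle(db(), $_GET['id'] ?? '');
```

Encoding at output rather than at input matters here because the same name or headline may later be rendered in a different context (a mail to staff, a JSON feed), each of which needs its own encoding; storing the raw value and choosing the encoder per context avoids both double-encoding and gaps.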
  
- Proof of Concept  
  
http://[site]/pacercms/siteadmin/article-edit.php?id=[SQL]  
  
- Solution  
  
Authors were notified of security issues and responded quickly.  
Upgrade to the latest build (0.6.1).  
  
Author: dB  
Email: dB [at] rawsecurity ! org  
  
  