ezContents CMS 2.0.3 Bypass / SQL Injection

`##########################www.BugReport.ir########################################  
#  
# AmnPardaz Security Research Team  
#  
# Title: ezContents CMS Multiple Vulnerabilities  
# Vendor: http://ezcontents.org/  
# Vulnerable Version: 2.0.3 (and prior versions)  
# Exploitation: Remote with browser  
# Fix: N/A  
###################################################################################  
  
####################  
- Description:  
####################  
  
ezContents is a nice PHP CMS which allow management of dynamic   
contents and web publishing.  
  
####################  
- Vulnerability:  
####################  
  
+--> SQL Injection  
Most of GET and POST parameters are not sanitized before being used in   
SQL query.  
  
Vulnerable Pages/Affected Parameters:  
- 'admin/adminlogin.php'/'login'  
- 'bannerclick.php'/'id'  
- 'comments.php'/'article'  
- 'control.php'/'topgroupname' and 'groupname'  
- 'headeruserdata.php'/'topgroupname' and 'groupname'  
- 'login.php'/'subgroupname' and 'groupname' and 'topgroupname' and 'login'  
- 'menu.php'/'groupname' and 'topgroupname'  
- 'module.php'/'topgroupname' and 'groupname'  
- 'modules/diary/m_diaryform.php'/'DiaryID'  
- 'modules/diary/showdiary.php'/'month' and 'year'  
- 'modules/diary/showdiarydetail.php'/'diaryid'  
- 'modules/gallery/m_galleryform.php'/'galleryID'  
- 'modules/gallery/showgallerydetails.php'/'galleryid'  
- 'modules/links/m_linksform.php'/'GuestbookID'  
- 'modules/guestbook/m_guestbookform.php'/'LinkID'  
- 'modules/modfunctions.php'/'topgroupname'  
- 'modules/news/m_news.php'/'NewsID'  
- 'modules/news/shownewsdetails.php'/'newsid'  
- 'modules/poll/m_pollform.php'/'PollID'  
- 'modules/poll/m_polloptiondel.php'/'PollOptionID'  
- 'modules/poll/m_polloptions.php'/'PollID'  
- 'modules/poll/m_polloptionsform.php'/'PollOptionID'  
- 'modules/reviews/m_reviewsform.php'/'reviewsID'  
- 'modules/reviews/showreviewdetails.php'/'reviewsid'  
- 'printer.php'/'article'  
- 'rateit.php'/'article'  
- 'selectsite.php'/'Site'  
- 'selecttheme.php'/'Theme'  
- 'showcontents.php'/'groupname' and 'subgroupname' and 'topgroupname'  
- 'showdetails.php'/'contentname'  
- 'userinfo.php'/'topgroupname'  
  
+--> Authentication Bypass  
Authentication Bypass in 'comments.php'. No check for login performed.  
  
  
####################  
- Exploits/PoCs:  
####################  
  
The admin password can be extracted using timing attack.  
The general SQL Injection vector for exploiting login page  
is:  
admin' AND IF(@Condition,BENCHMARK(1000000, md5(10)),2) OR '1'='1  
In the above vector @Condition can be replaced with any boolean  
experation and in case of true value page will have a sensible wait  
before starting transfer phase.  
For extracting password, we first find the length of password  
using 'length(userpassword)>**' as @Condition and binary search on  
** pass length.  
Then we can find i-th character of the password using  
"substring(userpassword,i,1) > '*'" as @Condition and binary search  
on the * as characters.  
  
####################  
- Solution:  
####################  
  
Edit the source code to ensure that inputs are properly sanitized.  
  
####################  
- Original Advisory:  
####################  
  
http://www.bugreport.ir/index_65.htm  
  
####################  
- Credit:  
####################  
AmnPardaz Security Research Team  
Contact: admin[4t}bugreport{d0t]ir  
www.BugReport.ir  
www.AmnPardaz.com  
`