Elite Graphix ElitCMS 1.01 & PRO - Multiple Web Vulnerabilities
Elite CMS is a web content management system made for the peoples who don`t have much technical knowledge of HTML or PHP but know how to use a simple notepad with computer keyboard. Elite CMS Pro is a successor of the eliteCMS .
Elite CMS was made available free to public last year i.e. 2008. Since then i have received hundreds of appreciation email from the users of eliteCMS world wide. Some user of my eliteCMS want some more robust and powerful features. Due to the huge response from the users i have decided to write pro edition of eliteCMS.
All new features in pro edition of the eliteCMS is based on the feedbacks and suggestions made by users of eliteCMS - The Lightweight CMS. Some users suggested that eliteCMS should have multilevel menu navigation with sub pages support, some suggested multiple web forms support for cms pages, some want more flexible and easy to understand template system.
(Copy of the Homepage: http://elitecms.net/elitecmspro.php )
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the Elite-Graphix `ElitCMS` v1.01 web-application.
2013-10-18: Public Disclosure (Vulnerability Laboratory)
Elite Graphix Product: ElitCMS - Web Application 1.01
1.1 A remote sql injection web vulnerability is detected in the official Elite-Graphix `ElitCMS` v1.01 web-application. The vulnerability allows remote attackers to unauthorized inject own sql commands to compromise the application dbms.
The vulnerability is located in the `page` value of the index.php file. Remote attackers are able to inject own sql commands in the page parameter GET method request to compromise the database management system or web-application. The issue is a classic order by sql injection vulnerability.
Exploitation of the sql injection web vulnerability requires no user interaction or privileged application user account. Successful exploitation of the sql injection bug results in database management system and web-application compromise.
Vulnerable Module(s): [+] Index
Vulnerable File(s): [+] index.php
Vulnerable Parameter(s): [+] page
1.2 A client-side post inject web vulnerability is detected in the official Elite Graphix ElitCMS v1.01 web-application. The vulnerability allows remote attackers to manipulate via POST method web-application to browser requests (client-side).
The vulnerability is located in the contact form module of the application in the name value parameter. Remote attackers can inject own malicious persistent script codes as name value in the contact form when processing to send via POST method. The script code execute occurs in the thanks page in the context of the echo name value.
Successful exploitation of the client-side POST inject web vulnerability results in session hijacking, client-side phishing, client-side unauthorized external redirects and client-side manipulation of the contact formular module context.
Vulnerable Module(s): [+] Contact Formular
Vulnerable File(s): [+] page
Vulnerable Parameter(s): [+] name
1.1 The sql injection web vulnerability can be exploited by remote attackers without privileged application user account and also without user interaction. For demonstration or to reproduce ...
PoC: #1 - Standard Edition http://elit.localhost:8080/elitecms/index.php?page=-1%27[ORDER BY SQL INJECTION VULNERABILITY!]--
--- DBMS SQL Exception Logs --- Database Query failed ! Check Database Settings. You have an error in your SQL syntax; Check the manual that corresponds to your MySQL server version for the right syntax to use near ''-1''' at line 1
PoC: #2 - PRO Edition http://elit.localhost:8080/index.php?mpage=3&subpage=-1%27[ORDER BY SQL INJECTION VULNERABILITY!]--
--- DBMS SQL Exception Logs --- Database Query failed ! Check Database Settings. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '-'''' at line 1
1.2 The client-side post inject web vulnerability can be exploited by remote attackers without privileged application user account and with low or medium user interaction. For demonstration or reproduce ...
PoC: Thanks - (Page echo with vulnerable Name value)
<div id="content"> <h1>Contact Information</h1> <p id="eq3">Feel free to contact us with your feedbacks .<br><br>Use contact form below to send us quick email.<br></p> <div class="ctFrmHd">-: Contact Form :-</div> <span class="successMsg">Thank you dear <span>>"<<"<><>"<[CLIENT-SIDE INJECTED SCRIPT CODE VIA POST!]"></span> your message has been send successfully.</span><form name="contactForm" method="post" action=""> <table width="419" border="0" cellpadding="8" cellspacing="0" id="contcatFormTbl"> <tr> <td width="88"> Name :</td> <td width="304"><input type="text" name="name" id="name" class="frmInput" value=">"<[CLIENT-SIDE INJECTED SCRIPT CODE VIA POST!]>"/></td> </tr>
Note: As default the page=3 is available as contact formular but it can also be located in other module of the elit-cms.
1.1 The sql injection web vulnerability can be patched by the implement of a secure statement to the page value and index.php file. Also restrict the page value request and ensure the output is secure encoded. Disallow the display of sql debug/errors logs in the cms main context. Setup a own module to log sql errors in the acp.
1.2 The client-side post inject web vulnerability can be patched by a secure parse and encode of the name value in the post method request and the thanks page echo message.
1.1 The security risk of the sql injection web vulnerability is estimated as critical.
1.2 The security risk of the client-side post inject web vulnerability is estimated as low(+)|(-)medium.
Vulnerability Laboratory [Research Team] - Katharin S. L. (CH)
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com Contact: email@example.com - firstname.lastname@example.org - email@example.com Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (firstname.lastname@example.org or email@example.com) to get a permission.
Copyright © 2013 | Vulnerability Laboratory [Evolution Security]
-- VULNERABILITY LABORATORY RESEARCH TEAM DOMAIN: www.vulnerability-lab.com CONTACT: firstname.lastname@example.org