Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

chillyCMS 1.1.3 Multiple Vulnerabilities

🗓️ 27 Aug 2010 00:00:00Reported by indoushkaType 
zdt
 zdt🔗 0day.today👁 27 Views

chilleyCMS 1.1.3 Multiple Vulnerabilities, including SQL Injection and Reflective XS

Code
========================================
chillyCMS 1.1.3 Multiple Vulnerabilities
========================================


1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : Inj3ct0r.com                                  0
1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
0                                                                      0
1                    #######################################           1
0                    I'm indoushka member from Inj3ct0r Team           1
1                    #######################################           0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

######################################################################## 

# Vendor:  http://www.mnzo3.com/vb/

# Date: 2010-05-27 

# Author : indoushka 

# R.I.P : www.Milw0rm.com,www.Tryag.cc,www.dz-security.com ! 

# Contact : 00213771818860

# Home : www.is3cur1ty.com

# Bug  : Mullti

# Tested on : windows SP2 Fran?ais V.(Pnx2 2.0) 
######################################################################## 
                                                                                ####################
- Description:
####################
 
chillyCMS is a Content Management System. Its main features are: 
easily edit your content in a WYSIWYG editor,
manage your users in different groups with different rights, upload 
single files or whole zip archives,
insert your pictures into the content by drag and drop, one click 
backup with integrated installer,
extend your cms with various modules, see which articles are most 
popular in the statistics.
 
 
####################
- Vulnerability:
####################
 
+--> SQL Injection
    The username, in the login form, is one-parenthesis single-quoted 
injectable. For details check
    the PoC section.
 
+--> Reflective XSS
    Whenever login failed, the username will be printed without 
sanitizing on the main page. This could
    be used for executing any JavaScript code.
 
####################
- Exploits/PoCs:
####################
 
+--> Exploiting The (MySQL) SQL Injection Vulnerability:
    Simply go to the login page at 
'victim.com/chillyCMS/core/show.site.php' and use
    the following vector for injecting arbitrary queries:
        ') or $THE_QUERY or 1=('
    For example you may use following vector for extracting the pw field 
(for password) of the admin user
        admin')and substr(pw,I,1)=('C
    replacing the I with the index of char in a loop and C with different 
characters of it. If the query result
    was true, username will be accepted and wrong password error will be 
shown. If the query result was false,
    then username will be rejected and the wrong username error will be 
shown. Allowing blind SQL injection
    to be performed.
 
+--> Exploiting The Reflective XSS Vulnerability:
    Use the following sample vector in the username field of the login 
page (or any other valid JavaScript
    code) => username:      <script>alert('XSS')</script>
 
####################
- Solution:
####################
 
White-list the input parameters before using them in the SQL queries, 
removing any ', \, ( characters
or more simply restrict the parameters' length to a small length.
                                        

Reinstall Script :

1 - http://127.0.0.1/chillyCMS/installation/step2.site.php?installlang=en

CRLF injection/HTTP response splitting :

Vulnerability description:

This script is possibly vulnerable to CRLF injection attacks. 

HTTP headers have the structure "Key: Value", where each line is separated by the CRLF combination. If the user input is injected into the value section without properly escaping/removing CRLF characters it is possible to alter the HTTP headers structure.
HTTP Response Splitting is a new application attack technique which enables various new attacks such as web cache poisoning, cross user defacement, hijacking pages with sensitive user information and cross-site scripting (XSS). The attacker sends a single HTTP request that forces the web server to form an output stream, which is then interpreted by the target as two HTTP responses instead of one response. 

Affected items:

/chillyCMS/admin/index.php 

The impact of this vulnerability:

Is it possible for a remote attacker to inject custom HTTP headers. For example, an attacker can inject session cookies or HTML code. This may conduct to vulnerabilities like XSS (cross-site scripting) or session fixation. 

How to fix this vulnerability:

You need to restrict CR(0x13) and LF(0x10) from the user input or properly encode the output in order to prevent the injection of custom HTTP headers. 

Backup File :

3 - http://127.0.0.1/chillyCMS/backup/files/

Dz-Ghost Team ===== Saoucha * Star08 * Cyber Sec * theblind74 * XproratiX * onurozkan * n2n * Meher Assel ===========================
special thanks to : r0073r (inj3ct0r.com) * L0rd CruSad3r * MaYur * MA1201 * KeDar * Sonic * gunslinger_ * SeeMe * RoadKiller 
Sid3^effects * aKa HaRi * His0k4 * Hussin-X * Rafik * Yashar * SoldierOfAllah * RiskY.HaCK * Stake * r1z * D4NB4R * www.alkrsan.net 
MR.SoOoFe * ThE g0bL!N * AnGeL25dZ * ViRuS_Ra3cH * Sn!pEr.S!Te 
---------------------------------------------------------------------------------------------------------------------------------
chillyCMS ©2008 - 2010 Stefanie Wiegand & Johannes Cox



#  0day.today [2018-01-05]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
27 Aug 2010 00:00Current
7.1High risk
Vulners AI Score7.1
content management systemsql injectionreflective xssexploitssecurity solution
27