QuickBlog v0.8 CMS - Multiple Web Vulnerabilities

2012-05-12T00:00:00
ID 1337DAY-ID-18241
Type zdt
Reporter snup
Modified 2012-05-12T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            Title:
======
QuickBlog v0.8 CMS - Multiple Web Vulnerabilities

Introduction:
=============
QuickBlog est un gestionnaire de weblog ecrit en PHP4 compatible PHP5 et MySQL compatible MySQLi multi utilisateur multi 
langue multi theme Il est tres simple et tres lege Il utilise un editeur WYSIWYG TinyMCE avec possibilite d annexe 

(Copy of the Vendor Homepage:  http://www.comscripts.com/scripts/php.quickblog.2256.html )

Details:
========
1.1
Multiple remote SQL Injection vulnerabilities are detected in QuickBlog v0.8 CMS. The vulnerability 
allows an attacker (remote) or local low privileged user account to inject/execute own sql commands on the 
affected application dbms. Successful exploitation of the vulnerability results in dbms & application compromise. 
The vulnerabilities are located on the application post requests of gestionpost & fct_affiche.inc.


Vulnerable Module(s): 
			[+] admin/gestionpost.php
 			[+] include/fct_affiche.inc.php

1.2
Multiple persistent input validation vulnerabilities are detected in QuickBlog v0.8 CMS. The bugs allow 
remote attackers to implement/inject malicious script code on the application side (persistent). Successful 
exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context 
manipulation. Exploitation requires low user inter action & privileged user account. 

Vulnerable Module(s): 
			[+] recherche.php
			[+] commentaire/form.php
			[+] admin/samplemodifieddata.php
			[+] admin/sampleposteddata.php

Solution:
=========
In file: admin/gestionpost.php
In lines 85 - 89:

                if(isset($_GET[`page`]))
                {
                    $page = $_GET[`page`];
                    $page = $page - 1;
                }

edit:

                if(isset($_GET[`page`]))
                {
                    $page = (int)$_GET[`page`];
                }

In file: include/fct_affiche.inc.php
In lines 56 - 59:

                if(isset($_GET[`page`]))
                {
                    $page = $_GET[`page`];
                    $page = $page - 1;
                }

edit:

                if(isset($_GET[`page`]))
                {
                    $page = (int)$_GET[`page`];
                }

In file: recherche.php
In lines 52 - 55:

                if (isset($_POST[``search``]))
                {
                    $mot = $_POST[``search``];
                }

edit:

                if (isset($_POST[``search``]))
                {
                    $mot = htmlspecialchars(strip_tags($_POST[``search``]));
                }

In file: commentaire/form.php
In lines 41:

               $nom=$_POST[``nom``];

edit:

               $nom= htmlspecialchars(strip_tags($_POST[``nom``]));

In file: admin/samplemodifieddata.php
In lines 47:

               $titre = $_POST[``title``];

edit:

               $titre = htmlspecialchars(strip_tags($_POST[``title``]));

In file: admin/sampleposteddata.php
In lines 38:

              $titre = $_POST[``title``];

edit:

              $titre = htmlspecialchars(strip_tags($_POST[``title``]));



#  0day.today [2018-01-03]  #