GeniXCMS v0.0.1 Remote Unauthenticated SQL Injection Exploit

2015-03-10T00:00:00
ID ZSL-2015-5232
Type zeroscience
Reporter Gjoko Krstic
Modified 2015-03-10T00:00:00

Description

Title: GeniXCMS v0.0.1 Remote Unauthenticated SQL Injection Exploit
Advisory ID: ZSL-2015-5232
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 10.03.2015

Summary

GenixCMS is a PHP Based Content Management System and Framework (CMSF). It's a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to Advanced Developer. Some manual configurations are needed to make this application to work.

Description

Input passed via the 'page' GET parameter and the 'username' POST parameter is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Vendor

MetalGenix - <http://www.genixcms.org>

Affected Version

0.0.1

Tested On

nginx/1.4.6 (Ubuntu)
Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21

Vendor Status

[05.03.2015] Vulnerability discovered.
[05.03.2015] Vendor contacted.
[06.03.2015] Vendor responds asking more details.
[06.03.2015] Sent details to the vendor.
[07.03.2015] Vendor promises fix soon.
[10.03.2015] Vendor releases patched version.
[10.03.2015] Public security advisory released.

PoC

genixcms_sqli.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://blog.metalgenix.com/update-security-fix-and-add-newsletter-module/16>
[2] <https://github.com/semplon/GeniXCMS/commit/698245488343396185b1b49e7482ee5b25541815>
[3] <http://www.exploit-db.com/exploits/36321/>
[4] <http://osvdb.org/show/osvdb/119392>
[5] <http://osvdb.org/show/osvdb/119393>
[6] <http://cxsecurity.com/issue/WLB-2015030067>
[7] <http://packetstormsecurity.com/files/130770>
[8] <https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101498>
[9] <http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2679>
[10] <https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2679>

Changelog

[10.03.2015] - Initial release
[11.03.2015] - Added reference [4], [5], [6] and [7]
[13.03.2015] - Added reference [8]
[24.03.2015] - Added reference [9] and [10]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk

                                        
                                            &lt;html&gt;&lt;head&gt;&lt;title&gt;403 Nothing to see.&lt;/title&gt;
&lt;link rel="Shortcut Icon" href="favicon.ico" type="image/x-icon"&gt;
&lt;style type="text/css"&gt;
&lt;!--
body {
	background-color: #000;
}
body,td,th {
	font-family: Verdana, Geneva, sans-serif;
}
a:link {
	color: #008FEF;
	text-decoration: none;
}
a:visited {
	color: #008FEF;
	text-decoration: none;
}
a:hover {
	text-decoration: underline;
	color: #666;
}
a:active {
	text-decoration: none;
}
--&gt;
&lt;/style&gt;
&lt;/head&gt;
&lt;body bgcolor=black&gt;
&lt;center&gt;
&lt;font color="#7E88A3" size="2"&gt;
&lt;br /&gt;&lt;br /&gt;
&lt;h1&gt;403 Nothing to see.&lt;/h1&gt;

You do not have the powah for this request /403.shtml&lt;br /&gt;&lt;br /&gt;
&lt;font size="2"&gt;&lt;a href="https://www.zeroscience.mk"&gt;https://www.zeroscience.mk&lt;/a&gt;&lt;/font&gt;
&lt;/font&gt;&lt;/center&gt;
&lt;/body&gt;&lt;/html&gt;