Jaow - exploit.company

vendor:

Jaow CMS

by:

kallimero

7.5

CVSS

HIGH

Blind SQL Injection

CWE

Product Name: Jaow CMS

Affected Version From: 2.4.2005

Affected Version To: 2.4.2005

Patch Exists: YES

Related CWE:

CPE:

Metasploit:

Other Scripts:

Platforms Tested: Debian GNU/Linux

2012

Jaow <= 2.4.5 Blind Sql Injection

A blind SQL injection vulnerability exists in the 2.4.5 core of Jaow. The vulnerable page is add_ons.php, where the add_ons variable is not properly sanitized before being used in an SQL query. An attacker can exploit this vulnerability by injecting malicious SQL code into the add_ons parameter. This can lead to unauthorized access to the database.

Mitigation:

Update to the latest version of Jaow (2.4.5) available at http://www.jaow.net/Article-97. Additionally, sanitize user input before using it in SQL queries.

Source

Exploit-DB raw data:

# Exploit Title: Jaow <= 2.4.5 Blind Sql Injection
# Google Dork: intext:"propuls� par jaow 2.4.5"
# Date: 23/05/2012
# Software Link: http://www.jaow.net/telechargements/Jaow_V2.4.5.zip
# Version: 2.4.5
# Tested on: Debian GNU/Linux
# Author: kallimero


= Introduction =


Jaow is a CMS that can manage sites of small sizes, thanks to its simple,
commented code you can easily create templates and / or create modules to
suit your needs. Jaow is the solution for small sites, blogs or portfolio.

= Details =

Unfortunately, a Blind SQL injection is possible in the 2.4.5 core.

Vulnerable page : add_ons.php
Extract from the source :

-------------[ add_ons.php ]--------------
   // On stocke dans une variable simple le add_on demand�
    $add_on = stripslashes($_GET['add_ons']);

    // On recherche si l'add_on est install�

    echo 'SELECT id,nom FROM '.$db_prefix.'add_ons WHERE nom="'.$add_on.'"
AND actif="1"';

    $query_add_ons = mysql_query('SELECT id,nom FROM '.$db_prefix.'add_ons
WHERE nom="'.$add_on.'" AND actif="1"');

-------------[ add_ons.php ]--------------

So, we can inject sql with the add_ons variable, like that :
http://[site]/[path]/add_ons.php?add_ons=[SQL injection]


= Solutions =

Update is avalaible here : http://www.jaow.net/Article-97


= Thanks =

Thanks to  necromoine, fr0g, st0rn, applestorm, Zhyar, k3nz0, m4ke and all
hwc-crew members. http://hwc-crew.com/
And all npn members. http://n-pn.info/