BugTraq
[MajorSecurity Advisory #28]ConPresso CMS - Multiple Cross Site Scripting and SQL Injection Issues Sep 29 2006 01:53PM
admin majorsecurity de
[MajorSecurity Advisory #28]ConPresso CMS - Multiple XSS and SQL Injection Issues

Details

=======

Product: ConPresso CMS

Affected Version: <=4.0.4a

Immune Version: 4.0.5a

Security-Risk: moderated

Remote-Exploit: yes

Vendor-URL: http://www.conpresso.com/

Vendor-Status: informed

Advisory-Status: published

Credits

============

Discovered by: David Vieira-Kurz

http://www.majorsecurity.de

Original Advisory:

============

http://www.majorsecurity.de/index_2.php?major_rls=major_rls28

Introduction

============

ConPresso CMS is a well known content management system.

More Details

============

XSS:

Input passed directly to the "nr" parameter in "detail.php", the "msg" parameter in "db_mysql.inc.php" and the "pos" parameter in "index.php" is not properly sanitised before being returned to the user.

This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

SQL injection:

Input passed directly to the "nr" parameter in "index.php" is not properly sanitised before being used in a SQL query.

This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Fix

===

Upgrade to newest version(4.0.5a)

Solution

=============

Edit the source code to ensure that input is properly sanitised.

You should work with "htmlspecialchars()" or "htmlentities()" php-function to ensure that html tags

are not going to be executed. You should also work with the "mysql_real_escape_string()" or "addslashes()" php-function to ensure that sql statements

can't be delivered over the "get" variables. Further it is recommend to set off the "register globals" option in the

"php.ini" on your webserver.

Example:

<?php

$pass = htmlentities($_POST['pass']);

$test = htmlspecialchars($_GET('test'));

$id = intval($_POST['id']);

?>

History/Timeline

================

30.07.2006 discovery of the vulnerability

02.08.2006 additional tests with other versions

03.08.2006 contacted the vendor

04.08.2006 the vendor contacted me(response)

05.08.2006 vendor confirmed the bugs

19.09.2006 new(fixed) version 4.0.5a is available

26.09.2006 advisory is written

29.09.2006 advisory released

MajorSecurity

=======

MajorSecurity is a German penetration testing and hacking security project

which consists of only one person at the present time.

I am looking for a partnership.

You can find more Information on the MajorSecurity Project at

http://www.majorsecurity.de/

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus