ConPresso CMS - Multiple Cross Site Scripting and SQL Injection Issues






[MajorSecurity Advisory #28] ConPresso CMS - Multiple XSS and SQL Injection Issues

Details
=======
Product: ConPresso CMS
Affected Version: <=4.0.4a
Immune Version: 4.0.5a
Security-Risk: moderated
Remote-Exploit: yes
Vendor-URL: http://www.conpresso.com/
Vendor-Status: informed
Advisory-Status: published

Credits
=======
Discovered by: David Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:
==================
http://www.majorsecurity.de/index_2.php?major_rls=major_rls28

Introduction
============
ConPresso CMS is a well-known content management system.

More Details
============
XSS:
Input passed directly to the "nr" parameter in "detail.php", the "msg" parameter in "db_mysql.inc.php" and the "pos" parameter in "index.php" is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

SQL injection:
Input passed directly to the "nr" parameter in "index.php" is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Fix
===
Upgrade to the newest version (4.0.5a).

Solution
========
Edit the source code to ensure that input is properly sanitised.
Use the "htmlspecialchars()" or "htmlentities()" PHP functions to ensure that HTML tags in user input are encoded rather than rendered. Also use the "mysql_real_escape_string()" or "addslashes()" PHP functions to ensure that SQL statements cannot be injected through the "GET" variables. It is further recommended to turn off the "register_globals" option in the "php.ini" of your web server.

Example:

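The following is an added illustration, not code from ConPresso or from the original advisory: the unsafe handling of an "nr" parameter as described above, next to a hardened version that validates the value, encodes it with htmlspecialchars() before output, and binds it in a prepared statement (a stronger form of the escaping the advisory recommends). The table and column names and the database credentials are placeholders.

```php
<?php
// Added example (not ConPresso code). Assumes a hypothetical table
// "articles" with an integer column "nr"; credentials are placeholders.

// --- Vulnerable pattern, as the advisory describes it (kept for contrast) ---
// $nr  = $_GET['nr'];
// $res = mysql_query("SELECT title FROM articles WHERE nr = $nr"); // SQL injection
// echo "Article " . $nr;                                           // reflected XSS

// --- Hardened version ---
function readArticleNr(array $query): ?int
{
    // Allow-list: "nr" must be a positive integer; anything else is rejected.
    $nr = filter_var($query['nr'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $nr === false ? null : $nr;
}

function htmlSafe(string $s): string
{
    // Encode <, >, &, " and ' so user-controlled text cannot break out of the markup.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function fetchTitle(mysqli $db, int $nr): ?string
{
    // Prepared statement: the value is sent separately from the SQL text,
    // so it can never change the structure of the query.
    $stmt = $db->prepare('SELECT title FROM articles WHERE nr = ?');
    $stmt->bind_param('i', $nr);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row['title'] ?? null;
}

$nr = readArticleNr($_GET);
if ($nr === null) {
    http_response_code(400);
    exit('Invalid article number.');
}

$db    = new mysqli('localhost', 'db_user', 'db_password', 'cms_db'); // placeholders
$title = fetchTitle($db, $nr);

// Every user-influenced value is encoded at the point of output.
echo 'Article ' . htmlSafe((string) $nr) . ': ' . htmlSafe($title ?? 'not found');
```

With register_globals off, $nr can only come from the explicit $_GET lookup above, which is the setting the advisory recommends.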
History/Timeline
================
30.07.2006  discovery of the vulnerability
02.08.2006  additional tests with other versions
03.08.2006  contacted the vendor
04.08.2006  the vendor contacted me (response)
05.08.2006  vendor confirmed the bugs
19.09.2006  new (fixed) version 4.0.5a is available
26.09.2006  advisory is written
29.09.2006  advisory released

MajorSecurity
=============
MajorSecurity is a German penetration testing and hacking security project
which consists of only one person at the present time.
I am looking for a partnership.
You can find more information on the MajorSecurity Project at
http://www.majorsecurity.de/

