ConPresso-4.0.4a.txt

Posted Oct 4, 2006
Authored by David Vieira-Kurz | Site majorsecurity.de

ConPresso CMS versions 4.0.4a and prior suffer from multiple cross site scripting and SQL injection flaws.

tags | advisory, xss, sql injection
SHA-256 | c41d3db8636e9f32928cd4ab0d505bdb2230d139acb0a530b82ed3b855c026b1

[MajorSecurity Advisory #28] ConPresso CMS - Multiple XSS and SQL Injection Issues

Details
=======
Product: ConPresso CMS
Affected Version: <=4.0.4a
Immune Version: 4.0.5a
Security-Risk: moderate
Remote-Exploit: yes
Vendor-URL: http://www.conpresso.com/
Vendor-Status: informed
Advisory-Status: published

Credits
============
Discovered by: David Vieira-Kurz
http://www.majorsecurity.de

Original Advisory:
============
http://www.majorsecurity.de/index_2.php?major_rls=major_rls28

Introduction
============
ConPresso CMS is a well known content management system.

More Details
============
XSS:
Input passed directly to the "nr" parameter in "detail.php", the "msg" parameter in "db_mysql.inc.php" and the "pos" parameter in "index.php" is not properly sanitised before being returned to the user.
This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

SQL injection:
Input passed directly to the "nr" parameter in "index.php" is not properly sanitised before being used in a SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Fix
===
Upgrade to the newest version (4.0.5a).

Solution
=============
Edit the source code to ensure that input is properly sanitised.
Use the PHP functions "htmlspecialchars()" or "htmlentities()" so that HTML tags contained in user input
are not interpreted by the browser. Also use the "mysql_real_escape_string()" or "addslashes()" PHP function so that SQL statements
cannot be delivered through the "GET" variables. It is further recommended to turn off the "register_globals" option in the
"php.ini" of your web server.

Example:
<?php
// HTML-encode values before they are echoed back into a page
$pass = htmlentities($_POST['pass']);
$test = htmlspecialchars($_GET['test']);
// cast numeric identifiers to an integer before using them in a query
$id = intval($_POST['id']);
?>
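The following is an added example, not code from the advisory or from ConPresso, that puts the sanitisation steps of the Solution section beside the pattern they replace for the "nr" and "pos" parameters of index.php and the "msg" parameter of db_mysql.inc.php. The table and column names (articles, nr, title) and the function names are assumptions; only the parameter names come from the advisory. Where the advisory suggests mysql_real_escape_string() or addslashes(), this example uses intval() (as in the advisory's own snippet) together with a mysqli prepared statement, the modern equivalent.

```php
<?php
// Added example (not ConPresso code). Vulnerable pattern as the advisory
// describes it: request input flows straight into a query and into the page.
function render_unsafe(mysqli $db, array $get): string {
    // "nr" unsanitised inside SQL -> SQL injection (table/column names assumed)
    $sql = "SELECT title FROM articles WHERE nr = " . $get['nr'];
    $row = $db->query($sql)->fetch_assoc();
    // "pos" echoed back unencoded -> reflected XSS
    return "<h1>" . $row['title'] . "</h1><p>Position: " . $get['pos'] . "</p>";
}

// Hardened version following the advisory's Solution section.
function render_safe(mysqli $db, array $get): string {
    // 1. With register_globals off, variables only exist when read explicitly;
    //    fall back to a safe default when a key is absent.
    $nr  = intval($get['nr'] ?? 0);   // integer cast: no SQL metacharacters survive
    $pos = $get['pos'] ?? '';
    // 2. Bind the integer as a parameter instead of string-building the query
    //    (prepared statement used here in place of mysql_real_escape_string()).
    $stmt = $db->prepare("SELECT title FROM articles WHERE nr = ?");
    $stmt->bind_param("i", $nr);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc() ?: ['title' => ''];
    // 3. HTML-encode every value before it reaches the browser; ENT_QUOTES
    //    also covers attribute contexts, which the bare default does not.
    $title  = htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8');
    $posOut = htmlspecialchars($pos, ENT_QUOTES, 'UTF-8');
    return "<h1>$title</h1><p>Position: $posOut</p>";
}

// Same treatment for the "msg" parameter that db_mysql.inc.php reflects:
// encode the message before output instead of echoing it verbatim.
function show_db_error(string $msg): string {
    return '<p class="error">' . htmlspecialchars($msg, ENT_QUOTES, 'UTF-8') . '</p>';
}
```

Note that intval() and the integer bind type only fit parameters that are meant to be numeric, such as "nr"; free-text parameters still need a bound string parameter plus output encoding.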

History/Timeline
================
30.07.2006 discovery of the vulnerability
02.08.2006 additional tests with other versions
03.08.2006 contacted the vendor
04.08.2006 the vendor contacted me (response)
05.08.2006 vendor confirmed the bugs
19.09.2006 new (fixed) version 4.0.5a is available
26.09.2006 advisory is written
29.09.2006 advisory released

MajorSecurity
=======
MajorSecurity is a German penetration testing and hacking security project
which consists of only one person at the present time.
I am looking for a partnership.
You can find more information on the MajorSecurity Project at
http://www.majorsecurity.de/