
Blue Moon Security Advisory 2009-03

Posted Feb 25, 2009
Authored by Nam Nguyen | Site bluemoon.com.vn

OpenSite CMS version 2.1 suffers from multiple remote SQL injection vulnerabilities.

tags | advisory, remote, vulnerability, sql injection
SHA-256 | c722fda3e8d9046bc13f4a29deb7de00b07b0eb7f9f064bf5b3d32603fe3a893

BLUE MOON SECURITY ADVISORY 2009-03
===================================


:Title: Multiple vulnerabilities in OpenSite v2.1
:Severity: Critical
:Reporter: Blue Moon Consulting
:Products: OpenSite v2.1
:Fixed in: to be fixed in 3.0


Description
-----------

OpenSite is an Open Source Content Management System powered by PHP5 and MySQL 4 and is extremely simple and lightweight.

We have discovered six vulnerabilities in OpenSite, ranging from authentication bruteforce to SQL injection. Except for the first vulnerability, which is rated at critical severity, the rest are of low severity.

1. Weakened authentication.

The function ``init`` in ``origin/libs/user.php`` checks for a matching ``origin_hash`` cookie. However, this cookie can be bruteforced in at most 2^32 tries for a known username. In reality, the number of attempts could be greatly reduced, because times in the future and in the distant past do not have to be checked.

2. Special characters such as quotes, double quotes, and backslashes in a password prevent users from logging in.

In ``modules/userregister/index.php``, the argument passed to ``$user->register`` contains an escaped ``$_POST['password']``. In ``origin/libs/user.php``, this password is hashed with ``sha1``. However, the function ``login`` does not escape the POST data before hashing it, causing inconsistency.

3. Double escapes in user registration.

In ``origin/libs/user.php``, the register function escapes all key=>value pairs before inserting them into the database. However, ``username``, ``password``, and ``email`` have been escaped before being passed to this function. Therefore they are escaped twice.
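The mismatch described in items 2 and 3, as an added example that is not OpenSite's code: ``addslashes`` is an assumed stand-in for the escaping OpenSite applies, the function names and sample passwords are hypothetical, and the consistent form swaps in PHP's ``password_hash``/``password_verify`` in place of the ``sha1`` the advisory mentions.

```php
<?php
// Added illustration, not OpenSite code. addslashes() is an assumed stand-in
// for OpenSite's escaping routine; all function names are hypothetical.

// Item 2, registration path: the password is escaped and then hashed.
function register_digest_flawed(string $postPassword): string {
    return sha1(addslashes($postPassword));
}

// Item 2, login path: the raw POST value is hashed, so the digests differ
// whenever escaping alters the string (quotes, double quotes, backslashes).
function login_digest_flawed(string $postPassword): string {
    return sha1($postPassword);
}

// Item 3: the caller escapes, then register() escapes every value again.
// The database undoes only one level, so stray backslashes get stored.
function query_value_double_escaped(string $postValue): string {
    return addslashes(addslashes($postValue));
}

// Consistent form: both paths work on the raw bytes, and SQL quoting is left
// to a bound parameter at the query boundary (not shown), applied once.
function register_fixed(string $postPassword): string {
    return password_hash($postPassword, PASSWORD_DEFAULT);
}
function login_fixed(string $postPassword, string $storedHash): bool {
    return password_verify($postPassword, $storedHash);
}

$samples = ['plainpassword', "it's\"me\\"]; // constructed sample passwords
foreach ($samples as $pw) {
    $flawedOk = hash_equals(register_digest_flawed($pw), login_digest_flawed($pw));
    $fixedOk  = login_fixed($pw, register_fixed($pw));
    printf("%-14s flawed login: %-4s fixed login: %-4s sent to query: %s\n",
        $pw, $flawedOk ? 'ok' : 'FAIL', $fixedOk ? 'ok' : 'FAIL',
        query_value_double_escaped($pw));
}
```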

4. SQL injection in admincp/includes/functions.php.

SQL injection in function ``haspermission``. The parameters ``$module`` and ``$section`` are not escaped. This function is called in ``admincp/usergroups.php``.

5. SQL injection in ``admincp/settings.php``.

SQL injection in processing ``$_POST['do'] == "save"``. The POST data ``settings`` are not properly escaped before saving.

6. SQL injection in ``admincp/usergroups.php``.

SQL injection in all permissions select command ``SELECT id,module,section,groups FROM permissions WHERE module='".$module."' AND section='".$section."' LIMIT 1"``. The POST data ``permissions`` are not properly escaped before use.
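The concatenated statement quoted in item 6 next to a parameterized version, as an added example that is not OpenSite's code: an in-memory SQLite database through PDO stands in for MySQL, and the table rows, function names and inputs are constructed.

```php
<?php
// Added illustration, not OpenSite code. SQLite via PDO stands in for MySQL;
// the rows, function names and inputs below are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE permissions
           (id INTEGER PRIMARY KEY, module TEXT, section TEXT, groups TEXT)");
$db->exec("INSERT INTO permissions (module, section, groups)
           VALUES ('news', 'edit', '1'), ('users', 'delete', '1')");

// Pattern from the advisory: values are concatenated into the statement,
// so a quote inside a value ends the string literal and alters the WHERE clause.
function permission_row_concat(PDO $db, string $module, string $section) {
    $sql = "SELECT id,module,section,groups FROM permissions WHERE module='"
         . $module . "' AND section='" . $section . "' LIMIT 1";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened form: the same statement with the values sent as bound parameters,
// so they are always treated as data and never parsed as SQL.
function permission_row_bound(PDO $db, string $module, string $section) {
    $stmt = $db->prepare(
        "SELECT id,module,section,groups FROM permissions
         WHERE module = ? AND section = ? LIMIT 1");
    $stmt->execute([$module, $section]);
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed inputs: an ordinary lookup, then a section value with quotes
// that matches no stored section.
$cases = [['news', 'edit'], ['news', "none' OR '1'='1"]];
foreach ($cases as [$module, $section]) {
    $concat = permission_row_concat($db, $module, $section);
    $bound  = permission_row_bound($db, $module, $section);
    printf("section=%-18s concat: %-9s bound: %s\n", $section,
        $concat ? 'row found' : 'no row', $bound ? 'row found' : 'no row');
}
```

The two functions agree on the ordinary lookup and disagree on the second input, which is the signal to look for when reviewing the other call sites named in items 4 and 5.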

Workaround
----------

There is no workaround.

Fix
---

These bugs are planned to be fixed in OpenSite v3.0.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

February 24, 2009: Initial contact sent to Jack Polgar.

:Vendor response:

February 24, 2009: Jack replied asking for technical details.

:Further communication:

February 24, 2009: Technical details were sent to Jack, and confirmation was requested.

February 24, 2009: Jack confirmed all problems and stated "most or all of them will be fixed in the next release".

February 24, 2009: Prepared advisory was sent to Jack to co-ordinate the public release.

:Public disclosure: February 25, 2009

:Exploit code: No exploit code is provided.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.

Cheers
--
Nam Nguyen
Blue Moon Consulting Co., Ltd
http://www.bluemoon.com.vn