what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

chillyCMS 1.1.3 SQL Injection / Cross Site Scripting

chillyCMS 1.1.3 SQL Injection / Cross Site Scripting
Posted Sep 6, 2010
Authored by AmnPardaz Security Research Team | Site bugreport.ir

chillyCMS version 1.1.3 suffers from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | 62c5eca9056d5594ea4c48543b57df55bb886ef623345260a6f6e211851ff6b8

chillyCMS 1.1.3 SQL Injection / Cross Site Scripting

Change Mirror Download
##########################www.BugReport.ir########################################
#
# AmnPardaz Security Research Team
#
# Title: chillyCMS Multiple Vulnerabilities
# Vendor: http://frozenpepper.de/
# Vulnerable Version: 1.1.3 (Latest version till now)
# Exploitation: Remote with browser
# Fix: N/A
###################################################################################

####################
- Description:
####################

chillyCMS is a Content Management System. Its main features are:
easily edit your content in a WYSIWYG editor,
manage your users in different groups with different rights, upload
single files or whole zip archives,
insert your pictures into the content by drag and drop, one click
backup with integrated installer,
extend your cms with various modules, see which articles are most
popular in the statistics.


####################
- Vulnerability:
####################

+--> SQL Injection
The username, in the login form, is one-parenthesis single-quoted
injectable. For details check
the PoC section.

+--> Reflective XSS
Whenever login failed, the username will be printed without
sanitizing on the main page. This could
be used for executing any JavaScript code.

####################
- Exploits/PoCs:
####################

+--> Exploiting The (MySQL) SQL Injection Vulnerability:
Simply go to the login page at
'victim.com/chillyCMS/core/show.site.php' and use
the following vector for injecting arbitrary queries:
') or $THE_QUERY or 1=('
For example you may use following vector for extracting the pw field
(for password) of the admin user
admin')and substr(pw,I,1)=('C
replacing the I with the index of char in a loop and C with different
characters of it. If the query result
was true, username will be accepted and wrong password error will be
shown. If the query result was false,
then username will be rejected and the wrong username error will be
shown. Allowing blind SQL injection
to be performed.

+--> Exploiting The Reflective XSS Vulnerability:
Use the following sample vector in the username field of the login
page (or any other valid JavaScript
code) => username: <script>alert('XSS')</script>

####################
- Solution:
####################

White-list the input parameters before using them in the SQL queries,
removing any ', \, ( characters
or more simply restrict the parameters' length to a small length.

####################
- Credit:
####################
AmnPardaz Security Research & Penetration Testing Group
Contact: admin[4t}bugreport{d0t]ir
www.BugReport.ir
www.AmnPardaz.com

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close