PacerCMS Multiple Vulnerabilities (XSS/SQL). -------------------------------------------------------- Product: PacerCMS Version: 0.6 Vendor: http://pacercms.sourceforge.net/ Date: 01/22/08 - Introduction PacerCMS is a content management solution for student and non-daily community newspapers. - Details PacerCMS is susceptible to both persistent cross-site scripting and SQL injection attacks. An attacker could use the public 'Write a Letter'(submit.php) form to send a message to the System Administrator or staff member containing Javascript. The name, headline, or text POST variables are not sufficiently sanitized. The system administrator of the CMS sees a list of submitted messages on siteadmin/index.php right after logging in. If an attacker sends a message containing Javascript in the name or headline then the code will be run as soon as the admin logs in. This could lead to a staff member's session being hijacked. Multiple siteadmin pages are vulnerable to SQL injection. Access to these pages are restricted to staff members. - siteadmin/article-edit.php - siteadmin/submitted-edit.php - siteadmin/page-edit.php - siteadmin/section-edit.php - siteadmin/staff-edit.php - siteadmin/staff-access.php Example vulnerable code (article-edit.php) $id = $_GET["id"]; ... $query = "SELECT * FROM cm_articles "; $query .= " WHERE id = $id"; - Proof of Concept http://[site]/pacercms/siteadmin/article-edit.php?id=[SQL] - Solution Authors were notified of security issues and responded quickly. Upgrade to the latest build (0.6.1). Author: dB Email: dB [at] rawsecurity ! org