====================================================================== 

                     Secunia Research 29/12/2009

              - AproxEngine Multiple Vulnerabilities -

====================================================================== 
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

====================================================================== 
1) Affected Software 

* AproxEngine 5.3.04
* AproxEngine 6.0

NOTE: Other versions may also be affected.

====================================================================== 
2) Severity 

Rating: Moderately critical
Impact: SQL Injection
        Cross-Site Scripting
        Manipulation of Data
        Spoofing
Where:  Remote

====================================================================== 
3) Vendor's Description of Software 

"Die APROXEngine ist ein von uns entwickeltes Content-Management-
System(CMS). Einfach gesagt, ist ein CMS ein Baukastensystem zur 
Erstellung, Wartung, Verwaltung von Internetseiten."

Product Link:
http://www.aprox.de/

====================================================================== 
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in AproxEngine, 
which can be exploited by malicious users to manipulate certain data, 
conduct spoofing, SQL injection, and script insertion attacks and by 
malicious people to conduct SQL injection and script insertion 
attacks.

1) Input passed via the "login" parameter to index.php is not properly
sanitised before being used in an SQL query. This can be exploited to 
manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed via the "login" and "password" parameters to index.php
is not properly sanitised before being displayed to the user. This can
be exploited to insert arbitrary HTML and script code, which will be 
executed in a user's browser session in context of an affected site 
when the malicious data is being viewed.

3) Input passed via the "art" parameter to index.php is not properly 
sanitised before being used in an SQL query. This can be exploited to 
manipulate SQL queries by injecting arbitrary SQL code.

4) Input passed via the "Referer" HTTP header to index.php is not 
properly sanitised before being used in an SQL query. This can be 
exploited to manipulate SQL queries by injecting arbitrary SQL code.

5) Input passed to the "datei" parameter in /engine/inc/
galerie_unlink.php is not properly verified before being used to 
delete image files. This can be exploited to delete arbitrary files 
via directory traversal attacks.

Successful exploitation of this vulnerability requires administrative 
privileges.

6) Input passed to the "del_verz" parameter in /engine/inc/
galerie_del_verz.php is not properly verified before being used to 
delete galleries. This can be exploited to delete arbitrary 
directories via directory traversal attacks.

Successful exploitation of this vulnerability requires administrative 
privileges.

7) Input passed via the "from" parameter to index.php (when "page" is 
set to "sql_postfach" and "action" is set to "new") is not properly 
verified before being used to send mails to users. This can be 
exploited to e.g. spoof mails from the administrator.

8) Input passed via the "to", "betreff", and "elm1" parameters to 
index.php (when "page" is set to "sql_postfach" and "action" is set to 
"new") is not properly sanitised before being used in an SQL query. 
This can be exploited to manipulate SQL queries by injecting arbitrary 
SQL code.

9) Input passed via various parameters to index.php (when "page" is 
set to "sql_profil" and "action" is set to "list") is not properly 
sanitised before being used in an SQL query. This can be exploited to 
manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability on version 6.0 requires 
administrative privileges.

10) Input passed via the "generator", "author", "description", and 
"keywords" parameters to index.php (when "page" is set to 
"user_html_ed" and "action" is set to "open") is not properly 
sanitised before being used in an SQL query. This can be exploited to 
manipulate SQL queries by injecting arbitrary SQL code.

11) Input passed via the "generator", "author", "description", and 
"keywords" parameters to index.php (when "page" is set to 
"user_html_ed" and "action" is set to "open") is not properly 
sanitised before being displayed to the user. This can be exploited 
to insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the 
malicious data is being viewed.

12) Input passed via the "mail" parameter to index.php (when "page" is 
set to "sql_profil" and "action" is set to "list") is not properly 
sanitised before being displayed to the user. This can be exploited to 
insert arbitrary HTML and script code, which will be executed in a 
user's browser session in context of an affected site when the 
malicious data is being viewed.

Successful exploitation of this vulnerability on version 6.0 requires 
administrative privileges.

13) Input passed via the "betreff" parameter to index.php (when "page" 
is set to "sql_postfach" and "action" is set to "new") is not properly 
sanitised before being displayed to the user. This can be exploited to 
insert arbitrary HTML and script code, which will be executed in a 
user's browser session in context of an affected site when the 
malicious data is being viewed.

The vulnerabilities are confirmed in versions 5.3.04 and 6.0. Other
versions may also be affected.

NOTE: Successful exploitation of all vulnerabilities except #5 and #6 
requires that "magic_quotes_gpc" is disabled.

====================================================================== 
5) Solution 

Ensure that "magic_quotes_gpc" is enabled and grant only trusted users
administrative access to the application.

====================================================================== 
6) Time Table 

04/12/2009 - Vendor notified.
23/12/2009 - Vendor notified again (2nd attempt).
29/12/2009 - Public disclosure.

====================================================================== 
7) Credits 

Discovered by Chaitanya Sharma, Secunia.

====================================================================== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has not 
currently assigned any CVE identifiers for these vulnerabilities.

====================================================================== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

====================================================================== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-2/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================