ADVISORY INFORMATION

  • Product: Aoop CMS
  • Vendor URL: https://www.annonyme.de
  • CWE: Cross-site Scripting [CWE-79], SQL-Injection [CWE-89]
  • Date found: 2012-04-07
  • Date published: 2012-08-24
  • CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) (highest)
  • CVE: -

CREDITS

The vulnerabilities were discovered and researched by Julien Ahrens from Inshell Security.

VERSIONS AFFECTED

Aoop CMS v0.3.6, older versions may be affected too.

INTRODUCTION

N/A

VULNERABILITY DETAILS

Aoop CMS v0.3.6 is affected by multiple SQL-Injection and Cross-Site Scripting vulnerabilities.

SQL-Injection Vulnerabilities

Pre-Auth:

/index.php?print=download&page=Photos&sub=loadAndShowPhoto&picId=[SQLi]

Post-Auth:

/index.php?page=users&sub=readMessage&msgId=[SQLi]
/index.php?page=users&sub=newMessage&messageId=[SQLi]
/index.php?page=users&sub=deleteMessage&messageId=[SQLi]
/index.php?page=EProjects&sub=editRFC&rfcId=[SQLi]&projectId=18

Due to improper input validation of these GET parameters, an attacker could inject arbitrary SQL statements, without authentication for the pre-auth endpoint and with a valid user account for the post-auth endpoints. Successful exploitation of these vulnerabilities could result in a complete database / web-application compromise or data theft.
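The following is an added example (not code from Aoop CMS or from the advisory author) showing the fix a maintainer would apply to a handler like the picId one above: validate the parameter as an integer, then pass it to the database as a bound parameter rather than concatenating it into the query text. The table and column names, the function names and the in-memory SQLite demo data are all assumptions.

```php
<?php
// Added example: vulnerable vs. hardened handling of an integer id parameter
// such as picId. Not Aoop CMS code; the photos table and its columns are assumed.

function loadPhotoVulnerable(PDO $db, array $get): ?array
{
    // Vulnerable pattern: the raw GET value becomes part of the SQL text,
    // so anything that is not a bare integer changes the query itself.
    $sql = "SELECT id, title, path FROM photos WHERE id = " . $get['picId'];
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

function loadPhotoHardened(PDO $db, array $get): ?array
{
    // 1. Validate: only a positive integer is accepted; anything else is rejected
    //    before any SQL is built, so the caller can answer 400/404.
    $picId = filter_var(
        $get['picId'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($picId === false) {
        return null;
    }

    // 2. Parameterize: the value is bound separately from the SQL text and can
    //    never be interpreted as part of the statement.
    $stmt = $db->prepare('SELECT id, title, path FROM photos WHERE id = :id');
    $stmt->bindValue(':id', $picId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// Demo on an in-memory SQLite database with constructed sample rows.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE photos (id INTEGER PRIMARY KEY, title TEXT, path TEXT)');
$db->exec("INSERT INTO photos VALUES (1, 'Sunset', 'uploads/1.jpg'), (2, 'Private', 'uploads/2.jpg')");

var_dump(loadPhotoHardened($db, ['picId' => '1']));    // the expected row
var_dump(loadPhotoHardened($db, ['picId' => '1 x']));  // NULL: not a bare integer, rejected
var_dump(loadPhotoHardened($db, []));                  // NULL: parameter missing
```

When the backend is MySQL rather than SQLite, set `PDO::ATTR_EMULATE_PREPARES` to `false` so that parameter binding is performed by the database server instead of by the PHP driver; the validation step stays the same either way, and the same two steps apply to msgId, messageId and rfcId.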

Cross-Site Scripting Vulnerabilities

Non-Persistent (GET):

/index.php?page=Photos&sub=search&pattern="><script>alert(String.fromCharCode(88,83,83))</script>

Non-Persistent (POST):

/index.php?page=Photos&sub=search (Field: "Pattern", payload: "><script>alert(1)</script>)

Due to improper input validation of these GET/POST parameters, an attacker could temporarily inject arbitrary script code into the context of the website / current browser session; exploitation requires user interaction (the victim has to open a crafted link or submit the crafted form). Successful exploitation of these vulnerabilities allows for example session hijacking or client-side context manipulation.

Persistent:

/index.php?page=users&sub=extendUserProfile (Field: "profileItemName", "profileItemValue")
/index.php?page=EProjects&sub=viewProject&projectId=18 (Field: "name", "official_link")
/index.php?page=Photos&sub=uploadPic (Field: "Title")

Due to improper input validation of these input fields, an attacker with a registered user account could permanently inject arbitrary script code into the context of the website. Successful exploitation of these vulnerabilities allows for example session hijacking or server-side context manipulation.
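As an added example (not Aoop CMS code and not part of the advisory), the following shows the output-side fix for both the reflected case (the search "Pattern" field) and the stored cases listed above (profile items, project name and official_link, photo title): every value is HTML-encoded for the context it is written into, and the link field is additionally restricted to http(s) URLs so it cannot carry a script scheme into an href. The helper names and the small HTML fragments are assumptions; the inputs at the bottom are constructed test values.

```php
<?php
// Added example: context-aware output encoding for the fields the advisory
// lists as reflected and persistent XSS sinks. Not Aoop CMS code; the
// template fragments and function names are assumptions.

function h(string $s): string
{
    // Encode for HTML text content and double-quoted attribute values.
    // ENT_QUOTES also encodes single quotes; ENT_SUBSTITUTE avoids an empty
    // result on invalid UTF-8 instead of silently dropping the whole string.
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function safeHref(string $url): string
{
    // Encoding alone does not make a URL safe inside href: a non-http scheme
    // would still be followed. Only absolute http(s) URLs are accepted; every
    // other value is replaced by a harmless "#".
    $parts = parse_url($url);
    if ($parts === false
        || !isset($parts['scheme'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return '#';
    }
    return h($url);
}

// Reflected sink: the search form echoes the submitted pattern back.
// The vulnerable version would be: '<input name="pattern" value="' . $pattern . '">'
function renderSearchForm(string $pattern): string
{
    return '<input name="pattern" value="' . h($pattern) . '">';
}

// Stored sinks: profile items, project name/link and photo title are read
// back from the database later, so encoding must happen at render time.
function renderProfileItem(string $name, string $value): string
{
    return '<dt>' . h($name) . '</dt><dd>' . h($value) . '</dd>';
}

function renderProjectLink(string $name, string $officialLink): string
{
    return '<a href="' . safeHref($officialLink) . '">' . h($name) . '</a>';
}

function renderPhotoTitle(string $title): string
{
    return '<h2>' . h($title) . '</h2>';
}

// Constructed inputs: the advisory's own search payload and a few stored values.
echo renderSearchForm('"><script>alert(1)</script>'), "\n";      // quotes and brackets are encoded
echo renderProfileItem('nick', '<i>bob</i>'), "\n";             // tags rendered as text
echo renderProjectLink('Aoop', 'javascript:void(0)'), "\n";     // href becomes "#"
echo renderProjectLink('Aoop', 'https://www.annonyme.de'), "\n"; // accepted http(s) link
echo renderPhotoTitle('Summer "2012"'), "\n";
```

Encoding at output time is what makes the persistent cases safe regardless of how the value got into the database; input validation (length limits, an allow-list for profileItemName) is a useful second layer but is not a substitute for it, because the same stored value may later be rendered in a different context.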

PROOF OF CONCEPT

SOLUTION

Update to v0.4 RC3

REPORT TIMELINE

  • 2012-04-07: Initial notification sent to vendor
  • 2012-04-08: Vendor Response / Feedback
  • 2012-07-29: Vendor releases v0.4 RC3 which fixes the vulnerabilities
  • 2012-08-24: Coordinated public release of advisory

REFERENCES

None