Elite Graphix ElitCMS 1.01 & PRO - Multiple Web Vulnerabilities

EDB-ID: 29034	CVE: N/A	OSVDB-ID: N/A
Author: Vulnerability-Lab	Published: 2013-10-18	Verified:
Exploit Code:	Vulnerable App:   N/A

Document Title:

===============

Elite Graphix ElitCMS 1.01 & PRO - Multiple Web Vulnerabilities

 

 

References (Source):

====================

http://www.vulnerability-lab.com/get_content.php?id=1117

 

 

Release Date:

=============

2013-10-18

 

 

Vulnerability Laboratory ID (VL-ID):

====================================

1117

 

 

Common Vulnerability Scoring System:

====================================

8.3

 

 

Product & Service Introduction:

===============================

Elite CMS is a web content management system made for the peoples who don`t have much technical knowledge of HTML or

PHP but know how to use a simple notepad with computer keyboard. Elite CMS Pro is a successor of the eliteCMS .

 

Elite CMS was made available free to public last year i.e. 2008. Since then i have received hundreds of appreciation

email from the users of eliteCMS world wide. Some user of my eliteCMS want some more robust and powerful features.

Due to the huge response from the users i have decided to write pro edition of eliteCMS.

 

All new features in pro edition of the eliteCMS is based on the feedbacks and suggestions made by users of eliteCMS

- The Lightweight CMS. Some users suggested that eliteCMS should have multilevel menu navigation with sub pages support,

some suggested multiple web forms support for cms pages, some want more flexible and easy to understand template system.

 

(Copy of the Homepage: http://elitecms.net/elitecmspro.php )

 

 

Abstract Advisory Information:

==============================

The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the Elite-Graphix `ElitCMS` v1.01 web-application.

 

 

Vulnerability Disclosure Timeline:

==================================

2013-10-18:    Public Disclosure (Vulnerability Laboratory)

 

 

Discovery Status:

=================

Published

 

 

Affected Product(s):

====================

Elite Graphix

Product: ElitCMS - Web Application 1.01

 

 

Exploitation Technique:

=======================

Remote

 

 

Severity Level:

===============

Critical

 

 

Technical Details & Description:

================================

1.1

A remote sql injection web vulnerability is detected in the official Elite-Graphix `ElitCMS` v1.01 web-application.

The vulnerability allows remote attackers to unauthorized inject own sql commands to compromise the application dbms.

 

The vulnerability is located in the `page` value of the index.php file. Remote attackers are able to inject own sql

commands in the page parameter GET method request to compromise the database management system or web-application.

The issue is a classic order by sql injection vulnerability. 

 

Exploitation of the sql injection web vulnerability requires no user interaction or privileged application user account.

Successful exploitation of the sql injection bug results in database management system and web-application compromise.

 

 

Vulnerable Module(s):

                [+] Index

 

Vulnerable File(s):

                [+] index.php

 

Vulnerable Parameter(s):

                [+] page

 

 

 

1.2

A client-side post inject web vulnerability is detected in the official Elite Graphix ElitCMS v1.01 web-application.

The vulnerability allows remote attackers to manipulate via POST method web-application to browser requests (client-side).

 

The vulnerability is located in the contact form module of the application in the name value parameter. Remote attackers

can inject own malicious persistent script codes as name value in the contact form when processing to send via POST method.

The script code execute occurs in the thanks page in the context of the echo name value.

 

Successful exploitation of the client-side POST inject web vulnerability results in session hijacking, client-side phishing,

client-side unauthorized external redirects and client-side manipulation of the contact formular module context.

 

 

Vulnerable Module(s):

                [+] Contact Formular

 

Vulnerable File(s):

                [+] page

 

Vulnerable Parameter(s):

                [+] name

 

 

Proof of Concept (PoC):

=======================

1.1

The sql injection web vulnerability can be exploited by remote attackers without privileged application user account

and also without user interaction. For demonstration or to reproduce ...

 

PoC: #1 - Standard Edition

http://elit.localhost:8080/elitecms/index.php?page=-1%27[ORDER BY SQL INJECTION VULNERABILITY!]--

 

Solution - Fix & Patch:

=======================

1.1

The sql injection web vulnerability can be patched by the implement of a secure statement to the page value and index.php file.

Also restrict the page value request and ensure the output is secure encoded.

Disallow the display of sql debug/errors logs in the cms main context. Setup a own module to log sql errors in the acp.

 

1.2

The client-side post inject web vulnerability can be patched by a secure parse and encode of the name value in the post method request

and the thanks page echo message.

 

 

Security Risk:

==============

1.1

The security risk of the sql injection web vulnerability is estimated as critical.

 

1.2

The security risk of the client-side post inject web vulnerability is estimated as low(+)|(-)medium.

 

 

Credits & Authors:

==================

Vulnerability Laboratory [Research Team] - Katharin S. L. (CH)

 

 

Disclaimer & Information:

=========================

The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties,

either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-

Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business

profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some

states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation

may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases

or trade with fraud/stolen material.

 

Domains:    www.vulnerability-lab.com       - www.vuln-lab.com                 - www.evolution-sec.com

Contact:    admin@vulnerability-lab.com     - research@vulnerability-lab.com           - admin@evolution-sec.com

Section:    www.vulnerability-lab.com/dev   - forum.vulnerability-db.com               - magazine.vulnerability-db.com

Social:     twitter.com/#!/vuln_lab         - facebook.com/VulnerabilityLab            - youtube.com/user/vulnerability0lab

Feeds:      vulnerability-lab.com/rss/rss.php   - vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

 

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory.

Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other

media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and

other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed),

modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

 

                Copyright � 2013 | Vulnerability Laboratory 

[Evolution Security]

 

Full Article Please refer Original source

 http://www.exploit-db.com/exploits/29034/

 

--

VULNERABILITY LABORATORY RESEARCH TEAM

DOMAIN: www.vulnerability-lab.com

CONTACT: research@vulnerability-lab.com







Source: http://www.exploit-db.com/exploits/29034/