MAXDEV CMS Multiple vulnerabilities

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: MAXDEV CMS Multiple vulnerabilities
From: king_purba@xxxxxxxxxxx
Date: 6 Apr 2006 18:02:46 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Full Path disclosure
---------------------
This hole is caused by direct access to file includes/legacy.php not protected

PoC :
http://site.co.id/maxdev/includes/legacy.php

Fix :
Turn off display error in php.ini can fix this security issue

Blind sql inject
-----------------
This hole is caused by filtered script not implemented to $topicid variable in 
file modules/Topics/pnuserapi.php

PoC :
http://site.co.id/maxdev/index.php?module=Topics&func=display&topicid=0 AND 1=0
http://site.co.id/maxdev/index.php?module=Topics&func=display&topicid=0 AND 1=1

Fix :
Maxdev cms have a filtered script to protect all request but i'm so lazy to 
analyze the code, then i just add this code 
in modules/Topics/pnuserapi.php

if(isset($_GET['topicid']))
{
        $topicid=$_GET['topicid'];
        validate($topicid);
}
function validate($char)
{
        if(!is_numeric($char))
        {
                die("i have received an error request");
        }
}

Prev by Date: [ GLSA 200604-05 ] Doomsday: Format string vulnerability
Next by Date: [SECURITY] [DSA 1018-2] New Linux kernel 2.4.27 packages fix several vulnerabilities
Previous by thread: [ GLSA 200604-05 ] Doomsday: Format string vulnerability
Next by thread: Re: MAXDEV CMS Multiple vulnerabilities
Index(es):
- Date
- Thread