Falt4 CMS Security Report/Advisory

To: <bugtraq@xxxxxxxxxxxxxxxxx>, <mesut@xxxxxxxxxx>
Subject: Falt4 CMS Security Report/Advisory
From: Mesut Timur <mesut@xxxxxxxxxx>
Date: Mon, 10 Dec 2007 15:40:43 +0000
Importance: Normal
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Sender: <mesut_timur@xxxxxxxxxxx>

                                                               H - Security Labs
                                        Falt4Extreme (RC4 10.9.2007) Security 
Report
                                                           ID : HSEC#20071012

General Information
--------------------------
Name                           : Falt4Extreme CMS (RC4 10.9.2007)
Vendor HomePage       :http://sourceforge.net/projects/falt4/
Platforms                     : PHP && MySQL
Vulnerability Type       : Input Validation Errors

Disclosure Timeline
-------------------------
04 December  2007  -- Vendor Contacted 
04 December  2007  -- Vendor Replied
05 December  2007  -- Fix Released 
10 December  2007  -- Pulic Disclosure

What is Falt4Extreme
------------------------
Falt4 CMS is a business approved Content Management System (CMS) under the 
LGPL. The CMS is feature-rich and has a clean administration area. The ultimate 
CMS with functions for the professional, usable by everyone.CMS modules are 
available.

Overview of Vulnerabilities
------------------------
The script is vulnerable to both of XSS and Blind SQL Injection attacks.

Details of Vulnerabilities
------------------------
1-Blind SQL Injection Vulnerability:
http://www.EXAMPLE.com/falt4/
index.php?handler=cat&nav_ID=1'%20and%20'1'='1
nav_ID parameter is not sanitized properly and can be used for Blind SQL 
Injection attacks.
2-Cross Site Scripting Vulnerabilities
i.http://www.EXAMPLE.com/falt4/
index.php?handler=>">&nav_ID=1
Input passed to the 'handler' parameter is not sanitized properly before using 
and can be used malicious people to perform XSS attacks.

ii .http://www.EXAMPLE.com/falt4/
modules/feed/feed.php?type=rss&lang=1&topic=>">
Input passed to the 'topic' parameter is not sanitized properly before using 
and can be used malicious people to perform XSS attacks.

Solution
-----------------------
Re-download falt4 from sourceforge:
http://downloads.sourceforge.net/falt4/falt4extreme.zip?use_mirror=osdn
Replace these files:
/yourfalt4/index.php
/yourfalt4/modules/feed.php
/yourfalt4/admin/index.php
-----------------------

The vulnerabilities found on 04 December 2007
by Mesut Timur 
H - Security Labs , http://www.h-labs.org
Gebze Institute of Technology, 
Department of Computer Engineering, http://www.gyte.edu.tr

References
-----------------------
Vendor Confirmation : http://sourceforge.net/forum/forum.php?forum_id=762931
Original Advisory : 
http://www.h-labs.org/blog/2007/12/05/falt4_cms_security_report_advisory.html
Project Site : http://sourceforge.net/projects/falt4/
Me : http://www.h-labs.org
_________________________________________________________________
Your smile counts. The more smiles you share, the more we donate.  Join in.
www.windowslive.com/smile?ocid=TXT_TAGLM_Wave2_oprsmilewlhmtagline

Prev by Date: SQL injection - GestDownV1.00Beta
Next by Date: [ GLSA 200712-08 ] AMD64 x86 emulation Qt library: Multiple vulnerabilities
Previous by thread: SQL injection - GestDownV1.00Beta
Next by thread: [ GLSA 200712-08 ] AMD64 x86 emulation Qt library: Multiple vulnerabilities
Index(es):
- Date
- Thread