primitive CMS 1.0.9 - Multiple Vulnerabilities

EDB-ID: 15064 CVE: 2010-3482... OSVDB-ID: 68154...
Verified: Author: Stephan Sattler Published: 2010-09-20
Download Exploit: Source Raw Download Vulnerable App:
# Exploit Title: Primitive CMS 1.0.9 Multiple Vulnerabilities
# Date: 20.09.2010
# Author: Stephan Sattler //
# Software Website:
# Software Link:
# Version: 1.0.9

[Vulnerability 1]

# Unauthorized Access

Url: http://[site]/[cmspath]/cms_write.php

In cms_write.php is no check if the user has administration rights.
Because of that, there are 2 more vulnerabilities.

[Vulnerability 2]

# Html Injection

Url: http://[site]/[cmspath]/cms_write.php

Vulnerable Code (cms_write.php line 13-25): 

$sql="INSERT INTO `prim_page` ( `id` , `title` , `content`, `menutitle` ) VALUES ('', '$title', '$content', '$menutitle')";

The title, Menu-title  and Content a user can submit are inserted directly into
the database and inserted in the html-code on the page without
and sanitizing at all.

Example for the Title: </title><h1>Testtitle</h1>
Example for the Menu-Title: </a><h2>Menutitle</h2>

[Vulnerability 3]

# Blind SQL-Injection // PoC

Url: http://[site]/[cmspath]/cms_write.php

Vulnerable Code (cms_write.php line 13-16):

$sqlcheck="SELECT * FROM prim_page WHERE title='$title' or menutitle='$menutitle' ";

Postdata for Injection: title=&menutitle=home' AND (SELECT 1)='1&content=&submit=OK
One can inject via title or menutitle, both are vulnerable. On success, you'll see the message: "H selida yparxei"