Etomite CMS 0.6.1.2 Multiple Vulnerabilities

Severity : Medium risk
Vendor   : www.etomite.org
Author   : Alfredo Pesoli 'revenge'

[--------------------------------------------------]

[#] Description

Etomite is a PHP Content Management System; more information can be found at the vendor site.
Etomite is vulnerable to an SQL injection and a local file inclusion.

[--------------------------------------------------]

Vuln #1 : SQL Injection
Impact  : Admin credentials disclosure
Exploit : http://www.0xcafebabe.it/sploits/etm_0612_sqlinj.pl

The "id" parameter in "index.php" isn't properly sanitised before being used in an SQL query. This can be exploited to manipulate the existing SQL query by inserting arbitrary SQL code, which can disclose sensitive information such as admin credentials.

Successful exploitation requires magic_quotes_gpc = off.

The problem is due to:

[ /path_to_etomite/index.php ]

...
...
function getDocumentIdentifier($method) {
    // function to test the query and find the retrieval method
    switch($method) {
        case "alias" :
            return strip_tags($_REQUEST['q']);
            break;
        case "id" :
--->        return strip_tags($_REQUEST['id']);   <---
            break;
        ...
        ...
        ...
    }
}

strip_tags can't filter some kinds of characters: it is only meant to strip HTML/PHP tags, so it is better to use another function to filter user input.

[--------------------------------------------------]

Vuln #2 : Local File Inclusion / Remote Command Execution
Impact  : System Access, requires admin credentials
Exploit : http://www.0xcafababe.it/sploits/etm_0612_remote_com.pl

Input passed to the 'f' parameter in "/manager/index.php" isn't properly verified before being used to include files. This can be exploited to include local files on the target host or to execute commands; admin credentials are needed to exploit this vuln.

...
...
/********************************************************************/
/* frame management - show the requested frame                      */
/********************************************************************/
case "1" :
    // get the requested frame
    $frame=$_REQUEST['f'];
    if($frame>9) {
        $enable_debug=false; // this is to stop the debug thingy being attached to the framesets
    }
--> include_once "frames/".$frame.".php"; <--
    break;
...
...

[#] Workaround

Setting magic_quotes_gpc = on will fix the first vulnerability (SQL injection). For the second (local file inclusion), edit the source code to ensure that input is properly sanitised in "/manager/index.php".

[#] Disclosure timeline

2006/10/30 Bugs discovered
2006/10/31 Vendor contacted, no response
2006/11/15 Public Disclosure

Alfredo Pesoli 'revenge'
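As an added example (not Etomite's own code and not part of the original advisory), here are hardened PHP replacements for the two input-handling spots quoted above, one validating the "id"/"q" parameters as typed values instead of relying on strip_tags or magic_quotes_gpc, the other confining the "f" parameter to a real file inside frames/. The function names, the PDO handle and the table name are hypothetical; the request parameter names and the "frames/<n>.php" layout are taken from the advisory.

```php
<?php
// Added example, not Etomite's code: hardened versions of the two spots the
// advisory quotes. Assumes the same request parameters ('q', 'id', 'f') and
// the "frames/<n>.php" layout shown in the advisory.

// Vuln #1: strip_tags only removes HTML/PHP tags; quotes and SQL keywords
// pass straight through. A document id is numeric, so require exactly that
// and return a typed integer instead of relying on magic_quotes_gpc.
function getDocumentIdentifierSafe($method) {
    switch ($method) {
        case "alias":
            $alias = isset($_REQUEST['q']) ? (string)$_REQUEST['q'] : '';
            // aliases are slugs: whitelist the characters, cap the length
            if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $alias)) {
                return null;
            }
            return $alias;
        case "id":
            $id = isset($_REQUEST['id']) ? (string)$_REQUEST['id'] : '';
            if (!ctype_digit($id) || (int)$id < 1) {
                return null;   // anything but a positive integer is rejected
            }
            return (int)$id;
    }
    return null;
}
// Even a validated value should be bound, not concatenated
// (hypothetical PDO handle $db and table name):
//   $stmt = $db->prepare("SELECT id FROM site_content WHERE id = ?");
//   $stmt->execute(array($id));

// Vuln #2: the 'f' parameter is concatenated into include_once, so any path
// from the request reaches the filesystem. Accept only a small frame number
// and confirm the resolved file sits directly inside the frames directory.
function resolveFrameFile($frameParam, $framesDir) {
    $frameParam = (string)$frameParam;
    if (!ctype_digit($frameParam) || strlen($frameParam) > 2) {
        return null;
    }
    $real = realpath($framesDir . '/' . (int)$frameParam . '.php');
    $base = realpath($framesDir);
    if ($real === false || $base === false || dirname($real) !== $base) {
        return null;   // missing file, or it resolved somewhere else
    }
    return $real;
}
// Usage in manager/index.php (replacing the quoted include_once):
//   $file = resolveFrameFile(isset($_REQUEST['f']) ? $_REQUEST['f'] : '', dirname(__FILE__) . '/frames');
//   if ($file === null) { die('invalid frame'); }
//   include_once $file;
```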