======================================================================

                    Secunia Research 29/12/2009

             - AproxEngine Multiple Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* AproxEngine 5.3.04
* AproxEngine 6.0

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Moderately critical
Impact: SQL Injection
        Cross-Site Scripting
        Manipulation of Data
        Spoofing
Where:  Remote

======================================================================
3) Vendor's Description of Software

"The APROXEngine is a content management system (CMS) developed by us.
Simply put, a CMS is a modular system for creating, maintaining and
administering websites."
Product Link:
http://www.aprox.de/

======================================================================
4) Description of Vulnerability

Secunia Research has discovered some vulnerabilities in AproxEngine,
which can be exploited by malicious users to manipulate certain data,
conduct spoofing, SQL injection, and script insertion attacks and by
malicious people to conduct SQL injection and script insertion attacks.

1) Input passed via the "login" parameter to index.php is not properly
sanitised before being used in an SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed via the "login" and "password" parameters to index.php
is not properly sanitised before being displayed to the user. This can
be exploited to insert arbitrary HTML and script code, which will be
executed in a user's browser session in context of an affected site
when the malicious data is being viewed.

3) Input passed via the "art" parameter to index.php is not properly
sanitised before being used in an SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

4) Input passed via the "Referer" HTTP header to index.php is not
properly sanitised before being used in an SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.

5) Input passed to the "datei" parameter in
/engine/inc/galerie_unlink.php is not properly verified before being
used to delete image files. This can be exploited to delete arbitrary
files via directory traversal attacks.

Successful exploitation of this vulnerability requires administrative
privileges.

6) Input passed to the "del_verz" parameter in
/engine/inc/galerie_del_verz.php is not properly verified before being
used to delete galleries. This can be exploited to delete arbitrary
directories via directory traversal attacks.

Successful exploitation of this vulnerability requires administrative
privileges.
7) Input passed via the "from" parameter to index.php (when "page" is
set to "sql_postfach" and "action" is set to "new") is not properly
verified before being used to send mails to users. This can be
exploited to e.g. spoof mails from the administrator.

8) Input passed via the "to", "betreff", and "elm1" parameters to
index.php (when "page" is set to "sql_postfach" and "action" is set to
"new") is not properly sanitised before being used in an SQL query.
This can be exploited to manipulate SQL queries by injecting arbitrary
SQL code.

9) Input passed via various parameters to index.php (when "page" is set
to "sql_profil" and "action" is set to "list") is not properly
sanitised before being used in an SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability on version 6.0 requires
administrative privileges.

10) Input passed via the "generator", "author", "description", and
"keywords" parameters to index.php (when "page" is set to
"user_html_ed" and "action" is set to "open") is not properly
sanitised before being used in an SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.

11) Input passed via the "generator", "author", "description", and
"keywords" parameters to index.php (when "page" is set to
"user_html_ed" and "action" is set to "open") is not properly
sanitised before being displayed to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious data is being viewed.

12) Input passed via the "mail" parameter to index.php (when "page" is
set to "sql_profil" and "action" is set to "list") is not properly
sanitised before being displayed to the user.
This can be exploited to insert arbitrary HTML and script code, which
will be executed in a user's browser session in context of an affected
site when the malicious data is being viewed.

Successful exploitation of this vulnerability on version 6.0 requires
administrative privileges.

13) Input passed via the "betreff" parameter to index.php (when "page"
is set to "sql_postfach" and "action" is set to "new") is not properly
sanitised before being displayed to the user. This can be exploited to
insert arbitrary HTML and script code, which will be executed in a
user's browser session in context of an affected site when the
malicious data is being viewed.

The vulnerabilities are confirmed in versions 5.3.04 and 6.0. Other
versions may also be affected.

NOTE: Successful exploitation of all vulnerabilities except #5 and #6
requires that "magic_quotes_gpc" is disabled.

======================================================================
5) Solution

Ensure that "magic_quotes_gpc" is enabled and grant only trusted users
administrative access to the application.

======================================================================
6) Time Table

04/12/2009 - Vendor notified.
23/12/2009 - Vendor notified again (2nd attempt).
29/12/2009 - Public disclosure.

======================================================================
7) Credits

Discovered by Chaitanya Sharma, Secunia.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has not
currently assigned any CVE identifiers for these vulnerabilities.
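The directory traversal issues in #5 and #6 are the two findings that the "magic_quotes_gpc" workaround does not cover; the check below is an added example of the path containment a fix would need (not code from AproxEngine or from Secunia; the gallery root, function names and image suffixes are assumptions):

```python
import os
from typing import Optional

# Assumed location of the gallery tree; the advisory does not say where
# AproxEngine stores galleries.
GALLERY_ROOT = "/srv/www/galerie"


def contained_path(root: str, user_path: str) -> Optional[str]:
    """Resolve user_path against root and return the normalised, root-relative
    path if it stays inside root, else None.

    Rejects: empty input, NUL bytes, '..' segments that climb out, absolute
    paths (os.path.join discards root for those), symlinks that resolve
    outside root (realpath follows them first), and root itself."""
    if not user_path or "\x00" in user_path:
        return None
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path))
    if candidate == root_real:
        return None
    # commonpath is segment-aware, so a sibling such as "/srv/www/galerie_alt"
    # is not mistaken for a child the way a plain string-prefix test would.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return os.path.relpath(candidate, root_real)


def gallery_delete_allowed(user_path: str, want_dir: bool) -> bool:
    """Gate for the two delete actions: image files ("datei" in
    galerie_unlink.php) and gallery directories ("del_verz" in
    galerie_del_verz.php). Only paths that survive contained_path are
    accepted; file deletions are further limited to image suffixes."""
    rel = contained_path(GALLERY_ROOT, user_path)
    if rel is None:
        return False
    if want_dir:
        return True
    return rel.lower().endswith((".jpg", ".jpeg", ".png", ".gif"))
```

Performing the check on the resolved real path, rather than on the raw parameter, is what makes the "sommer/../../galerie_alt" and symlink cases fail closed.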
======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2009-2/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================