List: full-disclosure
Subject: [Full-disclosure] Wolf CMS v0.7.5 - Multiple Web Vulnerabilities
From: "research () vulnerability-lab ! com" <research () vulnerability-lab ! com>
Date: 2012-02-27 16:27:09
Message-ID: 4F4BAEDD.2060407 () vulnerability-lab ! com
Title:
======
Wolf CMS v0.7.5 - Multiple Web Vulnerabilities
Date:
=====
2012-02-27
References:
===========
http://www.vulnerability-lab.com/get_content.php?id=452
VL-ID:
=====
452
Introduction:
=============
Wolf CMS is a content management system and is Free Software published under the GNU General
Public License v3. Wolf CMS is written in the PHP programming language. Wolf CMS is a fork of
Frog CMS. The project was a finalist in the 2010 Packt Publishing's Open Source awards for the
Most Promising Open Source Project category. As of the 28th of December 2010, the Wolf CMS
code repository was moved from Google Code to Github.
( Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Wolf_CMS )
Abstract:
=========
The Vulnerability Laboratory Research Team discovered multiple web vulnerabilities in the Wolf
Content Management System v0.7.5.
Report-Timeline:
================
2012-02-11: Vendor Notification
2012-02-27: Public or Non-Public Disclosure
Status:
========
Published
Affected Products:
==================
BlueWin CH
Product: Wolf CMS v0.7.5
Exploitation-Technique:
=======================
Remote
Severity:
=========
High
Details:
========
1.1
A SQL injection vulnerability is detected in the Wolf Content Management System v0.7.5. The
vulnerability allows a remote attacker to execute their own SQL commands on the affected
application DBMS. Successful exploitation can result in DBMS, web-server or application compromise.
Vulnerable Module(s):
[+] /plugins/comment/[Index]
Picture(s):
../1.png
1.2
Multiple persistent vulnerabilities are detected in the Wolf Content Management System v0.7.5.
The bug allows a remote attacker or a local low-privileged user account to inject persistent
malicious script code on the application side. Successful exploitation can result in persistent
context manipulation on requests, session hijacking and account theft via application-side
phishing.
Vulnerable Module(s):
[+] /plugins/comment/
Picture(s):
../2.png
Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers and local low-privileged user accounts
with and without required user interaction. For demonstration or reproduce ...
1.1
Path: /wolfcms/wolf/plugins/comment/
File: index.php
Review:
271: $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ?
$_SERVER['HTTP_X_FORWARDED_FOR']:($_SERVER['REMOTE_ADDR']);
1.2
Path: /wolfcms/wolf/plugins/comment/
File: index.php
Review:
/wolfcms/wolf/plugins/comment/index.php
272: echo '<input type="hidden" value="'.$ip.'" name="comment[author_ip]" />';
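The two reviewed lines share one root cause: the client-supplied X-Forwarded-For header is copied into $ip with no validation. The following is an added example, not Wolf CMS code and not part of the original advisory, showing a hardened form of lines 271 and 272. The proxy allow-list, the function names and the comment table layout are assumptions made for illustration.

```php
<?php
// Added example, not Wolf CMS code. Assumption: $ip from line 271 later
// reaches both an SQL statement and the HTML attribute echoed on line 272.

// Hypothetical allow-list of reverse proxies permitted to set X-Forwarded-For.
const TRUSTED_PROXIES = ['127.0.0.1'];

// Return a syntactically valid IP address, never raw header text.
function comment_client_ip(array $server): string
{
    $remote = $server['REMOTE_ADDR'] ?? '';
    $candidate = $remote;
    // Honour the header only when the direct peer is a known proxy.
    if (in_array($remote, TRUSTED_PROXIES, true) && isset($server['HTTP_X_FORWARDED_FOR'])) {
        // Each proxy appends the peer it saw, so the rightmost entry is the
        // one written by the trusted proxy; earlier entries are client text.
        $hops = explode(',', $server['HTTP_X_FORWARDED_FOR']);
        $candidate = trim(end($hops));
    }
    return filter_var($candidate, FILTER_VALIDATE_IP) !== false ? $candidate : '0.0.0.0';
}

// Output side: encode for the HTML attribute context.
function author_ip_field(string $ip): string
{
    return '<input type="hidden" value="'
        . htmlspecialchars($ip, ENT_QUOTES, 'UTF-8')
        . '" name="comment[author_ip]" />';
}

// Storage side: bind the value instead of concatenating it into the query.
function store_comment(PDO $db, string $body, string $ip): void
{
    $stmt = $db->prepare('INSERT INTO comment (body, author_ip) VALUES (:body, :ip)');
    $stmt->execute([':body' => $body, ':ip' => $ip]);
}

// Constructed request: an untrusted peer sends a header that is not an IP.
$server = ['REMOTE_ADDR' => '203.0.113.7', 'HTTP_X_FORWARDED_FOR' => 'not-an-ip"\'<>'];
$ip = comment_client_ip($server);            // header ignored: peer is not a trusted proxy
echo author_ip_field($ip), PHP_EOL;          // value="203.0.113.7"

// Hypothetical table layout; requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE comment (body TEXT, author_ip TEXT)');
store_comment($db, 'constructed comment', $ip);
```

A hidden form field is still client-controlled when the comment is posted, so the address is better computed with comment_client_ip() at insert time than read back from comment[author_ip].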
Risk:
=====
1.1
The security risk of the blind SQL injection vulnerabilities is estimated as high(+).
1.2
The security risk of the persistent XSS vulnerabilities is estimated as medium(+).
Credits:
========
Vulnerability Research Laboratory - Ucha Gobejishvili M. (longrifle0x)
Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty.
Vulnerability-Lab disclaims all warranties, either expressed or implied, including the
warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or
its suppliers are not liable in any case of damage, including direct, indirect, incidental,
consequential loss of business profits or special damages, even if Vulnerability-Lab or its
suppliers have been advised of the possibility of such damages. Some states do not allow the
exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. Any modified copy or reproduction, including partially usages, of
this file requires authorization from Vulnerability-Lab. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use
of other media, are reserved by Vulnerability-Lab or its suppliers.
Copyright © 2012|Vulnerability-Lab
--
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/