[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [Full-disclosure] Wolf CMS v0.7.5 -  Multiple Web Vulnerabilities
From:       "research () vulnerability-lab ! com" <research () vulnerability-lab ! com>
Date:       2012-02-27 16:27:09
Message-ID: 4F4BAEDD.2060407 () vulnerability-lab ! com
[Download RAW message or body]

Title:
======
Wolf CMS v0.7.5 -  Multiple Web Vulnerabilities


Date:
=====
2012-02-27


References:
===========
http://www.vulnerability-lab.com/get_content.php?id=452


VL-ID:
=====
452


Introduction:
=============
Wolf CMS is a content management system and is Free Software published under the GNU General 
Public License v3. Wolf CMS is written in the PHP programming language. Wolf CMS is a fork of \
Frog CMS. The project was a finalistin the 2010 Packt Publishing s Open Source awards for the  \
Most Promising  Open Source Project  category. As of the 28th of December 2010, the Wolf CMS \
code repository was moved  from Google Code to Github.

( Copy of the Vendor Homepage: http://en.wikipedia.org/wiki/Wolf_CMS ) 


Abstract:
=========
Vulnerability Laboratory Research Team discovered multiple Web Vulnerabilities on the Wolf \
Content Management System v0.7.5 


Report-Timeline:
================
2012-02-11:	Vendor Notification
2012-02-27:	Public or Non-Public Disclosure


Status:
========
Published


Affected Products:
==================
BlueWin CH
Product: Wolf CMS v0.7.5


Exploitation-Technique:
=======================
Remote


Severity:
=========
High


Details:
========
1.1
A SQL Injection vulnerability is detected on the Wolfs Content Management System v0.7.5. The 
vulnerability allows an remote attacker to execute own sql commands on the affected application \
 dbms. Successful exploitation can result in dbms, web-server or application compromise.

Vulnerable Module(s):
					[+] /plugins/comment/[Index]

Picture(s):
					../1.png


1.2
Multiple persistent vulnerabilities are detected on the Wolfs Content Management System v0.7.5. \
 The bug allows an remote attacker or local low privileged user account to inject persistent \
malicious  script code on application side. Successful exploitation can result in persistent \
context manipulation  on requests, session hijacking & account steal via application side \
phishing.

Vulnerable Module(s):
					[+] /plugins/comment/



Picture(s):
					../2.png


Proof of Concept:
=================
The vulnerabilities can be exploited by remote attackers & local low privileged user accounts \
with- and  without required user inter action. For demonstration or reproduce ...

1.1
Path:	/wolfcms/wolf/plugins/comment/
File:	index.php

Review:
271: $ip = isset($_SERVER['HTTP_X_FORWARDED_FOR']) ?
$_SERVER['HTTP_X_FORWARDED_FOR']:($_SERVER['REMOTE_ADDR']);


1.2
Path:	/wolfcms/wolf/plugins/comment/
File:	index.php

Review:
/wolfcms/wolf/plugins/comment/index.php
272: echo '<input type="hidden" value="'.$ip.'" name="comment[author_ip]" />';


Risk:
=====
1.1
The security risk of the blind sql injection vulnerabilities are estimated as high(+).

1.2
The security risk of the persistant xss vulnerabilities are estimated as medium(+).


Credits:
========
Vulnerability Research Laboratory - Ucha Gobejishvili M. (longrifle0x)


Disclaimer:
===========
The information provided in this advisory is provided as it is without any warranty. \
Vulnerability-Lab disclaims all warranties,  either expressed or implied, including the \
warranties of merchantability and capability for a particular purpose. Vulnerability- Lab or \
its suppliers are not liable in any case of damage, including direct, indirect, incidental, \
consequential loss of business  profits or special damages, even if Vulnerability-Lab or its \
suppliers have been advised of the possibility of such damages. Some  states do not allow the \
exclusion or limitation of liability for consequential or incidental damages so the foregoing \
limitation  may not apply. Any modified copy or reproduction, including partially usages, of \
this file requires authorization from Vulnerability- Lab. Permission to electronically \
redistribute this alert in its unmodified form is granted. All other rights, including the use \
of  other media, are reserved by Vulnerability-Lab or its suppliers.

    						Copyright © 2012|Vulnerability-Lab




-- 
Website: www.vulnerability-lab.com ; vuln-lab.com or vuln-db.com
Contact: admin@vulnerability-lab.com or support@vulnerability-lab.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


[prev in list] [next in list] [prev in thread] [next in thread]