[UNIX] CMS Mundo SQL Injection and File Upload Vulnerabilities



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



CMS Mundo SQL Injection and File Upload Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Secunia Research has discovered two vulnerabilities in CMS Mundo, which
can be exploited by malicious people to conduct SQL injection attacks and
compromise a vulnerable system.

DETAILS

Vulnerable Systems:
* CMS Mundo version 1.0 build 007

Immune Systems:
* CMS Mundo version 1.0 build 008

1) Input passed to the "username" parameter in "controlpanel/" during
login isn't properly sanitised before being used in a
SQL query. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.

This can further be exploited to bypass the authentication process and
access the administration section (by e.g. providing
"admin ' /*" as the username together with an empty password).

Successful exploitation requires that "magic_quotes_gpc" is disabled.

2) An input validation error in the image upload handling in the image
gallery can be exploited to upload arbitrary PHP scripts to a predictable
location inside the web root.

Successful exploitation requires access to the administration section.

A combination of vulnerabilities #1 and #2 can be exploited by a malicious
person to execute arbitrary PHP code on a vulnerable system.

The vulnerabilities have been confirmed in version 1.0 build 007. Prior
versions may also be affected.

Solution:
Update to version 1.0 build 008.

Time Table:
30/05/2006 - Initial vendor notification.
30/05/2006 - Vendor confirms vulnerabilities.
14/06/2006 - Public disclosure.

CVE Information:
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2911>
CVE-2006-2911,
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2931>
CVE-2006-2931


ADDITIONAL INFORMATION

The information has been provided by <mailto:vuln-remove@xxxxxxxxxxx>
Secunia Research.
The original article can be found at:
<http://secunia.com/secunia_research/2006-43/advisory/>
http://secunia.com/secunia_research/2006-43/advisory/



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.