[UNIX] CMS Mundo SQL Injection and File Upload Vulnerabilities
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 30 Aug 2006 15:14:00 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
CMS Mundo SQL Injection and File Upload Vulnerabilities
Secunia Research has discovered two vulnerabilities in CMS Mundo, which
can be exploited by malicious people to conduct SQL injection attacks and
compromise a vulnerable system.
* CMS Mundo version 1.0 build 007
* CMS Mundo version 1.0 build 008
1) Input passed to the "username" parameter in "controlpanel/" during
login isn't properly sanitised before being used in a
SQL query. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
This can further be exploited to bypass the authentication process and
access the administration section (by e.g. providing
"admin ' /*" as the username together with an empty password).
Successful exploitation requires that "magic_quotes_gpc" is disabled.
2) An input validation error in the image upload handling in the image
gallery can be exploited to upload arbitrary PHP scripts to a predictable
location inside the web root.
Successful exploitation requires access to the administration section.
A combination of vulnerabilities #1 and #2 can be exploited by a malicious
person to execute arbitrary PHP code on a vulnerable system.
The vulnerabilities have been confirmed in version 1.0 build 007. Prior
versions may also be affected.
Update to version 1.0 build 008.
30/05/2006 - Initial vendor notification.
30/05/2006 - Vendor confirms vulnerabilities.
14/06/2006 - Public disclosure.
The information has been provided by <mailto:vuln-remove@xxxxxxxxxxx>
The original article can be found at:
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
- Prev by Date: [NEWS] SAP-DB/MaxDB WebDBM Buffer Overflow
- Next by Date: [UNIX] SquirrelMail Arbitrary Variable Overwriting
- Previous by thread: [NEWS] SAP-DB/MaxDB WebDBM Buffer Overflow
- Next by thread: [UNIX] SquirrelMail Arbitrary Variable Overwriting