Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtSnup1337DAY-ID-18971
HistoryJul 12, 2012 - 12:00 a.m.

Funeral Script PHP Cross Site Scripting / SQL Injection

2012-07-1200:00:00
snup
0day.today
12
JSON

Exploit for php platform in category web applications

Funeral Script PHP - Multiple Web Vulnerabilites

Introduction:
=============
At your request and for a reasonable price, we may add or change features on the Funeral Script PHP. Funeral Script PHP 
requires PHP 4.3 or higher and MySQL 3 or higher to run on your server. Please make sure that your webserver meet 
this PHP / MySQL requirements.

Funeral Script PHP features:

    One step installation wizard
    Password protected admin area with multiple options and features that you can control
    Ability to add non-administrative content editors - separate administrative functions from content management
    Easily add images with automatic thumbnailing and image resizing
    Ability to add additional images in content using WYSIWYG editor
    Option to add youtube videos
    Full language, label, text, and header editing options
    Fully customizable look and feel without touching script code
    Easily customize and drop into your current website design
    Supports any language
    Can literally be dropped into your current site and usable in minutes, not hours or days
     Share This  button option
    Set number of obituaries per page
    Sort the order of comments in the GuestBook
    Option to ban unwanted words in the GuestBook
    Prevention of HTML and Javascript injections
    Choose between two anti-spam captcha images - simple and reCaptcha
    Option to approve comments before having them listed
    Email notification for the new comments
    RSS Feed with images, validated by w3c

( Copy of the Vendor Homepage: http://www.funeralscriptphp.com )

Details:
========
1.1
Multiple SQL Injection vulnerabilities  are detected in the Funeral Script PHP Content Management System.
The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands 
on the affected application dbms without user inter action. The vulnerabilities are located in the funeral_script.php 
& admin.php files and the bound vulnerable parameters orderBy, orderType & hide_cat. Successful exploitation of the 
vulnerability results in dbms & application compromise. 

Vulnerable File(s):
      [+] admin.php

Vulnerable Parameter(s):
      [+] orderBy
      [+] orderType
      [+] hide_cat



1.2
Multiple non persistent cross site scripting vulnerabilities are detected in the Funeral Script PHP Content Management System.
The vulnerability allows remote attackers to hijack website customer, moderator or admin sessions with medium or high 
required user inter action or local low privileged user account. Exploitation requires low user inter action or low 
privileged application user account. The bugs are located in the admin.php & funeral_script.php files with the bound 
vulnreable parameters orderBy, search, orderType, p, hide_cat & obit_id. Successful exploitation can result in account 
steal, phishing & client-side content request manipulation.

Vulnerable File(s):
      [+] admin.php
      [+] funeral_script.php

Vulnerable Parameter(s):
      [+] orderBy
      [+] search
      [+] orderType
      [+] obit_id
      [+] p
      [+] hide_cat


Proof of Concept:
=================
1.1
The sql injection vulnerabilities can be exploited by remote attackers with privileged application user account & without
required user inter action. For demonstration or reproduce ...

PoC:
http://127.0.0.1:80/37/funeral_script.php?hide_cat=[SQL-INJECTION]
http://127.0.0.1:80/37/funeralscript/admin.php?act=obituaries&orderType=[ASC/DESC]&search=&orderBy=[SQL-INJECTION]
http://127.0.0.1:80/37/funeralscript/admin.php?act=comments&obit_id=&orderType=[ASC/DESC]&search=&orderBy=[SQL-INJECTION]
http://127.0.0.1:80/37/funeralscript/admin.php?act=comments&obit_id=&orderType=[SQL-INJECTION]
http://127.0.0.1:80/37/funeralscript/admin.php?act=obituaries&orderType=[SQL-INJECTION]


1.2
The non-persistent cross site scripting vulnerabilities can be exploited by remote attackers with medium or high required 
user inter action. For demonstration or reproduce ...

PoC:
http://127.0.0.1:80/37/funeralscript/admin.php?act=obituaries&orderType=[ASC/DESC]&search=&orderBy=[Cross Site Scripting]
http://127.0.0.1:80/37/funeralscript/admin.php?act=obituaries&orderType=[ASC/DESC]&search=[Cross Site Scripting]
http://127.0.0.1:80/37/funeralscript/admin.php?act=obituaries&orderType=[Cross Site Scripting]
http://127.0.0.1:80/37/funeralscript/admin.php?act=comments&obit_id=&orderType=[ASC/DESC]&search=&orderBy=[Cross Site Scripting]
http://127.0.0.1:80/37/funeralscript/admin.php?act=comments&obit_id=[Cross Site Scripting]&orderType=[ASC/DESC]&search=[Cross Site Scripting]
http://127.0.0.1:80/37/funeralscript/admin.php?act=comments&obit_id=&orderType=[Cross Site Scripting]
http://127.0.0.1:80/37/funeralscript/admin.php?act=comments&obit_id=-1%[Cross Site Scripting]


http://127.0.0.1:80/37/funeral_script.php?id=1&p=[Cross Site Scripting]%3C&search=[Cross Site Scripting]
http://127.0.0.1:80/37/funeral_script.php?hide_cat=[Cross Site Scripting]


Risk:
=====
1.1
The security risk of the sql injection vulnerabilities are estimated as high(+).

1.2
The security risk of the non-persistent cross site scripting vulnerabilities are estiamted as low(+).



#  0day.today [2018-03-19]  #
JSON