|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
MAXDEV CMS Multiple vulnerabilities
king_purba
yahoo.co.uk
Date: Thu Apr 06 2006 - 13:02:46 CDT
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
Full Path disclosure
---------------------
This hole is caused by direct access to file includes/legacy.php not protected
PoC :
http://site.co.id/maxdev/includes/legacy.php
Fix :
Turn off display error in php.ini can fix this security issue
Blind sql inject
-----------------
This hole is caused by filtered script not implemented to $topicid variable in file modules/Topics/pnuserapi.php
PoC :
http://site.co.id/maxdev/index.php?module=Topics&func=display&topicid=0 AND 1=0
http://site.co.id/maxdev/index.php?module=Topics&func=display&topicid=0 AND 1=1
Fix :
Maxdev cms have a filtered script to protect all request but i'm so lazy to analyze the code, then i just add this code
in modules/Topics/pnuserapi.php
if(isset($_GET['topicid']))
{
$topicid=$_GET['topicid'];
validate($topicid);
}
function validate($char)
{
if(!is_numeric($char))
{
die("i have received an error request");
}
}
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]