Vulnerable Systems:
* Family Connections version 2.1.3 and prior
A) Blind SQL Injection All field that I tested are vulnerable to Blind SQL Injection. I can't report all vulnerable files because they are many. The most injections don't require that Magic Quotes GPC (php.ini) is setted to Off. However an attacker may try to exploit this vulnerability using the full path disclosure released by the MySQL error to write a file into the remote file system, using as destination path the gallery directories, where the permissions must be setted to 777.
http://site/path/profile.php?member=1 AND IF(ASCII((SELECT CHAR(90))) = 90, BENCHMARK(10000000, MD5(0x90)), NULL) http://site/path/messageboard.php?thread=1 AND 1=1 http://site/path/messageboard.php?thread=1 AND 1=0
B) Multiple Arbitrary File Upload When we want to write a module to upload a file, we must check the file extension without using the Content-Type HTTP field, because this last one can be changed. This CMS uses the Content-Type to validate the extension.
C) Local File Inclusion In settings.php an user can set the favorite theme to use. This theme is included using the include_once PHP function. The original path is themes/ but using the directory traversal sequence, an user can include arbitrary files. There is a limit of characters to use, infact the theme field into the database has a length limit equal to 25.
Edit the POST packet and send the modified theme value like the following: ../ReadMe.txt\0
