dev4u CMS Multiple SQL Injection and Cross Site Scripting Issues
20 Nov. 2006
Summary
dev4u CMS is "a well known German Content Management System". Multiple vulnerabilities have been discovered in dev4u CMS system, allowing a remote attacker to cause the product to execute arbitrary SQL statements as well as include arbitrary HTML and/or JavaScript into existing web pages.
Cross Site Scripting:
Input passed directly to the "user_name", "passwort" and "go_target" parameter in "index.php" is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
SQL Injection:
Input passed directly to the "seite_id", "gruppe_id.php" and "go_target" parameter in "index.php" is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Solution:
Edit the source code to ensure that input is properly sanitized. You should work with "htmlspecialchars()" or "htmlentities()" php-function to ensure that HTML tags are not going to be executed. You should also work with the "intval()" and "mysql_real_escape_string()" or "addslashes()" php-function to ensure that SQL statements can't be delivered over the "get" variables. Further it is recommend to set off the "register globals" option in the "php.ini" on your webserver.
History/Timeline:
11.11.2006 discovery of the vulnerabilities
11.11.2006 additional tests with other versions
12.11.2006 contacted the vendor
18.11.2006 advisory is written
18.11.2006 advisory released
