ConPresso CMS Multiple XSS and SQL Injection Issues
1 Oct. 2006
Summary
ConPresso CMS is "a well known content management system". Multiple security vulnerabilities have been discovered in ConPresso CMS system allowing remote attackers to inject arbitrary HTML and/or JavaScript and to change the execution path of SQL queries.
Vulnerable Systems:
* ConPresso CMS version 4.0.4a and prior
Immune Systems:
* ConPresso CMS version 4.0.5a
XSS:
Input passed directly to the "nr" parameter in "detail.php", the "msg" parameter in "db_mysql.inc.php" and the "pos" parameter in "index.php" is not properly sanitized before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
SQL injection:
Input passed directly to the "nr" parameter in "index.php" is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Workaround:
Edit the source code to ensure that input is properly sanitized. You should work with "htmlspecialchars()" or "htmlentities()" php-function to ensure that HTML tags are not going to be executed. You should also work with the "mysql_real_escape_string()" or "addslashes()" php-function to ensure that SQL statements can't be delivered over the "get" variables. Further it is recommend to set off the "register globals" option in the "php.ini" on your webserver.
History/Timeline:
30.07.2006 - discovery of the vulnerability
02.08.2006 - additional tests with other versions
03.08.2006 - contacted the vendor
04.08.2006 - the vendor contacted me(response)
05.08.2006 - vendor confirmed the bugs
19.09.2006 - new(fixed) version 4.0.5a is available
26.09.2006 - advisory is written
