Cotonti CMS v0.9.4 Multiple Remote Vulnerabilities

Title: Cotonti CMS v0.9.4 Multiple Remote Vulnerabilities
Advisory ID: ZSL-2011-5051
Type: Remote
Impact: Cross-Site Scripting, System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 10.10.2011
Summary
Cotonti is a powerful open-source web development framework and content manager with a focus on security, speed and flexibility.
Description
Input passed via the 'redirect.php' parameter in 'message.php' and the 'w' and 'id' parameters in 'index.php' is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, or to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. A path disclosure resides in the 'sq' parameter of the '/plugins/search/search.php' script.
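As an added illustration (this is not Cotonti's code and not part of the advisory's PoC), the PHP below contrasts the unsafe pattern the description refers to, request parameters concatenated into SQL and echoed unencoded into HTML, with a hardened equivalent, and ends with the error-display settings that stop PHP from printing file paths to clients. The table name 'pages', its columns, the mysqli connection and the parameter names are assumptions made for the example.

```php
<?php
// Added illustrative example, not Cotonti's code. The 'pages' table, its
// 'id'/'w' columns and the mysqli handle are assumptions for illustration.

// --- Unsafe pattern: parameters interpolated into SQL and echoed into HTML ---
function render_page_unsafe(mysqli $db, array $get): string
{
    $id = $get['id'] ?? '';
    $w  = $get['w']  ?? '';
    // Values dropped straight into the query string: the query structure is
    // controlled by the client (SQL injection).
    $res = $db->query("SELECT title FROM pages WHERE id = $id AND w = '$w'");
    $row = $res ? $res->fetch_assoc() : null;
    // Value reflected without encoding: markup in it becomes part of the page
    // (reflected cross-site scripting).
    return '<h1>' . ($row['title'] ?? 'Not found') . "</h1><p>Query: $w</p>";
}

// --- Hardened: validate shape, bind parameters, encode on output ---
function render_page_safe(mysqli $db, array $get): string
{
    // Reject anything that is not the expected shape before it reaches a sink.
    $id = filter_var($get['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    $w  = (string)($get['w'] ?? '');
    if ($id === false || !preg_match('/^[A-Za-z0-9_-]{0,32}$/', $w)) {
        return '<p>Invalid request.</p>';
    }

    // Prepared statement: the SQL text is fixed, values are sent separately,
    // so no input can alter the query structure.
    $stmt = $db->prepare('SELECT title FROM pages WHERE id = ? AND w = ?');
    if ($stmt === false) {
        return '<p>Temporary error.</p>';   // no driver message leaks to the client
    }
    $stmt->bind_param('is', $id, $w);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();

    // HTML-encode every untrusted value at the point it enters the output.
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<h1>' . $h($row['title'] ?? 'Not found') . '</h1>'
         . '<p>Query: ' . $h($w) . '</p>';
}

// --- Path disclosure: keep error detail (file paths, line numbers) off the wire ---
ini_set('display_errors', '0');   // never render warnings/notices into responses
ini_set('log_errors', '1');       // full detail goes to the server error log instead
error_reporting(E_ALL);
```

The validation step is deliberately narrow: an integer 'id' and a short alphanumeric 'w' cover what such parameters normally carry, and anything else is refused before a query or a response is built. Output encoding is applied to the database value as well as to the reflected parameter, since stored content is not more trustworthy than request content once it is rendered.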
Vendor
Cotonti Team - http://www.cotonti.com
Affected Version
0.9.4 (Siena)
Tested On
Microsoft Windows 7 Ultimate SP1 (EN)
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
[18.09.2011] Path disclosure discovered.
[18.09.2011] Contacted the vendor and sent details.
[18.09.2011] Vendor responds, promising a patch in the 0.9.5 release.
[27.09.2011] SQL Injection and XSS discovered.
[28.09.2011] Contacted the vendor and sent details.
[09.10.2011] No response from vendor.
[10.10.2011] Public security advisory released.
PoC
cotonti.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>, and Dame Jovanoski - <jovanoski@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/17958/
[2] http://packetstormsecurity.org/files/105656
[3] http://www.securityfocus.com/bid/50052
[4] http://www.1337day.com/exploits/17044
[5] http://xforce.iss.net/xforce/xfdb/70459
[6] http://securityreason.com/wlb_show/WLB-2011100054
Changelog
[10.10.2011] - Initial release
[11.10.2011] - Added reference [2] and [3]
[12.10.2011] - Added reference [4], [5] and [6]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk