11in1 CMS v1.0.1 (do.php) CRLF Injection Vulnerability
Title: 11in1 CMS v1.0.1 (do.php) CRLF Injection Vulnerability
Advisory ID: ZSL-2011-5055
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 08.11.2011
--------------------------------------------------------------------------------
--------------------------------------------------------------------------------
Apache 2.2.21
MySQL 5.5.16
PHP 5.3.8
[2] http://www.exploit-db.com/exploits/18095/
[3] http://securityreason.com/wlb_show/WLB-2011110028
[4] http://doie.net/?p=1832
[5] http://www.securityfocus.com/bid/50587
[6] http://xforce.iss.net/xforce/xfdb/71183
[7] http://www.osvdb.org/show/osvdb/83321
[09.11.2011] - Added reference [3] and [4]
[15.11.2011] - Added reference [5]
[17.09.2012] - Added reference [6] and [7]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2011-5055
Type: Remote
Impact: Cross-Site Scripting
Risk: (3/5)
Release Date: 08.11.2011
Summary
Eleven in One is an open-source content management system (CMS) that is powered by PHP and MySQL. It does not only help you manage your personal blog but also maintain your postings at social networks. By establishing consistency among the data transmitted from and to the blog, this CMS sustains continuous harmonization of your data over time.Description
Input passed to the 'content' parameter in 'do.php' on line 2112 is not properly sanitised before being returned to the user. This can be exploited to insert arbitrary HTTP headers, which are included in a response sent to the user.--------------------------------------------------------------------------------
/admin/do.php
----------------
2088: // update status
2089: else if(($action == "postStatus")&&($_SERVER["REQUEST_METHOD"] == "POST")&&($_SESSION['admin'] == 1))
2090: {
2091: $content = htmlspecialchars($_POST['content']);
2092:
2093: // Get database information
2094: $Database = new Database;
2095: $info = $Database->getInfo();
2096:
2097: // connect to database
2098: $conn = mysql_connect($info[0], $info[1], $info[2]);
2099: mysql_select_db($info[3], $conn);
2100:
2101: $date = date("Y-m-d H:i:s");
2102:
2103: // clear table
2104: $result = mysql_query("INSERT INTO 11in1_streamline (content, date) VALUES ('$content', '$date')");
2105:
2106: // close connection to db
2107: mysql_close($conn);
2108:
2109: // prepare success message
2110: $_SESSION['msg'] = array("title" => $lang_backend_request_executed, "msg" => $lang_backend_statusPosted, "url" => "streamline.php", "button" => $lang_error_goBack);
2111:
2112: header("Location: msg.php?connect=yes&status=$content");
2113: }
--------------------------------------------------------------------------------
Vendor
11in1 - http://www.11in1.orgAffected Version
1.0.1Tested On
Microsoft Windows XP Professional SP3 (EN)Apache 2.2.21
MySQL 5.5.16
PHP 5.3.8
Vendor Status
[07.11.2011] Bug reported to the vendor.PoC
11in1_crlfi.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://packetstormsecurity.org/files/106716[2] http://www.exploit-db.com/exploits/18095/
[3] http://securityreason.com/wlb_show/WLB-2011110028
[4] http://doie.net/?p=1832
[5] http://www.securityfocus.com/bid/50587
[6] http://xforce.iss.net/xforce/xfdb/71183
[7] http://www.osvdb.org/show/osvdb/83321
Changelog
[08.11.2011] - Initial release[09.11.2011] - Added reference [3] and [4]
[15.11.2011] - Added reference [5]
[17.09.2012] - Added reference [6] and [7]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
