GeniXCMS v0.0.1 Remote Unauthenticated SQL Injection Exploit
Title: GeniXCMS v0.0.1 Remote Unauthenticated SQL Injection Exploit
Advisory ID: ZSL-2015-5232
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 10.03.2015
Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
[05.03.2015] Vendor contacted.
[06.03.2015] Vendor responds asking more details.
[06.03.2015] Sent details to the vendor.
[07.03.2015] Vendor promises fix soon.
[10.03.2015] Vendor releases patched version.
[10.03.2015] Public security advisory released.
[2] https://github.com/semplon/GeniXCMS/commit/698245488343396185b1b49e7482ee5b25541815
[3] http://www.exploit-db.com/exploits/36321/
[4] http://osvdb.org/show/osvdb/119392
[5] http://osvdb.org/show/osvdb/119393
[6] http://cxsecurity.com/issue/WLB-2015030067
[7] http://packetstormsecurity.com/files/130770
[8] https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101498
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2679
[10] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2679
[11.03.2015] - Added reference [4], [5], [6] and [7]
[13.03.2015] - Added reference [8]
[24.03.2015] - Added reference [9] and [10]
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk
Advisory ID: ZSL-2015-5232
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 10.03.2015
Summary
GenixCMS is a PHP Based Content Management System and Framework (CMSF). It's a simple and lightweight of CMSF. Very suitable for Intermediate PHP developer to Advanced Developer. Some manual configurations are needed to make this application to work.Description
Input passed via the 'page' GET parameter and the 'username' POST parameter is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.Vendor
MetalGenix - http://www.genixcms.orgAffected Version
0.0.1Tested On
nginx/1.4.6 (Ubuntu)Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21
Vendor Status
[05.03.2015] Vulnerability discovered.[05.03.2015] Vendor contacted.
[06.03.2015] Vendor responds asking more details.
[06.03.2015] Sent details to the vendor.
[07.03.2015] Vendor promises fix soon.
[10.03.2015] Vendor releases patched version.
[10.03.2015] Public security advisory released.
PoC
genixcms_sqli.txtCredits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>References
[1] http://blog.metalgenix.com/update-security-fix-and-add-newsletter-module/16[2] https://github.com/semplon/GeniXCMS/commit/698245488343396185b1b49e7482ee5b25541815
[3] http://www.exploit-db.com/exploits/36321/
[4] http://osvdb.org/show/osvdb/119392
[5] http://osvdb.org/show/osvdb/119393
[6] http://cxsecurity.com/issue/WLB-2015030067
[7] http://packetstormsecurity.com/files/130770
[8] https://exchange.xforce.ibmcloud.com/#/vulnerabilities/101498
[9] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2015-2679
[10] https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2679
Changelog
[10.03.2015] - Initial release[11.03.2015] - Added reference [4], [5], [6] and [7]
[13.03.2015] - Added reference [8]
[24.03.2015] - Added reference [9] and [10]
Contact
Zero Science LabWeb: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk