TutorialMS v1.4 (show) Remote SQL Injection Vulnerability
Title: TutorialMS v1.4 (show) Remote SQL Injection Vulnerability
Advisory ID: ZSL-2011-5007
Type: Local/Remote
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 05.04.2011
Summary
TutorialMS is a free content management system developed specifically for tutorial pages. It is written in PHP and uses MySQL as its database. TutorialMS offers all the usual features needed to build your own tutorial page quickly and easily, without extensive programming knowledge.
Description
Input passed via the 'show' parameter to the 'includes/classes/tutorial.php' script is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
Vendor
TutorialMS.com - http://www.tutorialms.com
Affected Version
1.4
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
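The Description above reports that the 'show' request parameter reaches a SQL query unsanitised. The PHP below is an added illustration, not TutorialMS's source (the advisory does not reproduce it): it reconstructs that unsafe pattern generically and shows the hardened form using integer validation plus a PDO prepared statement. The table name, column names and connection details are assumptions.

```php
<?php
// Added illustration, not TutorialMS code. Table/column names and the
// connection string are assumed for the example.

/**
 * UNSAFE pattern: the raw request value is concatenated into the query text,
 * so whatever the client sends is parsed by MySQL as part of the statement.
 */
function loadTutorialUnsafe(PDO $db, array $get): ?array
{
    $show = $get['show'] ?? '';
    $sql  = "SELECT id, title, body FROM tutorials WHERE id = " . $show;
    $res  = $db->query($sql);                 // client controls the WHERE clause
    $row  = $res ? $res->fetch(PDO::FETCH_ASSOC) : false;
    return $row === false ? null : $row;
}

/**
 * SAFE pattern: validate that 'show' is a positive integer, then bind it as a
 * typed parameter so the value is never interpreted as SQL syntax.
 */
function loadTutorialSafe(PDO $db, array $get): ?array
{
    $show = filter_var($get['show'] ?? null, FILTER_VALIDATE_INT,
                       ['options' => ['min_range' => 1]]);
    if ($show === false) {
        http_response_code(400);              // reject malformed input outright
        return null;
    }
    $stmt = $db->prepare('SELECT id, title, body FROM tutorials WHERE id = :id');
    $stmt->bindValue(':id', $show, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (placeholder credentials; server-side prepares enforced):
// $pdo = new PDO('mysql:host=localhost;dbname=tutorialms', 'user', 'pass', [
//     PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES   => false,
// ]);
// $tutorial = loadTutorialSafe($pdo, $_GET);
```

Non-numeric or zero values of 'show' are refused with HTTP 400 before any query is built, which also gives the web server log a clean signal for tampering attempts against this parameter.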
Vendor Status
N/A
PoC
tutorialms_sql.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/17123/
[2] http://www.securityfocus.com/bid/47178
[3] http://packetstormsecurity.org/files/100113
[4] http://secunia.com/advisories/44000/
[5] http://www.1337day.com/exploits/15792
[6] http://securityreason.com/wlb_show/WLB-2011040037
[7] http://securityreason.com/exploitalert/10292
[8] http://xforce.iss.net/xforce/xfdb/66577
[9] http://osvdb.org/show/osvdb/71562
Changelog
[05.04.2011] - Initial release
[06.04.2011] - Added reference [1], [2], [3], [4] and [5]
[07.04.2011] - Added reference [6], [7] and [8]
[13.04.2011] - Added reference [9]
Contact
Zero Science Lab
Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk