couponPHP CMS 1.0 Multiple Stored XSS and SQL Injection Vulnerabilities

Title: couponPHP CMS 1.0 Multiple Stored XSS and SQL Injection Vulnerabilities
Advisory ID: ZSL-2014-5170
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data, Cross-Site Scripting
Risk: (3/5)
Release Date: 28.02.2014
Summary
couponPHP is a revolutionary content management system for running Coupon and Deal websites. It is feature rich, powerful, beautifully designed and fully automatic.
Description
couponPHP is vulnerable to multiple Stored XSS and SQL Injection issues. Input passed via the parameters 'iDisplayLength' and 'iDisplayStart' in the 'comments_paginate.php' and 'stores_paginate.php' scripts is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The parameter 'sEcho' in 'comments_paginate.php' and 'stores_paginate.php', and the parameters 'affiliate_url', 'description', 'domain', 'seo[description]', 'seo[heading]', 'seo[title]', 'seo[keywords]', 'setting[logo]', 'setting[perpage]' and 'setting[sitename]' in the '/admin/index.php' script, are vulnerable to stored XSS issues where the attacker can execute arbitrary HTML and script code in a user's browser session in the context of an affected site.
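The hardened handling a defender would want for the two paginate scripts, as an added example that is not couponPHP's own code: the DataTables parameters named above are validated as integers, bound as typed placeholders in the LIMIT clause, and the response is built with json_encode instead of string concatenation. The table name `comments`, its columns, and the database DSN and credentials are assumptions.

```php
<?php
declare(strict_types=1);
// Added example, not couponPHP's own code. Table and column names are assumed.

// Validate the DataTables paging parameters named in the advisory and return
// plain integers. Anything else is rejected, so the values can only reach the
// query as bound integer parameters and the response as a JSON number.
function validate_paginate_params(array $input, int $maxPerPage = 100): array
{
    $start  = filter_var($input['iDisplayStart'] ?? 0, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 0]]);
    $length = filter_var($input['iDisplayLength'] ?? 10, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 1, 'max_range' => $maxPerPage]]);
    // sEcho is reflected back to the client; DataTables only ever sends an integer.
    $echo   = filter_var($input['sEcho'] ?? 0, FILTER_VALIDATE_INT,
                         ['options' => ['min_range' => 0]]);

    if ($start === false || $length === false || $echo === false) {
        http_response_code(400);
        exit(json_encode(['error' => 'invalid paging parameters']));
    }
    return ['start' => $start, 'length' => $length, 'echo' => $echo];
}

// Vulnerable pattern described in the advisory: raw request values concatenated
// into the LIMIT clause and written straight into the response body.
//   $sql = "SELECT ... FROM comments LIMIT {$_GET['iDisplayStart']}, {$_GET['iDisplayLength']}";
//   echo '{"sEcho": "' . $_GET['sEcho'] . '", ...}';

// Hardened version: validated integers are bound as typed parameters and the
// whole response is produced by json_encode, never by string concatenation.
function fetch_comments_page(PDO $pdo, array $p): string
{
    $stmt = $pdo->prepare(
        'SELECT id, author, body FROM comments ORDER BY id DESC LIMIT :start, :length');
    $stmt->bindValue(':start',  $p['start'],  PDO::PARAM_INT);
    $stmt->bindValue(':length', $p['length'], PDO::PARAM_INT);
    $stmt->execute();

    return json_encode(
        ['sEcho' => $p['echo'], 'aaData' => $stmt->fetchAll(PDO::FETCH_ASSOC)],
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// DSN and credentials are placeholders.
$pdo = new PDO('mysql:host=localhost;dbname=couponphp', 'DB_USER', 'DB_PASS',
               [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
header('Content-Type: application/json');
echo fetch_comments_page($pdo, validate_paginate_params($_GET));
```

The JSON_HEX_* flags also keep any stored comment text from breaking out of the JSON when the response is later inserted into a page, which is the same class of issue the admin-side 'seo[*]' and 'setting[*]' fields need htmlspecialchars() for at render time.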
Vendor
couponPHP - http://www.couponphp.com
Affected Version
1.0
Tested On
Apache/2.2.14 (Ubuntu)
PHP/5.3.2-1ubuntu4.14
Vendor Status
[01.02.2014] Vulnerabilities discovered.
[02.02.2014] Vendor contacted.
[03.02.2014] Vendor responds asking for more details.
[03.02.2014] Sent detailed information to the vendor.
[04.02.2014] Vendor confirms issues, developing patch.
[08.02.2014] Asked vendor for status update.
[10.02.2014] Vendor implemented fixes, testing in progress.
[13.02.2014] Vendor working on additional issues.
[18.02.2014] Asked vendor for status update.
[27.02.2014] No reply from the vendor.
[28.02.2014] Public security advisory released.
[02.03.2014] Vendor releases version 1.2.0 to address these issues.
PoC
couponphp_mv.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://packetstormsecurity.com/files/125480
[2] http://cxsecurity.com/issue/WLB-2014020258
[3] http://www.exploit-db.com/exploits/32037/
[4] http://osvdb.org/show/osvdb/103886
[5] http://osvdb.org/show/osvdb/103887
[6] http://osvdb.org/show/osvdb/103895
[7] http://osvdb.org/show/osvdb/103896
[8] http://osvdb.org/show/osvdb/103897
[9] http://www.securityfocus.com/bid/65918
[10] http://secunia.com/advisories/57177/
[11] http://couponphp.com/changelog
[12] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-10034
[13] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2014-10035
[14] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-10034
[15] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-10035
[16] http://xforce.iss.net/xforce/xfdb/91550
[17] http://xforce.iss.net/xforce/xfdb/91549
Changelog
[28.02.2014] - Initial release
[01.03.2014] - Added reference [1] and [2]
[03.03.2014] - Added reference [3]
[04.03.2014] - Added vendor status and reference [4], [5], [6], [7], [8], [9], [10] and [11]
[26.01.2015] - Added reference [12], [13], [14], [15], [16] and [17]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk