Security Advisory SA30377 - Quate CMS Multiple Vulnerabilities

Secunia

Blog

Secunia Advisory SA30377

Quate CMS Multiple Vulnerabilities

Secunia Advisory

SA30377

Release Date

2008-05-27

Last Update

2008-08-07

Popularity

5,714 views

Comments

0 comments

Criticality level

Highly critical

Impact

Cross Site Scripting
Manipulation of data
Exposure of system information
Exposure of sensitive information
System access

Where

From remote

Authentication level

This information is available to Secunia VIM customers

Report reliability

This information is available to Secunia VIM customers

Solution Status

Unpatched

Systems affected

This information is available to Secunia VIM customers

Approve distribution

This information is available to Secunia VIM customers

Remediation status

Secunia VIM

Software:

Quate CMS 0.x

Secunia CVSS Score

This information is available to Secunia VIM Customers

CVE Reference(s)

CVE-2008-2496 CVSS score available to Secunia VIM customers

Description

Some vulnerabilities have been discovered in Quate CMS, which can be exploited by malicious users to disclose and manipulate sensitive information, and by malicious people to conduct cross-site scripting attacks, disclose sensitive information, and compromise a vulnerable system.

1) Input passed to the "secure_page_path" parameter in admin/includes/header.php (when "bypass_installed" is set to "1") is not properly verified before being used to include files. This can be exploited to include arbitrary files from local or external resources.

Successful exploitation of this vulnerability requires that "register_globals" is enabled.

2) Input passed to the "admin_template_default" parameter in admin/includes/footer.php is not properly verified before being used to include files. This can be exploited to include arbitrary files from local resources via directory traversal attacks and URL-encoded NULL bytes ("%00").

Successful exploitation of this vulnerability requires that "register_globals" is enabled and that "magic_quotes_gpc" is disabled.

3) Input passed to the "dir" parameter in admin/filemanager.php is not properly sanitised before being used. This can be exploited to display or edit arbitrary files via directory traversal attacks.

Successful exploitation of this vulnerability requires valid administrator credentials.

4) Input passed in the URL to admin/credits.php, admin/login.php, and upgrade/index.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

5) Input passed to the "page_area" and "page_header" parameters in admin/includes/themes/default/header.php is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Successful exploitation of this vulnerability requires that "register_globals" is enabled.

The vulnerabilities are confirmed in version 0.3.4. Other versions may also be affected.

Solution
Edit the source code to ensure that input is properly verified and sanitised.

Provided and/or discovered by
1-4) Digital Security Research Group
5) CraCkEr

Changelog
Further details available to Secunia VIM customers

Original Advisory
1-4) http://milw0rm.com/exploits/5668
5) http://milw0rm.com/exploits/6211

Deep Links
Links available to Secunia VIM customers

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Quate CMS Multiple Vulnerabilities

No posts yet

Secunia Advisory SA30377

Quate CMS Multiple Vulnerabilities

Do you have additional information related to this advisory?

You must be logged in to post a comment.

Secunia Customer Login

Not a customer already?