################################################################# ################################################################# # _______ _ __ __ _ _ ______ # # |__ __| (_) | \/ (_) | |___ / # # | | _____ ___ ___| \ / |_ _ __ __| | / / # # | |/ _ \ \/ / |/ __| |\/| | | '_ \ / _` | / / # # | | (_) > <| | (__| | | | | | | | (_| |/ /__ # # |_|\___/_/\_\_|\___|_| |_|_|_| |_|\__,_/_____| # # # # +-+-+-+-+ # # |C|r|e|w| # # +-+-+-+-+ # ################################################################# ################################################################# # [#] TGS CMS (Cross Site Scripting,SQL injection,Blind SQL/XPath injection,Source code disclosure,) Multiple Vulnerabilities # # [#] Discovered By []ViZiOn # # [#] http://ToxicMindZ.org # # [#] Greetz: Str0ke & ToxicMindZ Members # ################################################################# # # [1]-Cross Site Scripting # # Vulnerability Description: # Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web applications which allow code #injection by malicious web users into the web pages viewed by other users. # # Affected items: # http://127.0.0.1/cms/login.php?previous_page=[XSS] # # Exemple: # # The Risk: # By exploiting this vulnerability, an attacker can inject malicious code in the script and can stole cookies. # # Fix the vulnerability: # * Encode output based on input parameters. # * Filter input parameters for special characters. # * Filter output based on input parameters for special characters... # ################################################################# # # [2]-SQL injection # # Vulnerability Description: # SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an #application. The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL #statements or user input is not strongly typed and thereby unexpectedly executed. # # Affected items: # http://127.0.0.1/cms/index.php?tgs_language_id=[SQL Injection] # http://127.0.0.1/cms/index.php?tpl_dir=[SQL Injection] # http://127.0.0.1/cms/index.php?referer=[SQL Injection] # http://127.0.0.1/cms/index.php?user-agent=[SQL Injection] # http://127.0.0.1/cms/index.php?site=[SQL Injection] # http://127.0.0.1/cms/index.php?option=[SQL Injection] # http://127.0.0.1/cms/index.php?db_optimization=[SQL Injection] # http://127.0.0.1/cms/index.php?owner=[SQL Injection] # http://127.0.0.1/cms/index.php?admin_email=[SQL Injection] # http://127.0.0.1/cms/index.php?default_language=[SQL Injection] # http://127.0.0.1/cms/index.php?db_host=[SQL Injection] # # Exemple: -1+ORDER+BY+1-- [You can find the number of colums (Well just incrementing the number until we get an error.)] # # The Risk: # By exploiting this vulnerability, an attacker can inject malicious code in the script and can have acces to the database. # # Fix the vulnerability: # To protect against SQL injection, user input must not directly be embedded in SQL statements. Instead, parameterized statements must be #used (preferred), or user input must be carefully escaped or filtered. # ################################################################# # # [3]-Blind SQL/XPath injection # # Vulnerability Description: # Blind SQL is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input. An SQL #injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't properly filter out dangerous #characters. # # Affected items: # http://127.0.0.1/cms/frontpage_ception.php?cmd=[Blind SQL] # http://127.0.0.1/cms/frontpage_ception.php?s_dir=[Blind SQL] # http://127.0.0.1/cms/frontpage_ception.php?minutes=[Blind SQL] # http://127.0.0.1/cms/frontpage_ception.php?s_mask=[Blind SQL] # http://127.0.0.1/cms/frontpage_ception.php?test3_mp=[Blind SQL] # http://127.0.0.1/cms/frontpage_ception.php?test15_file1=[Blind SQL] # http://127.0.0.1/cms/frontpage_ception.php?submit=[Blind SQL] # http://127.0.0.1/cms/frontpage_ception.php?brute_method=[Blind SQL] # http://127.0.0.1/cms/frontpage_ception.php?ftp_server_port=[Blind SQL] # http://127.0.0.1/cms/frontpage_ception.php?userfile14=[Blind SQL] # http://127.0.0.1/cms/frontpage_ception.php?subj=[Blind SQL] # http://127.0.0.1/cms/frontpage_ception.php?mysql_l=[Blind SQL] # http://127.0.0.1/cms/frontpage_ception.php?action=[Blind SQL] # http://127.0.0.1/cms/frontpage_ception.php?userfile1=[Blind SQL] # # Exemple: [Use The Brain xD] # # The Risk: # An unauthenticated attacker may execute arbitrary SQL/XPath statements on the vulnerable system. This may compromise the integrity of your #database and/or expose sensitive information. # # Fix the vulnerability: # *Your script should filter metacharacters from user input. # *Check detailed information for more information about fixing this vulnerability. # ################################################################# # # [4]-Source code disclosure # # Vulnerability Description: # Looks like the source code for this script is available. This check is using pattern matching to determine if server side tags #are found in the file. In some cases this may generate false positives. # # Affected items: # http://127.0.0.1/cms/index.php (site=admin) # http://127.0.0.1/cms/admin.php # # Exemple: # #) # * # * This program is free software: you can redistribute it and/or modify # * it under the terms of the GNU General Public License as published by # * the Free Software Foundation, either version 3 of the License, or # * (at your option) any later version. # * # * This program is distributed in the hope that it will be useful, # * but WITHOUT ANY WARRANTY; without even the implied warranty of # * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # * GNU General Public License for more details. # * # * You should have received a copy of the GNU General Public License # * along with this program. If not, see . # * # * @link http://www.tgs-cms.org/ # * @author Christoph Krieg # * @package template.index # */ # require_once( "lib/template.class.php" ) ; # $tgs_template = new tgs_template(); # $tgs_template->template_dir = "template/"; # $tgs_template->config_dir = "cms/includes/inc_global.php"; # $tgs_template->cms_dir = "cms/"; # $tgs_template->left_delimiter = "{*"; # $tgs_template->right_delimiter = "*}"; # $tgs_template->debug_mode = false; # $tgs_template->cache_mode = false; # $tgs_template->cache_option = "disabled"; # $tgs_template->cache_time = "0"; # $tgs_template->offline_mode = false; # $tgs_template->tgs_template_compile(); #?> # # The Risk: # An attacker can gather sensitive information (database connection strings, application logic) by analysing the source code. This #information can be used to conduct further attacks. # # Fix the vulnerability: # Remove this file from your website or change permissions in order to remove access # ################################################################# #################################################################