AppStateESS / phpwebsite

phpWebSite Content Management System

SQL Injection in "module" parameter of phpWebSite CMS #293

Open PauloChoupina opened 7 years ago

PauloChoupina commented 7 years ago

SQL Injection in "module" parameter of phpWebSite CMS

Google dork: "powered by phpWebSite"+inurl:index.php?module=pagemaster

examples:

http://leaf.sourceforge.net/bering-uclibc/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=12

http://www.18to1.com/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=6&MMN_position=8:8

http://www.fflach.co.uk/cms/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=9&MMN_position=13:13

http://www.capitalfamilymd.com/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=12&MMN_position=23:23

http://www.buckwheat.info/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=21&MMN_position=24:24

trf000 commented 7 years ago

These are incredibly old instances of phpWebsite. In some cases over a decade old.

PauloChoupina commented 7 years ago

How can you tell?

trf000 commented 7 years ago

Well, a few have copyright dates of 2006. Pagemaster isn't a module anymore and the position= references layout positioning from phpWebsite pre 1.x

Those sites are Ooooold. So very old.

PauloChoupina commented 7 years ago

OK, on another point: I have tried to set up a copy of my own to test but I couldn't get it to work properly.

I deploy a new VPS, then wget the master.zip, unzip, install LAMP (via tasksel), mv the directory to /html, access via browser and I get this error: http://pastebin.com/MtsBZ48u

So I did something I can't recall with composer, and somehow I got a new page, saying phpwebsite couldn't install because you need to compile GK something.. I gave up there..

Could you point me to any instructions?

jlbooker commented 7 years ago

@PauloChoupina You need to run composer install from the command line in the project's root directory. This will install the Composer autoload.php file that the error message is referring to.

PauloChoupina commented 7 years ago

Got it. I will get back to it when I get the time. Thank you and sorry about the wrong perception.

btw, I registered a CVE and did an exploit request to exploit-db, so if this is an old dated version, this is going to create some confusion.. xD I will try to cancel the publishing of the exploit

Sorry guys xD