UK One Media CMS (id) Error Based SQL Injection Vulnerability

Title: UK One Media CMS (id) Error Based SQL Injection Vulnerability
Advisory ID: ZSL-2010-4942
Type: Local/Remote
Impact: System Access, Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (5/5)
Release Date: 19.06.2010
Summary
Content Management System (PHP+MySQL).
Description
UK One Media CMS suffers from an SQL injection vulnerability when parsing the query from the 'id' parameter, which results in compromise of the entire database structure and execution of system commands.

--------------------------------------------------------------------------------

GET .../viewArticle.php?id=xx%27

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/lqwrm/public_html/xxx/include/DbConnector.php on line xx.

--------------------------------------------------------------------------------
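
A hardened lookup for an `id` query parameter of the kind shown above, as an added example (not UK One Media CMS code and not part of the original advisory). It validates the value as an integer, binds it in a prepared statement, and keeps database errors out of the response. The function names, the `articles` table and its columns are hypothetical, and an in-memory SQLite database stands in for MySQL so the script runs offline on PHP 7.1 or later.

```php
<?php
// Added example: hypothetical hardened article lookup. Table, column and
// function names are assumptions; SQLite in memory stands in for MySQL.
ini_set('display_errors', '0'); // keep warnings and file paths out of responses

function open_demo_db(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)');
    $db->exec("INSERT INTO articles VALUES (1, 'Hello', 'Constructed sample row')");
    return $db;
}

function fetch_article(PDO $db, $rawId): ?array
{
    // Accept only a positive decimal integer; input such as "xx'" stops here.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // The value is bound as a typed parameter, never concatenated into the SQL text.
    $stmt = $db->prepare('SELECT id, title, body FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function render_article(PDO $db, array $query): array
{
    try {
        $article = fetch_article($db, $query['id'] ?? null);
    } catch (PDOException $e) {
        error_log('article lookup failed: ' . $e->getMessage()); // server-side log only
        return [500, 'Internal error'];
    }
    if ($article === null) {
        return [404, 'Article not found'];
    }
    return [200, htmlspecialchars($article['title'], ENT_QUOTES, 'UTF-8')];
}

$db = open_demo_db();
foreach (['1', "xx'", '999'] as $id) { // constructed sample inputs
    [$status, $body] = render_article($db, ['id' => $id]);
    printf("id=%-6s -> %d %s\n", $id, $status, $body);
}
```
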

Vendor
UK One Media - http://www.uk1media.com
Affected Version
N/A
Tested On
Apache 2.x (Linux)
PHP/5.2.11
MySQL/4.1.22
Vendor Status
[24.05.2010] Vulnerability discovered.
[30.05.2010] Vendor informed.
[19.06.2010] No reply from vendor. Public advisory released.
PoC
uk1media_sql.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://www.exploit-db.com/exploits/13933/
[2] http://securityreason.com/wlb_show/WLB-2010060092
[3] http://bbs.honkwin.com/read-htm-tid-6596.html?PHPSESSID=e100bb238e3ee930f6fcc261ad2284af
[4] http://inj3ct0r.com/exploits/12784
[5] http://www.packetstormsecurity.org/filedesc/onemediacms-sql.txt.html
[6] http://hack0wn.com/view.php?xroot=1927.0&cat=exploits
[7] http://www.0daynet.com/2010/0620/661.html
[8] http://xforce.iss.net/xforce/xfdb/59579
Changelog
[19.06.2010] - Initial release
[20.06.2010] - Added reference [3], [4], [5], [6] and [7]
[16.08.2010] - Added reference [8]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk