Cotonti CMS v0.9.4 Multiple Remote Vulnerabilities

Severity: Medium
Advisory ID: ZSL-2011-5051
Release Date: 10 October 2011
Vendor: Cotonti Team - http://www.cotonti.com
Affected Version: 0.9.4 (Siena)
CVE: N/A
Tested On: Microsoft Windows 7 Ultimate SP1 (EN), Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

Cotonti is a powerful open-source web development framework and content manager with a focus on security, speed and flexibility.

Description

Input passed via the parameter 'redirect.php' in the 'message.php' script, and via the 'w' and 'id' parameters in the 'index.php' script, is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code, or to execute arbitrary HTML and script code in a user's browser session in the context of an affected site. A path disclosure issue also exists in the 'sq' parameter of the '/plugins/search/search.php' script.
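The two input-handling defects the description names (request values concatenated into SQL, and request values echoed back unencoded) follow a single pattern, shown here as an added illustration written for this page; it is not Cotonti's code. The handler names, the 'pages' table and the 'title' column are assumptions; the parameter names 'id' and 'w' are taken from the advisory. The unsafe function reproduces the flaw class, the hardened one shows the fix: type validation, a parameterised query and output encoding, plus the display_errors setting that stops PHP from printing full file paths in error messages (the path disclosure case).

```php
<?php
// Added illustration, not Cotonti's code. A hypothetical handler that takes an
// integer 'id' and a free-text 'w' parameter, as the affected index.php does.

// --- Unsafe pattern: the flaw class the advisory describes ---
function unsafe_lookup(mysqli $db, array $get): string {
    // 'id' is concatenated straight into the SQL text: SQL injection.
    $sql = "SELECT title FROM pages WHERE id = " . $get['id'];
    $res = $db->query($sql);
    $row = $res ? $res->fetch_assoc() : null;
    // 'w' is reflected into the page without encoding: reflected XSS.
    return "<h1>" . ($row['title'] ?? '') . "</h1><p>Query: " . $get['w'] . "</p>";
}

// --- Hardened version ---
function safe_lookup(PDO $db, array $get): string {
    // Validate the type first; anything that is not a positive integer is rejected.
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        return 'Invalid id';
    }

    // Parameterised query: the bound value never becomes part of the SQL text.
    // (Set PDO::ATTR_EMULATE_PREPARES to false on the connection so the server,
    // not the driver, does the binding.)
    $stmt = $db->prepare('SELECT title FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $title = $stmt->fetchColumn(); // false when no row matched

    // Output-encode every request-derived or database-derived value before it
    // is placed in HTML, including the stored title.
    $w = (string)($get['w'] ?? '');
    return '<h1>' . htmlspecialchars((string)$title, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>'
         . '<p>Query: ' . htmlspecialchars($w, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

// Path disclosure hardening: PHP warnings and notices include the absolute
// path of the script; log them instead of sending them to the client.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
```

The order of the three checks matters: validation rejects malformed input early, the prepared statement protects the query even when validation is loosened later (for instance when 'w' is also used in a LIKE clause), and encoding at output time protects the page regardless of where the value came from. Setting display_errors in php.ini rather than at runtime is preferable, since a parse error occurs before ini_set() runs.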

Proof of Concept
Disclosure Timeline
18.09.2011 - Path disclosure discovered.
18.09.2011 - Contact with the vendor with sent details.
18.09.2011 - Vendor responds promising patch in 0.9.5 release.
27.09.2011 - SQL Injection and XSS discovered.
28.09.2011 - Contact with the vendor with sent details.
09.10.2011 - No response from vendor.
10.10.2011 - Public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic and Dame Jovanoski
References
Changelog
10.10.2011 - Initial release
11.10.2011 - Added references [2] and [3]
12.10.2011 - Added references [4], [5] and [6]