
Practico 13.9 Multiple Vulnerabilities

Severity: Medium
Advisory ID: ZSL-2013-5160
Release Date: 03 November 2013
Vendor:
Affected Version: 13.9
CVE: N/A
Tested On: Microsoft Windows 7 Ultimate SP1 (EN), Apache 2.4.2 (Win32), PHP 5.4.7, MySQL 5.5.25a
Summary

Practico is a free CMS project released under the GNU GPL v2.0 license for creating web applications in a completely visual and fast fashion, without programming knowledge.

Description

Practico suffers from multiple vulnerabilities: Cross-Site Scripting (XSS), SQL Injection (SQLi) and Cross-Site Request Forgery (CSRF/XSRF). The application lets users perform certain actions via HTTP requests without any check that the request was intentionally issued by that user. This can be exploited to perform those actions with administrative privileges if a logged-in administrative user visits a malicious web site. Input passed via several parameters is not properly sanitized before being returned to the user or before being used in SQL queries. This can be exploited to inject arbitrary SQL code into the application's queries, and to execute arbitrary HTML and script code in a user's browser session in the context of the affected site.
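The three bug classes above, each in a generic vulnerable form beside a hardened version, as an added example written for this page. It is not Practico's code and does not reproduce the advisory's actual vectors; the table practico_users, its columns id and nombre, the $_SESSION['admin'] flag and the caller-supplied mysqli handle $db are assumptions for illustration. The code targets the PHP 5.4 / MySQL stack the advisory was tested on.

```php
<?php
// Added example, not Practico's code. Assumptions (not from the advisory):
// table practico_users with columns id and nombre, an admin flag in
// $_SESSION['admin'], and a mysqli handle $db opened by the caller.

// --- SQL injection ----------------------------------------------------
// Vulnerable: the parameter is concatenated into the query text.
function find_user_vulnerable(mysqli $db, $id) {
    return $db->query("SELECT id, nombre FROM practico_users WHERE id = " . $id);
}

// Hardened: prepared statement; the value is bound, never parsed as SQL.
function find_user_hardened(mysqli $db, $id) {
    $stmt = $db->prepare("SELECT id, nombre FROM practico_users WHERE id = ?");
    $stmt->bind_param('i', $id);          // 'i' also coerces the value to an integer
    $stmt->execute();
    $stmt->bind_result($uid, $name);
    $rows = array();
    while ($stmt->fetch()) {
        $rows[] = array('id' => $uid, 'nombre' => $name);
    }
    $stmt->close();
    return $rows;
}

// --- Cross-site scripting ---------------------------------------------
// Vulnerable: the parameter is echoed back without encoding.
function greet_vulnerable($name) {
    return '<p>Hola, ' . $name . '</p>';
}

// Hardened: encode on output for the HTML context the value lands in.
function greet_hardened($name) {
    return '<p>Hola, ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// --- Cross-site request forgery ---------------------------------------
// Vulnerable: a state-changing action authorised by the session cookie alone,
// so any page a logged-in admin visits can submit the request on their behalf.
function delete_user_vulnerable(mysqli $db, $id) {
    if (empty($_SESSION['admin'])) {
        return false;
    }
    $stmt = $db->prepare("DELETE FROM practico_users WHERE id = ?");
    $stmt->bind_param('i', $id);
    return $stmt->execute();
}

// Constant-time comparison; hash_equals() only exists from PHP 5.6.
function constant_time_equals($a, $b) {
    if (function_exists('hash_equals')) {
        return hash_equals($a, $b);
    }
    if (strlen($a) !== strlen($b)) {
        return false;
    }
    $diff = 0;
    for ($i = 0; $i < strlen($a); $i++) {
        $diff |= ord($a[$i]) ^ ord($b[$i]);
    }
    return $diff === 0;
}

// Per-session secret that a third-party site can neither read nor guess.
function csrf_token() {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(openssl_random_pseudo_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_valid($submitted) {
    if (empty($_SESSION['csrf']) || !is_string($submitted)) {
        return false;
    }
    return constant_time_equals($_SESSION['csrf'], $submitted);
}

// Hardened: POST only, and the request must carry the session's token.
// Emit csrf_token() in the form as a hidden field named csrf and pass
// $_SERVER['REQUEST_METHOD'] and $_POST['csrf'] in here.
function delete_user_hardened(mysqli $db, $id, $method, $token) {
    if ($method !== 'POST' || empty($_SESSION['admin']) || !csrf_valid($token)) {
        return false;
    }
    $stmt = $db->prepare("DELETE FROM practico_users WHERE id = ?");
    $stmt->bind_param('i', $id);
    return $stmt->execute();
}

// Self-check of the parts that need no database, on constructed input.
if (PHP_SAPI === 'cli') {
    $payload = '<script>alert(1)</script>';           // constructed XSS probe
    echo greet_vulnerable($payload), "\n";            // script tag survives
    echo greet_hardened($payload), "\n";              // &lt;script&gt; ... encoded
    $_SESSION = array('admin' => true);
    $good = csrf_token();
    var_dump(csrf_valid($good));                      // bool(true)
    var_dump(csrf_valid(str_repeat('0', 64)));        // bool(false)
}
```

The CSRF check deliberately combines three conditions: a POST method (so a plain link or image tag cannot trigger it), an authenticated session, and a token bound to that session. The token alone is what defeats the attack the advisory describes, since the attacker's page can make the victim's browser send the cookie but cannot read the token out of the victim's session.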

Proof of Concept
Disclosure Timeline
10.10.2013 - Vulnerabilities discovered.
11.10.2013 - Contact with the vendor.
16.10.2013 - Vendor replies asking for more details.
17.10.2013 - Sent detailed info to the vendor.
17.10.2013 - Vendor promises patch development.
01.11.2013 - Vendor releases version 13.911 to address these issues.
03.11.2013 - Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
03.11.2013 - Initial release
04.11.2013 - Added references [4] and [5]
05.11.2013 - Added references [6], [7], [8], [9] and [10]
15.11.2013 - Added references [11], [12] and [13]