
couponPHP CMS 1.0 Multiple Stored XSS and SQL Injection Vulnerabilities

Medium
Advisory ID
ZSL-2014-5170
Release Date
28 February 2014
Vendor
Affected Version
1.0
Tested On
Apache/2.2.14(Ubuntu), PHP/5.3.2-1ubuntu4.14
Summary

couponPHP is a revolutionary content management system for running Coupon and Deal websites. It is feature rich, powerful, beautifully designed and fully automatic.

Description

couponPHP is vulnerable to multiple Stored XSS and SQL Injection issues. Input passed via the parameters 'iDisplayLength' and 'iDisplayStart' in the 'comments_paginate.php' and 'stores_paginate.php' scripts is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The parameter 'sEcho' in 'comments_paginate.php' and 'stores_paginate.php', and the parameters 'affiliate_url', 'description', 'domain', 'seo[description]', 'seo[heading]', 'seo[title]', 'seo[keywords]', 'setting[logo]', 'setting[perpage]' and 'setting[sitename]' in the '/admin/index.php' script, are vulnerable to stored XSS issues, where an attacker can execute arbitrary HTML and script code in a user's browser session in the context of the affected site.
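To make the two defects concrete, the following is an added example, not couponPHP's own code: a reconstruction of the DataTables-style pagination pattern the advisory describes, beside a hardened form that validates and binds 'iDisplayStart' and 'iDisplayLength' and returns 'sEcho' only as an integer. The table and column names, the PDO DSN and the function names are assumptions.

```php
<?php
// Added example (not couponPHP's code): illustrative reconstruction of the
// pagination pattern from the advisory. Table/column names and DSN are assumed.

// --- Vulnerable pattern: pagination parameters concatenated into SQL,
// --- and sEcho echoed back unchanged in the response.
function paginate_vulnerable(PDO $db, array $get): array
{
    $start  = $get['iDisplayStart'];
    $length = $get['iDisplayLength'];
    // Attacker-controlled strings land directly inside the LIMIT clause.
    $rows = $db->query("SELECT id, body FROM comments LIMIT $start, $length")
               ->fetchAll(PDO::FETCH_ASSOC);
    // sEcho is returned verbatim, so any markup in it reaches the client DOM.
    return ['sEcho' => $get['sEcho'], 'aaData' => $rows];
}

// --- Hardened form: coerce pagination values to bounded integers, bind them
// --- as integers, and return sEcho as an integer (DataTables expects a number).
function paginate_hardened(PDO $db, array $get): array
{
    $start  = filter_var($get['iDisplayStart'] ?? 0, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 0, 'default' => 0]]);
    $length = filter_var($get['iDisplayLength'] ?? 10, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 100, 'default' => 10]]);

    // LIMIT operands must be bound as PDO::PARAM_INT; quoted strings are rejected by MySQL.
    $stmt = $db->prepare('SELECT id, body FROM comments LIMIT :start, :length');
    $stmt->bindValue(':start',  $start,  PDO::PARAM_INT);
    $stmt->bindValue(':length', $length, PDO::PARAM_INT);
    $stmt->execute();
    $rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

    // Encode stored comment bodies on output so earlier stored markup cannot execute.
    foreach ($rows as &$row) {
        $row['body'] = htmlspecialchars($row['body'], ENT_QUOTES | ENT_HTML5, 'UTF-8');
    }
    unset($row); // break the reference left by foreach-by-reference

    return ['sEcho' => (int) ($get['sEcho'] ?? 0), 'aaData' => $rows];
}

// Declaring the response as JSON also stops browsers rendering it as HTML.
header('Content-Type: application/json; charset=utf-8');
$db = new PDO('mysql:host=localhost;dbname=couponphp', 'user', 'pass'); // assumed DSN
echo json_encode(paginate_hardened($db, $_GET));
```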

Proof of Concept
Disclosure Timeline
01.02.2014 Vulnerabilities discovered.
02.02.2014 Vendor contacted.
03.02.2014 Vendor responds asking for more details.
03.02.2014 Sent detailed information to the vendor.
04.02.2014 Vendor confirms issues, developing patch.
08.02.2014 Asked vendor for status update.
10.02.2014 Vendor implemented fixes, testing in progress.
13.02.2014 Vendor working on additional issues.
18.02.2014 Asked vendor for status update.
27.02.2014 No reply from the vendor.
28.02.2014 Public security advisory released.
02.03.2014 Vendor releases version 1.2.0 to address these issues.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
28.02.2014 Initial release
01.03.2014 Added references [1] and [2]
03.03.2014 Added reference [3]
04.03.2014 Added vendor status and references [4], [5], [6], [7], [8], [9], [10] and [11]
26.01.2015 Added references [12], [13], [14], [15], [16] and [17]