Australia's Leading Computer Emergency Response Team

Content Management Systems under the Microscope
Date: 21 February 2008
Original URL: http://www.auscert.org.au/render.html?cid=7066&it=8857

Greetings,

This week saw an explosion in SQL injection vulnerabilities in
addons for Content Management Systems (CMS). What appears to have
been a new fuzzer [1] was run against some of the more popular CMS
solutions and their addons. Specifically, we saw vulnerabilities
disclosed in Joomla, Mambo, WordPress, PHP-Nuke and XOOPS, to name
a few.

The current list of vulnerable third-party modules for Joomla includes:

MGFi XfaQ 1.2 McQuiz Portfolio 1.0 Quiz Quran astatsPRO com_activities
com_asortyment com_clasifier com_cms com_detail com_downloads
com_emcomposer com_facileforms com_filebase com_foevpartners
com_formtool com_galeria com_genealogy com_geoboerse com_hwdvideoshare
com_idvnews com_iigcatalog com_joomlavvz com_lexikon com_listoffreeads
com_magazine com_most com_mygallery com_paxxgallery 0.2 com_pccookbook
com_profile com_referenzen com_ricette com_salesrep com_scheduling
com_sg com_smslist com_team faq jooget mediaslide

Administrators running any CMS applications should check for updates
for any installed third-party addons or components, and remove any
third-party addons or components not in use.
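
One way to carry out that check on a Joomla site, as an added example that is not part of the original bulletin: the function below inventories installed components and marks those named in the list above. It assumes the Joomla 1.x layout (`components/` and `administrator/components/` under the site root), the name `audit_components` is hypothetical, and only the `com_*` entries are matched because the bulletin gives no directory names for the others.

```shell
#!/bin/sh
# Added example: inventory Joomla components against the bulletin's list.
# Assumption: components live in <root>/components/<name> and
# <root>/administrator/components/<name> (Joomla 1.x layout).

# com_* names copied from the bulletin; version numbers dropped.
LISTED="com_activities com_asortyment com_clasifier com_cms com_detail
com_downloads com_emcomposer com_facileforms com_filebase com_foevpartners
com_formtool com_galeria com_genealogy com_geoboerse com_hwdvideoshare
com_idvnews com_iigcatalog com_joomlavvz com_lexikon com_listoffreeads
com_magazine com_most com_mygallery com_paxxgallery com_pccookbook
com_profile com_referenzen com_ricette com_salesrep com_scheduling
com_sg com_smslist com_team"

# audit_components ROOT
# Prints one line per installed component directory:
#   LISTED <name> <path>   name appears in the bulletin: update or remove
#   OTHER  <name> <path>   not in the bulletin: still confirm it is in use
# Returns 0 if no listed component is installed, 1 if any is, 2 on a bad root.
audit_components() {
    root=$1
    hits=0
    if [ ! -d "$root/components" ]; then
        echo "not a Joomla root: $root" >&2
        return 2
    fi
    for dir in "$root"/components/com_* "$root"/administrator/components/com_*; do
        [ -d "$dir" ] || continue    # skips unmatched globs and plain files
        name=$(basename "$dir")
        status=OTHER
        for listed in $LISTED; do
            if [ "$name" = "$listed" ]; then
                status=LISTED
                hits=1
                break
            fi
        done
        echo "$status $name $dir"
    done
    [ "$hits" -eq 0 ]
}

# Run directly as: sh audit.sh /path/to/joomla
[ $# -eq 0 ] || audit_components "$1"
```

The `OTHER` lines matter as much as the `LISTED` ones: they are the inventory to review for addons that are installed but no longer in use.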

Have a great weekend everyone!

Regards,
Damien

References:
-----------
1. Fuzz Testing
http://en.wikipedia.org/wiki/Fuzz_testing

"Fuzz testing or fuzzing is a software testing technique that
provides random data ("fuzz") to the inputs of a program. If the
program fails (for example, by crashing, or by failing built-in
code assertions), the defects can be noted."