[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

b2evolution 4.1.6 SQL Injection Vulnerability

Author
High-Tech Bridge
Risk
[
Security Risk High
]
0day-ID
0day-ID-20723
Category
web applications
Date add
02-05-2013
CVE
CVE-2013-2945
Platform
php
Product: b2evolution
Vendor: b2evolution Group
Vulnerable Version(s): 4.1.6 and probably prior
Tested Version: 4.1.6
Vendor Notification: April 10, 2013 
Vendor Patch: April 29, 2013 
Public Disclosure: May 1, 2013 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-2945
Risk Level: Medium 
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in b2evolution, which can be exploited to alter SQL requests passed to the vulnerable application's database.


1) SQL Injection in b2evolution: CVE-2013-2945

The vulnerability exists due to insufficient validation of HTTP GET parameter "show_statuses" in "/blogs/admin.php" script. A remote authenticated administrator can execute arbitrary SQL commands in application's database.

Depending on database and system configuration, PoC code below will create a "/tmp/file.txt" file, containing MySQL version:

http://[host]/blogs/admin.php?submit=Search&ctrl=items&tab=full&blog=1&show_statuses[]=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' -- 


This vulnerability is also exploitable via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit malicious web page with CSRF exploit.

Basic CSRF exploit:

<img src="http://[host]/blogs/admin.php?submit=Search&ctrl=items&tab=full&blog=1&show_statuses[]=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' --"> 


-----------------------------------------------------------------------------------------------

Solution:

Upgrade to b2evolution 4.1.7

More Information:
http://b2evolution.net/news/2013/04/29/b2evolution-4-1-7-and-5-0-3

-----------------------------------------------------------------------------------------------

#  0day.today [2024-12-25]  #