0day.today - Biggest Exploit Database in the World.
![](/img/logo_green.jpg)
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earnGOLD
Administration of this site uses the official contacts. Beware of impostors!
![We DO NOT use Telegram or any messengers / social networks!](/img/no_telegram_big.png)
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
XenAPI 1.4.1 for XenForo - Multiple SQL Injections
1. ADVISORY INFORMATION ======================= Product: XenAPI for XenForo Vendor URL: github.com/Contex/XenAPI Type: SQL Injection [CWE-89] Date found: 2016-05-20 Date published: 2016-05-23 CVSSv3 Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) CVE: - 2. CREDITS ========== This vulnerability was discovered and researched by Julien Ahrens from RCE Security. 3. VERSIONS AFFECTED ==================== XenAPI for XenForo v1.4.1 older versions may be affected too but were not tested. 4. INTRODUCTION =============== This Open Source REST API allows usage of several of XenForo's functions, such as authentication, user information and many other functions! (from the vendor's homepage) 5. VULNERABILITY DETAILS ======================== The plugin "XenAPI" for XenForo offers a REST Api with different functions to query and edit information from the XenForo database backend. Amongst those are "getGroup" and "getUsers", which can be called without authentication (default) and since the application does not properly validate and sanitize the "value" parameter, it is possible to inject arbitrary SQL commands into the XenForo backend database. The following proof-of-concepts exploit each vulnerable REST action and extract the hostname of the server: https://127.0.0.1/api.php?action=getUsers&value=' UNION ALL SELECT CONCAT(IFNULL(CAST(%40%40HOSTNAME AS CHAR)%2C0x20))%2CNULL%23 https://127.0.0.1/api.php?action=getGroup&value=' UNION ALL SELECT NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT(IFNULL(CAST(%40%40HOSTNAME AS CHAR)%2C0x20))%2CNULL%23 6. RISK ======= The vulnerability allows remote attackers to read sensitive information from the XenForo database like usernames and passwords. Since the affected REST actions do not require an authentication hash, these vulnerabilities can be exploited by an unauthenticated attacker. 7. SOLUTION =========== Update to the latest version v1.4.2 8. REPORT TIMELINE ================== 2016-05-20: Discovery of the vulnerability 2016-05-20: Notified vendor via contact address 2016-05-20: Vendor provides update for both issues 2016-05-21: Provided update fixes the reported issues 2016-05-21: Vendor publishes update 2016-05-23: Advisory released 9. REFERENCES ============= https://github.com/Contex/XenAPI/commit/00a737a1fe45ffe5c5bc6bace44631ddb73f2ecf https://xenforo.com/community/resources/xenapi-xenforo-php-rest-api.902/update?update=19336 # 0day.today [2024-07-02] #