XenAPI 1.4.1 for XenForo – Multiple SQL Injections

• Exploit Database
• 22 阅读

• 作者： Julien Ahrens
  日期： 2016-05-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/39849/

• [RCESEC-2016-002] XenAPI v1.4.1 for XenForo Multiple Unauthenticated SQL Injections
  
  RCE Security Advisory
  https://www.rcesecurity.com
  
  
  1. ADVISORY INFORMATION
  =======================
  Product:XenAPI for XenForo
  Vendor URL: github.com/Contex/XenAPI
  Type: SQL Injection [CWE-89]
  Date found: 2016-05-20
  Date published: 2016-05-23
  CVSSv3 Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
  CVE:-
  
  
  2. CREDITS
  ==========
  This vulnerability was discovered and researched by Julien Ahrens from
  RCE Security.
  
  
  3. VERSIONS AFFECTED
  ====================
  XenAPI for XenForo v1.4.1
  older versions may be affected too but were not tested.
  
  
  4. INTRODUCTION
  ===============
  This Open Source REST API allows usage of several of XenForo's functions, 
  such as authentication, user information and many other functions!
  
  (from the vendor's homepage)
  
  
  5. VULNERABILITY DETAILS
  ========================
  The plugin "XenAPI" for XenForo offers a REST Api with different functions
  to query and edit information from the XenForo database backend. Amongst 
  those are "getGroup" and "getUsers", which can be called without 
  authentication (default) and since the application does not properly 
  validate and sanitize the "value" parameter, it is possible to inject 
  arbitrary SQL commands into the XenForo backend database.
  
  The following proof-of-concepts exploit each vulnerable REST action
  and extract the hostname of the server:
  
  https://127.0.0.1/api.php?action=getUsers&value=' UNION ALL SELECT
  CONCAT(IFNULL(CAST(%40%40HOSTNAME AS CHAR)%2C0x20))%2CNULL%23
  
  https://127.0.0.1/api.php?action=getGroup&value=' UNION ALL SELECT
  NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT(IFNULL(CAST(%40%40HOSTNAME AS
  CHAR)%2C0x20))%2CNULL%23
  
  
  6. RISK
  =======
  The vulnerability allows remote attackers to read sensitive information 
  from the XenForo database like usernames and passwords. Since the affected 
  REST actions do not require an authentication hash, these vulnerabilities 
  can be exploited by an unauthenticated attacker.
  
  
  7. SOLUTION
  ===========
  Update to the latest version v1.4.2
  
  
  8. REPORT TIMELINE
  ==================
  2016-05-20: Discovery of the vulnerability
  2016-05-20: Notified vendor via contact address
  2016-05-20: Vendor provides update for both issues
  2016-05-21: Provided update fixes the reported issues
  2016-05-21: Vendor publishes update
  2016-05-23: Advisory released
  
  
  9. REFERENCES
  =============
  https://github.com/Contex/XenAPI/commit/00a737a1fe45ffe5c5bc6bace44631ddb73f2ecf
  https://xenforo.com/community/resources/xenapi-xenforo-php-rest-api.902/update?update=19336