Advisory 02 php agenda iSQL exploit

Mehdi Nedjar

il y a 11 ans

=========
WEBERA ALERT ADVISORY 02

– Discovered by: Anthony Dubuissez
– Severity: high
– CVE Request – 05/06/2013
– CVE Assign – 06/06/2013
– CVE Number – CVE-2013-3961
– Vendor notification – 06/06/2013
– Vendor reply – 10/06/2013
– Public disclosure – 11/06/2013
=========

I. VULNERABILITY —————————

iSQL in php-agenda <= 2.2.8

II. BACKGROUND —————————

Simple Php Agenda is « a simple agenda tool written in PHP with MySQL backend. An agenda tool accessible everywere there’s internet ».

III. DESCRIPTION —————————

Php-Agenda 2.2.8 and lower versions contain a flaw that allows an authenticated user iSQL attack. This flaw exists because the application does not properly sanitize parameters (only rely on mysql_real_escape_string() funcion ) in the edit_event.php file. This allows an attacker to create a specially crafted URL to dump multiple informations of the databases content.

A valid account is required.

IV. PROOF OF CONCEPT —————————

dumping login and password of the first admin
iSQL: http://vulnerablesite.com/edit_event.php?eventid=1%20union%20select%201,2,3,username,password,6,7,8,9%20from%20users%20where%20userlevel=9%20limit%200,1

V. BUSINESS IMPACT —————————

iSQL: We can get sensitive information with the vulnerabilities that can escalate to a complete administrator account.

VI. SYSTEMS AFFECTED —————————

Php-Agenda 2.2.8 and lower versions

VII. SOLUTION —————————

sanitize correctly the GET/POST parameter. (don’t rely on the mysql_real_escape_string() functions only…)

VIII. REFERENCES —————————

http://webera.fr/advisory-02-php-agenda-isql-exploit/

IX. CREDITS —————————

the vulnerability has been discovered by Anthony Dubuissez (anthony (dot) dubuissez (at) webera (dot) fr).

X. DISCLOSURE TIMELINE —————————

June 05, 2013: Vulnerability acquired by Webera
June 06, 2013: Sent to vendor.
June 10, 2013: Reply of vendor, vendor release bugfix in version 2.2.9
June 11, 2013: Advisory published and sent to lists.

XI. LEGAL NOTICES —————————

The information contained within this advisory is supplied « as-is » with no warranties or guarantees of fitness of use or otherwise.Webera accepts no responsibility for any damage caused by the use or misuse of this information.

XII. FOLLOW US —————————

You can follow Webera, news and security advisories at:

On twitter : @erathemass