Vulners
Lucene search
Simple PHP Agenda 2.2.8 - 'edit_event.php?eventid' SQL Injection
| Reporter | Title | Published | Views | Family All 7 |
|---|---|---|---|---|
 | CVE-2013-3961 | 11 Mar 201415:00 | – | cve |
 | CVE-2013-3961 | 11 Mar 201415:00 | – | cvelist |
 | EUVD-2013-3893 | 7 Oct 202500:30 | – | euvd |
 | Simple PHP Agenda 2.2.8 - edit_event.php?eventid SQL Injection | 11 Jun 201300:00 | – | exploitpack |
 | CVE-2013-3961 | 11 Mar 201419:37 | – | nvd |
 | Simple PHP Agenda 2.2.8 SQL Injection | 11 Jun 201300:00 | – | packetstorm |
 | Sql injection | 11 Mar 201419:37 | – | prion |
=============================================
WEBERA ALERT ADVISORY 02
- Discovered by: Anthony Dubuissez
- Severity: high
- CVE Request – 05/06/2013
- CVE Assign – 06/06/2013
- CVE Number – CVE-2013-3961
- Vendor notification – 06/06/2013
- Vendor reply – 10/06/2013
- Public disclosure – 11/06/2013
=============================================
I. VULNERABILITY ————————-
iSQL in php-agenda <= 2.2.8
II. BACKGROUND ————————-
Simple Php Agenda is « a simple agenda tool written in PHP with MySQL backend. An agenda tool accessible everywere
there’s internet ».
III. DESCRIPTION ————————-
Php-Agenda 2.2.8 and lower versions contain a flaw that allows an authenticated user iSQL attack. This flaw exists
because the application does not properly sanitize parameters (only rely on mysql_real_escape_string() funcion ) in the
edit_event.php file. This allows an attacker to create a specially crafted URL to dump multiple informations of the
databases content.
A valid account is required.
IV. PROOF OF CONCEPT ————————-
dumping login and password of the first admin
iSQL:
http://server/edit_event.php?eventid=1%20union%20select%201,2,3,username,password,6,7,8,9%20from%20users%20where%20userlevel=9%20limit%200,1
V. BUSINESS IMPACT ————————-
iSQL: We can get sensitive information with the vulnerabilities that can escalate to a complete administrator account.
VI. SYSTEMS AFFECTED ————————-
Php-Agenda 2.2.8 and lower versions
VII. SOLUTION ————————-
sanitize correctly the GET/POST parameter. (don’t rely on the mysql_real_escape_string() functions only…)
VIII. REFERENCES ————————-
http://www.webera.fr/advisory-02-php-agenda-isql-exploit/
IX. CREDITS ————————-
the vulnerability has been discovered by Anthony Dubuissez (anthony (dot) dubuissez (at) webera (dot) fr).
X. DISCLOSURE TIMELINE ————————-
June 05, 2013: Vulnerability acquired by Webera
June 06, 2013: Sent to vendor.
June 10, 2013: Reply of vendor, vendor release bugfix in version 2.2.9
June 11, 2013: Advisory published and sent to lists.
XI. LEGAL NOTICES ————————-
The information contained within this advisory is supplied « as-is » with no warranties or guarantees of fitness of use
or otherwise.Webera accepts no responsibility for any damage caused by the use or misuse of this information.
XII. FOLLOW US ————————-
You can follow Webera, news and security advisories at:
On twitter : @erathemassData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Jun 2013 00:00Current
6.7Medium risk
Vulners AI Score6.7
CVSS 26.5
EPSS0.01853