Lucene search
Anthony DubuissezPACKETSTORM:121978HistoryJun 11, 2013 - 12:00 a.m.
Simple PHP Agenda 2.2.8 SQL Injection
2013-06-1100:00:00
Anthony Dubuissez
packetstormsecurity.com
19
EPSS
0.004
Percentile
74.3%
`=============================================
WEBERA ALERT ADVISORY 02
- Discovered by: Anthony Dubuissez
- Severity: high
- CVE Request β 05/06/2013
- CVE Assign β 06/06/2013
- CVE Number β CVE-2013-3961
- Vendor notification β 06/06/2013
- Vendor reply β 10/06/2013
- Public disclosure β 11/06/2013
=============================================
I. VULNERABILITY ββββββββ-
iSQL in php-agenda <= 2.2.8
II. BACKGROUND ββββββββ-
Simple Php Agenda is Β« a simple agenda tool written in PHP with MySQL backend. An agenda tool accessible everywere
thereβs internet Β».
III. DESCRIPTION ββββββββ-
Php-Agenda 2.2.8 and lower versions contain a flaw that allows an authenticated user iSQL attack. This flaw exists
because the application does not properly sanitize parameters (only rely on mysql_real_escape_string() funcion ) in the
edit_event.php file. This allows an attacker to create a specially crafted URL to dump multiple informations of the
databases content.
A valid account is required.
IV. PROOF OF CONCEPT ββββββββ-
dumping login and password of the first admin
iSQL:
http://server/edit_event.php?eventid=1%20union%20select%201,2,3,username,password,6,7,8,9%20from%20users%20where%20userlevel=9%20limit%200,1
V. BUSINESS IMPACT ββββββββ-
iSQL: We can get sensitive information with the vulnerabilities that can escalate to a complete administrator account.
VI. SYSTEMS AFFECTED ββββββββ-
Php-Agenda 2.2.8 and lower versions
VII. SOLUTION ββββββββ-
sanitize correctly the GET/POST parameter. (donβt rely on the mysql_real_escape_string() functions onlyβ¦)
VIII. REFERENCES ββββββββ-
http://www.webera.fr/advisory-02-php-agenda-isql-exploit/
IX. CREDITS ββββββββ-
the vulnerability has been discovered by Anthony Dubuissez (anthony (dot) dubuissez (at) webera (dot) fr).
X. DISCLOSURE TIMELINE ββββββββ-
June 05, 2013: Vulnerability acquired by Webera
June 06, 2013: Sent to vendor.
June 10, 2013: Reply of vendor, vendor release bugfix in version 2.2.9
June 11, 2013: Advisory published and sent to lists.
XI. LEGAL NOTICES ββββββββ-
The information contained within this advisory is supplied Β« as-is Β» with no warranties or guarantees of fitness of use
or otherwise.Webera accepts no responsibility for any damage caused by the use or misuse of this information.
XII. FOLLOW US ββββββββ-
You can follow Webera, news and security advisories at:
On twitter : @erathemass
`
Related
exploitpack
exploitpack
Simple PHP Agenda 2.2.8 - edit_event.php?eventid SQL Injection
2013-06-11 00:00:00
exploitdb
exploitdb
Simple PHP Agenda 2.2.8 - 'edit_event.php?eventid' SQL Injection
2013-06-11 00:00:00
nvd
nvd
CVE-2013-3961
2014-03-11 19:37:02
cvelist
cvelist
CVE-2013-3961
2014-03-11 15:00:00
prion
prion
Sql injection
2014-03-11 19:37:00
cve
cve
CVE-2013-3961
2014-03-11 19:37:02