Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

XenAPI For XenForo 1.4.1 SQL Injection

🗓️ 24 May 2016 00:00:00Reported by Julien AhrensType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 219 Views

XenAPI For XenForo 1.4.1 SQL Injection allows remote attackers to read sensitive information from the XenForo database like usernames and passwords. Update to the latest version v1.4.2

Code
`RCE Security Advisory  
https://www.rcesecurity.com  
  
  
1. ADVISORY INFORMATION  
=======================  
Product: XenAPI for XenForo  
Vendor URL: github.com/Contex/XenAPI  
Type: SQL Injection [CWE-89]  
Date found: 2016-05-20  
Date published: 2016-05-23  
CVSSv3 Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)  
CVE: -  
  
  
2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.  
  
  
3. VERSIONS AFFECTED  
====================  
XenAPI for XenForo v1.4.1  
older versions may be affected too but were not tested.  
  
  
4. INTRODUCTION  
===============  
This Open Source REST API allows usage of several of XenForo's functions,  
such as authentication, user information and many other functions!  
  
(from the vendor's homepage)  
  
  
5. VULNERABILITY DETAILS  
========================  
The plugin "XenAPI" for XenForo offers a REST Api with different functions  
to query and edit information from the XenForo database backend. Amongst  
those are "getGroup" and "getUsers", which can be called without  
authentication (default) and since the application does not properly  
validate and sanitize the "value" parameter, it is possible to inject  
arbitrary SQL commands into the XenForo backend database.  
  
The following proof-of-concepts exploit each vulnerable REST action  
and extract the hostname of the server:  
  
https://127.0.0.1/api.php?action=getUsers&value=' UNION ALL SELECT  
CONCAT(IFNULL(CAST(%40%40HOSTNAME AS CHAR)%2C0x20))%2CNULL%23  
  
https://127.0.0.1/api.php?action=getGroup&value=' UNION ALL SELECT  
NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT(IFNULL(CAST(%40%40HOSTNAME AS  
CHAR)%2C0x20))%2CNULL%23  
  
  
6. RISK  
=======  
The vulnerability allows remote attackers to read sensitive information  
from the XenForo database like usernames and passwords. Since the affected  
REST actions do not require an authentication hash, these vulnerabilities  
can be exploited by an unauthenticated attacker.  
  
  
7. SOLUTION  
===========  
Update to the latest version v1.4.2  
  
  
8. REPORT TIMELINE  
==================  
2016-05-20: Discovery of the vulnerability  
2016-05-20: Notified vendor via contact address  
2016-05-20: Vendor provides update for both issues  
2016-05-21: Provided update fixes the reported issues  
2016-05-21: Vendor publishes update  
2016-05-23: Advisory released  
  
  
9. REFERENCES  
=============  
https://github.com/Contex/XenAPI/commit/00a737a1fe45ffe5c5bc6bace44631ddb73f2ecf  
https://xenforo.com/community/resources/xenapi-xenforo-php-rest-api.902/update?update=19336  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
24 May 2016 00:00Current
0.1Low risk
Vulners AI Score0.1
xenapixenforosql injectionremote attackerssensitive informationusernamespasswordsupdatecve-2016-7054rce securityrest api
219