ID: SECURITYVULNS:DOC:27908
Type: securityvulns
Reporter: Securityvulns
Modified: 2012-04-09T00:00:00
Description
'PHP Grade Book' Unauthenticated SQL Database Export (CVE-2012-1670)
Mark Stanislav - mark.stanislav@gmail.com
I. DESCRIPTION
A vulnerability exists in admin/index.php that allows for an
unauthenticated user to export the entire application database by
accessing the 'Database Backup' method without restriction. Due to the
way sessions are handled, an attacker can then simply pass the
username and password-hash via cookies to assume the administrative
role without ever knowing the clear-text version of the password.
II. TESTED VERSION
1.9.4
III. PoC EXPLOIT
http://localhost/phpGradeBook/admin/index.php?action=SaveSQL
IV. SOLUTION
Upgrade to 1.9.5 or above.
V. REFERENCES
http://sourceforge.net/projects/php-gradebook/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1670
VI. TIMELINE
02/29/2012 - Initial vendor disclosure
02/29/2012 - Vendor response and commitment to fix
03/01/2012 - Vendor patched and released an updated version
03/22/2012 - Public disclosure