Boolean-based SQL injection Vulnerability in K2 Platforms

Type securityvulns
Reporter Securityvulns
Modified 2015-10-26T00:00:00


Title: Boolean-based SQL injection Vulnerability in K2 Platforms. Author: Wissam Bashour - Help AG Middle East Vendor: K2 Product: SmartForms, BlackPearl, K2 for sharepoint Version: 4.6.7 Tested Version: Version 4.6.7 Severity: HIGH CVE Reference: CVE-2015-7299

About the Product: K2 smartforms can pull and push information from line-of-business systems — SharePoint, CRM, SAP and others — and they can be used in the cloud with applications like The built-in K2 SmartObject technology allows true reusability of SmartForms components across multiple SmartForms, in multiple applications.


This Boolean-based SQL injection vulnerability enables an anonymous attacker to read sensitive data from the database, and recover the content of a given file present on the DBMS file system.

Vulnerability Class:

SQL injection -

How to Reproduce: (POC):

Host the attached code in a webserver. Then go for the xml parameter that calls the AJAXCall.ashx in the smart object for the SharePoint. You can see that the parameter doesn’t sanitize SQL queries.


Discovered: September 20, 2015 Vendor Notification: September 22, 2015 Advisory Publication: October 13, 2015 Public Disclosure: October 15, 2015


Upgrade to 4.6.10 or later will fix this issue. The new version number is 4.6.10 (4.12060.1690.2) Release date: June, 2015  


Wissam Bashour Associate Security Analyst Help AG Middle East

Proof of Concept Code:


[1] help AG middle East [2] [3] [4] Common Vulnerabilities and Exposures (CVE) - - international in scope and free for public use, CVEВ® is a dictionary of publicly known information security vulnerabilities and exposures.