Vulners
Lucene search
b2evolution 4.1.6 SQL Injection Vulnerability
| Reporter | Title | Published | Views | Family All 14 |
|---|---|---|---|---|
 | CVE-2013-2945 | 7 May 201300:00 | – | circl |
 | CVE-2013-2945 | 2 Apr 201415:00 | – | cve |
 | CVE-2013-2945 | 2 Apr 201415:00 | – | cvelist |
 | b2evolution 4.1.6 - Multiple Vulnerabilities | 7 May 201300:00 | – | exploitdb |
 | EUVD-2013-2884 | 7 Oct 202500:30 | – | euvd |
 | b2evolution 4.1.6 - Multiple Vulnerabilities | 7 May 201300:00 | – | exploitpack |
 | SQL Injection in b2evolution | 10 Apr 201300:00 | – | htbridge |
 | CVE-2013-2945 | 2 Apr 201416:17 | – | nvd |
 | b2evolution 4.1.6 SQL Injection | 1 May 201300:00 | – | packetstorm |
 | Sql injection | 2 Apr 201416:17 | – | prion |
10
Product: b2evolution
Vendor: b2evolution Group
Vulnerable Version(s): 4.1.6 and probably prior
Tested Version: 4.1.6
Vendor Notification: April 10, 2013
Vendor Patch: April 29, 2013
Public Disclosure: May 1, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-2945
Risk Level: Medium
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in b2evolution, which can be exploited to alter SQL requests passed to the vulnerable application's database.
1) SQL Injection in b2evolution: CVE-2013-2945
The vulnerability exists due to insufficient validation of HTTP GET parameter "show_statuses" in "/blogs/admin.php" script. A remote authenticated administrator can execute arbitrary SQL commands in application's database.
Depending on database and system configuration, PoC code below will create a "/tmp/file.txt" file, containing MySQL version:
http://[host]/blogs/admin.php?submit=Search&ctrl=items&tab=full&blog=1&show_statuses[]=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' --
This vulnerability is also exploitable via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit malicious web page with CSRF exploit.
Basic CSRF exploit:
<img src="http://[host]/blogs/admin.php?submit=Search&ctrl=items&tab=full&blog=1&show_statuses[]=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' --">
-----------------------------------------------------------------------------------------------
Solution:
Upgrade to b2evolution 4.1.7
More Information:
http://b2evolution.net/news/2013/04/29/b2evolution-4-1-7-and-5-0-3
-----------------------------------------------------------------------------------------------
# 0day.today [2018-03-05] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
02 May 2013 00:00Current
0.3Low risk
Vulners AI Score0.3
EPSS0.00774