CatBot 0.4.2 SQL Injection Vulnerability

Document Title:
===============
CatBot v0.4.2 (PHP) - SQL Injection Vulnerability

Product & Service Introduction:
===============================
CatBot is a simple, HTML/PHP/MySQL based chatterbot that`s easy to set up and use. He comes equipped with a few commands, as well as a 
basic `learning` ability. With some moderate tweaking, he could make a very nice browser-based helpdesk assistant.

( Copy of the vendor Homepage: http://sourceforge.net/projects/catbot/ )

Technical Details & Description:
================================
A sql injection web vulnerability has been discovered in the official Lazarus Guestbook v1.22 content management system.
The vulnerability allows an attacker to inject sql commands by usage of a vulnerable value to compromise the application dbms.

The sql injection web vulnerability is located in the `lastcatbot` value of the `index.php` file. Remote attackers are 
able to inject own sql commands by usage of vulnerable `lastcatbot` value in the update and pending POST method request. 
A successful attack requires to manipulate a POST method request with vulnerable `lastcatbot` value. The injection is a 
classic order-by sql injection web vulnerability.

The security risk of the sql injection vulnerability is estimated as high with a cvss (common vulnerability scoring system) count of 7.3.
Exploitation of the application-side web vulnerability requires no privileged web-application user account and no user interaction.
Successful exploitation of the security vulnerability results in content management system compromise and database management system compromise.

Request Method(s):
        [+] POST

Vulnerable Module(s):
        [+] Index & Update

Vulnerable Files(s):
        [+] index.php

Vulnerable Parameter(s):
        [+] lastcatbot


Proof of Concept (PoC):
=======================
The sql injection vulnerability can be exploited by remote attackers without privileged application user account and user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.

Vulnerable File(s): /index.php

Vulnerable Source:
$result = mysql_query($query);
$query = "SELECT * FROM `pending` WHERE `trigger` =
'$lastcatbot' AND `reply` = '$usermessage';";
$lastcatbot = "Connect!";  // if(isset($_POST)) else ,
$lastcatbot = $_POST['lastcatbot'];  //
if(isset($_POST)),  - User input

Note: The request sends a POST method request with the vulnerable `lastcastbot` value were the attacker can inject the own sql commands!

... the regular update action is also vulnerable to the same issue.

Vulnerable Source:
$result = mysql_query($query);
$query = "UPDATE `pending` SET rnumber=rnumber+1 WHERE
`trigger` = '$lastcatbot';";
$lastcatbot = "Connect!";  // if(isset($_POST)) else ,
$lastcatbot = $_POST['lastcatbot'];  // if(isset($_POST)),

Note: A similar UPDATE call can be easily exploited by intercepting the request!


Solution - Fix & Patch:
=======================
The vulnerability can be patched by a secure aprse and encode of the vulnerable `lastcastbot` value.
Use a prepared statement or escape to filter malicious inputs.

#  0day.today [2018-02-16]  #