Balero CMS v0.7.2 Multiple Blind SQL Injection Vulnerabilities

2015-04-07T00:00:00
ID ZSL-2015-5238
Type zeroscience
Reporter Gjoko Krstic
Modified 2015-04-07T00:00:00

Description

Title: Balero CMS v0.7.2 Multiple Blind SQL Injection Vulnerabilities
Advisory ID: ZSL-2015-5238
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 07.04.2015

Summary

Balero CMS is an open source project that helps you manage your company's website in just a few guided steps, minimizing the costs that many companies incur to have their own advertising medium and/or portal.

Description

The application suffers from multiple blind SQL injection vulnerabilities: input passed to several POST parameters through their affected modules is not properly sanitised before being returned to the user or used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
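The root cause described above is request data concatenated into a SQL string. The following is an added illustration, not Balero CMS code: a hypothetical module lookup shown as the vulnerable pattern and then the hardened form (the table, column and parameter names are assumptions).

```php
<?php
// Added illustration, not Balero CMS code: hypothetical "posts" table and "id"
// POST parameter; the pattern is what matters, not the names.

// Vulnerable pattern: the request value is spliced straight into the SQL text,
// so it can change the query's structure. Nothing needs to be echoed back for
// this to matter; a blind injection leaks data through true/false or timing
// differences in the response alone.
function findPostVulnerable(mysqli $db, array $post): ?array
{
    $id  = $post['id'] ?? '';
    $sql = "SELECT id, title FROM posts WHERE id = '" . $id . "'";
    $result = $db->query($sql);
    return $result ? ($result->fetch_assoc() ?: null) : null;
}

// Hardened pattern: validate the shape of the value, then send query text and
// value separately with a prepared statement so the parameter is always a
// literal and never SQL. Escaping on output (htmlspecialchars) is a separate
// control and does not replace this.
function findPostSafe(mysqli $db, array $post): ?array
{
    $id = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;   // reject rather than "clean up" unexpected input
    }
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Defence in depth: surface driver errors as exceptions so malformed queries are
// logged and fail closed instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
```

The same rule applies to every POST parameter a module reads, not only numeric ids: string values get `bind_param('s', ...)`, and identifiers such as table or column names, which cannot be bound, must come from a fixed allow-list.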

Vendor

BaleroCMS Software - <http://www.balerocms.com>

Affected Version

0.7.2

Tested On

Apache 2.4.10 (Win32)
PHP 5.6.3
MySQL 5.6.21

Vendor Status

[04.03.2015] Vulnerabilities discovered.
[13.03.2015] Contact with the vendor.
[13.03.2015] Vendor responds asking more details.
[14.03.2015] Sent details to the vendor.
[15.03.2015] Vendor confirms issues, working on fix.
[15.03.2015] Vendor schedules patch release date.
[03.04.2015] Asked vendor for status update.
[03.04.2015] Vendor finishing core update, preparing patch.
[05.04.2015] Vendor releases version 0.8.3 to address these issues.
[07.04.2015] Coordinated public security advisory released.

PoC

balerocms_bsqli.txt

Credits

Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>

References

[1] <http://www.balerocms.com/blog/main/id-190>
[2] <http://www.balerocms.com/blog/main/id-193>
[3] <https://github.com/neblina-software/balerocms-src/releases>
[4] <http://packetstormsecurity.com/files/131323>
[5] <http://cxsecurity.com/issue/WLB-2015040045>
[6] <https://exchange.xforce.ibmcloud.com/vulnerabilities/102062>
[7] <http://www.exploit-db.com/exploits/36675/>
[8] <http://osvdb.org/show/osvdb/120389>
[9] <http://osvdb.org/show/osvdb/120390>
[10] <http://osvdb.org/show/osvdb/120391>
[11] <http://osvdb.org/show/osvdb/120392>

Changelog

[07.04.2015] - Initial release
[08.04.2015] - Added reference [4], [5], [6] and [7]
[09.04.2015] - Added reference [8], [9], [10] and [11]

Contact

Zero Science Lab

Web: <http://www.zeroscience.mk>
e-mail: lab@zeroscience.mk
