===============================
- Advisory -
===============================

Title: KBPublisher 6.0.2.1 - Multiple SQL Injection
Risk: High
Date: 21.Aug.2019
Author: Pedro Andujar
Twitter: @pandujar

.: [ INTRO ] :.

KBPublisher is Knowledge Management Software. It reduces the need for customer support, improves staff productivity, and eliminates time wasted searching for information.

.: [ TECHNICAL DESCRIPTION ] :.

KBPublisher release 6.0.2, and probably prior versions, contain multiple SQLi vulnerabilities that affect not only the admin interface but also the public (unauthenticated) area of the application.

.: [ ISSUE #1 ] :.

Name: Multiple SQLi
Severity: High
CVE: CVE-2019-10687

Affected URLs in the admin area:

https://SITE/admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325PAYLOAD&filter%5Bt%5D=1&ajax=1
(The same issue also affects the POST parameters.)

https://SITE/admin/index.php?module=log&page=login_log&action=detail&id=PAYLOAD

The publicly accessible URL corresponds to the print feature:

https://SITE/index.php?View=print&id%5B%5D=PAYLOAD

During the test, it was possible to dump the application's users and hashes, as well as any other content in the DB.

.: [ CHANGELOG ] :.

* 21/Mar/2019: - Vuln discovered during engagement.
* 21/Mar/2019: - KBP product security contacted.
* 22/Mar/2019: - Replied providing workaround.
* 30/Apr/2019: - New release of KBP released to public.
* 21/Aug/2019: - Public disclosure.

(Kudos to Evgeny Leontev, for the excellent communication and incident handling)

.: [ SOLUTIONS ] :.

Upgrade to version 7.0 or higher.

.: [ REFERENCES ] :.

[+] KBPublisher Release Notes
https://www.kbpublisher.com/kb/release-notes-59/

[+] Tarlogic
https://www.tarlogic.com/

[+] Black Arrow
https://www.blackarrow.net

-=EOF=-
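As an added, defender-side example that is not part of the advisory or of KBPublisher itself: a small Python script that scans web server access logs for requests to the three affected endpoints listed above whose id parameters carry anything other than a plain integer, which is the only value the application expects there. The log lines, timestamps and addresses are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in combined log format (not real traffic; addresses are made up).
SAMPLE_LOG = """\
10.0.0.5 - - [21/Aug/2019:10:00:01 +0000] "GET /index.php?View=print&id%5B%5D=325 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.7 - - [21/Aug/2019:10:00:02 +0000] "GET /index.php?View=print&id%5B%5D=325%27%20OR%201%3D1-- HTTP/1.1" 200 9876 "-" "curl/7.64"
10.0.0.9 - - [21/Aug/2019:10:00:03 +0000] "GET /admin/index.php?module=log&page=login_log&action=detail&id=42 HTTP/1.1" 200 700 "-" "Mozilla/5.0"
10.0.0.9 - - [21/Aug/2019:10:00:04 +0000] "GET /admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325%20UNION%20SELECT&filter%5Bt%5D=1&ajax=1 HTTP/1.1" 200 700 "-" "Mozilla/5.0"
10.0.0.11 - - [21/Aug/2019:10:00:05 +0000] "GET /admin/index.php?module=log&page=login_log&action=detail&id=1%20AND%20SLEEP(5) HTTP/1.1" 200 700 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# (path, query values that identify the endpoint, name of the injectable id parameter),
# taken from the three URLs in the advisory; parse_qs decodes "%5B%5D" back to "[]".
AFFECTED = [
    ("/admin/index.php", {"module": "report", "page": "report_entry"}, "entry_id"),
    ("/admin/index.php", {"module": "log", "page": "login_log", "action": "detail"}, "id"),
    ("/index.php", {"View": "print"}, "id"),
]

def suspicious_requests(log_text):
    """Return (ip, timestamp, param, value) for each request to an affected endpoint
    whose id parameter is anything other than a plain integer."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        params = parse_qs(url.query, keep_blank_values=True)
        for path, markers, prefix in AFFECTED:
            if url.path != path or any(params.get(k, [None])[0] != v for k, v in markers.items()):
                continue
            for key, values in params.items():
                # matches "id", "id[]", "entry_id[0]", ... (PHP array-style parameters)
                if key == prefix or key.startswith(prefix + "["):
                    hits.extend((m["ip"], m["ts"], key, v) for v in values if not v.strip().isdigit())
    return hits

if __name__ == "__main__":
    for ip, ts, key, value in suspicious_requests(SAMPLE_LOG):
        print(f"{ts} {ip} {key}={value!r}")
```

Only GET query strings appear in standard access logs, so the POST variant of the report_entry issue needs request-body logging or WAF inspection to be seen the same way.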