====================================================================== Secunia Research 31/10/2008 - Interact SQL Injection and Cross-Site Request Forgery - ====================================================================== Table of Contents Affected Software....................................................1 Severity.............................................................2 Vendor's Description of Software.....................................3 Description of Vulnerability.........................................4 Solution.............................................................5 Time Table...........................................................6 Credits..............................................................7 References...........................................................8 About Secunia........................................................9 Verification........................................................10 ====================================================================== 1) Affected Software * Interact 2.4.1 NOTE: Other versions may also be affected. ====================================================================== 2) Severity Rating: Moderately Critical Impact: SQL Injection Cross-Site Request Forgery Where: Remote ====================================================================== 3) Vendor's Description of Software "A platform for the delivery and support of online learning. It differs from many other elearning platforms in that its aim is to concentrate on the social/interactive aspects of teaching and learning rather than the delivery of content to students." Product Link: http://sourceforge.net/projects/cce-interact ====================================================================== 4) Description of Vulnerability Secunia Research has discovered two vulnerabilities in Interact, which can be exploited by malicious people to conduct cross-site request forgery and SQL injection attacks. 1) Input passed to the "email_user_key" parameter in spaces/emailuser.php is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation of this vulnerability allows e.g. retrieval of super administrator usernames and password hashes, but requires knowledge of the database table prefix. 2) The application allows users to perform certain actions via HTTP requests without performing any validity checks to verify the request. This can be exploited to e.g. add new super administrator users by enticing a logged-in super administrator to visit a malicious web page. ====================================================================== 5) Solution Apply the vendor's official patch for vulnerability #1: http://sourceforge.net/tracker/index.php?func=detail&aid=2208205& group_id=69681&atid=525406 Do not browse untrusted websites while logged in. ====================================================================== 6) Time Table 24/10/2008 - Vendor notified. 28/10/2008 - Vendor response. 30/10/2008 - The vendor publishes a patch for vulnerability #1 and states that he will wait with the CSRF fixes and won't fix the product's CSRF issues completely. 31/10/2008 - Public disclosure. ====================================================================== 7) Credits Discovered by Secunia Research. ====================================================================== 8) References The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2008-3867 (SQL injection) and CVE-2008-3868 (CSRF) for the vulnerabilities. ====================================================================== 9) About Secunia Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration: http://secunia.com/advisories/business_solutions/ Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security. http://secunia.com/advisories/ Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general: http://secunia.com/secunia_research/ Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions: http://secunia.com/corporate/jobs/ Secunia offers a FREE mailing list called Secunia Security Advisories: http://secunia.com/advisories/mailing_lists/ ====================================================================== 10) Verification Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2008-44/ Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/ ======================================================================