Simple PHP Agenda 2.2.8 SQL Injection

2013.06.12
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 6.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 8/10
Exploit range: Remote
Attack complexity: Low
Authentication: Single time
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

=============================================
WEBERA ALERT ADVISORY 02
- Discovered by: Anthony Dubuissez
- Severity: high
- CVE Request: 05/06/2013
- CVE Assign: 06/06/2013
- CVE Number: CVE-2013-3961
- Vendor notification: 06/06/2013
- Vendor reply: 10/06/2013
- Public disclosure: 11/06/2013
=============================================

I. VULNERABILITY
-------------------------
iSQL in php-agenda <= 2.2.8

II. BACKGROUND
-------------------------
Simple Php Agenda is "a simple agenda tool written in PHP with MySQL backend. An agenda tool accessible everywhere there's internet".

III. DESCRIPTION
-------------------------
Php-Agenda 2.2.8 and lower versions contain a flaw that allows an authenticated user to carry out an iSQL attack. This flaw exists because the application does not properly sanitize parameters (it relies only on the mysql_real_escape_string() function) in the edit_event.php file. This allows an attacker to create a specially crafted URL to dump multiple pieces of information from the database's content. A valid account is required.

IV. PROOF OF CONCEPT
-------------------------
Dumping the login and password of the first admin.

iSQL:
http://server/edit_event.php?eventid=1%20union%20select%201,2,3,username,password,6,7,8,9%20from%20users%20where%20userlevel=9%20limit%200,1

V. BUSINESS IMPACT
-------------------------
iSQL: We can get sensitive information with the vulnerabilities that can escalate to a complete administrator account.

VI. SYSTEMS AFFECTED
-------------------------
Php-Agenda 2.2.8 and lower versions

VII. SOLUTION
-------------------------
Sanitize the GET/POST parameter correctly (don't rely on the mysql_real_escape_string() function only).

VIII. REFERENCES
-------------------------
http://www.webera.fr/advisory-02-php-agenda-isql-exploit/

IX. CREDITS
-------------------------
The vulnerability has been discovered by Anthony Dubuissez (anthony (dot) dubuissez (at) webera (dot) fr).

X. DISCLOSURE TIMELINE
-------------------------
June 05, 2013: Vulnerability acquired by Webera
June 06, 2013: Sent to vendor.
June 10, 2013: Reply of vendor, vendor release bugfix in version 2.2.9
June 11, 2013: Advisory published and sent to lists.

XI. LEGAL NOTICES
-------------------------
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Webera accepts no responsibility for any damage caused by the use or misuse of this information.

XII. FOLLOW US
-------------------------
You can follow Webera, news and security advisories at:
On twitter : @erathemass

References:

http://www.webera.fr/advisory-02-php-agenda-isql-exploit/
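
Why escaping alone does not help here, as an added example that is not code from Php-Agenda or from the advisory: a Python/SQLite model in which a quote-only escaper stands in for mysql_real_escape_string(). It assumes the eventid value is interpolated into the query unquoted, which the quote-free proof of concept suggests; the table layout, column names other than username, password and userlevel, function names and sample rows are constructed.

```python
import sqlite3

# Eventid value from the advisory's proof of concept, URL-decoded.
POC = ("1 union select 1,2,3,username,password,6,7,8,9 "
       "from users where userlevel=9 limit 0,1")

def make_db():
    """Constructed in-memory data; only username, password and userlevel
    come from the advisory, every other name is hypothetical."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE events (id INTEGER, c2, c3, title, body, c6, c7, c8, c9);
        CREATE TABLE users (username, password, userlevel INTEGER);
        INSERT INTO events VALUES (42, 0, 0, 'Meeting', 'Room 4', 0, 0, 0, 0);
        INSERT INTO users VALUES ('admin', 'constructed-hash', 9);
    """)
    return db

def escape_only(value):
    # Stand-in for mysql_real_escape_string(): it neutralises quote
    # characters (SQLite style, by doubling) and nothing else.
    return value.replace("'", "''")

def fetch_event_vulnerable(db, eventid):
    # Assumed pattern: the escaped value lands in an unquoted numeric
    # context, so SQL keywords in it are parsed as part of the statement.
    return db.execute(
        "SELECT * FROM events WHERE id = " + escape_only(eventid)).fetchall()

def fetch_event_hardened(db, eventid):
    # Enforce the expected type first, then bind the value as a parameter
    # so it can never be parsed as SQL.
    if not (eventid.isascii() and eventid.isdigit()):
        raise ValueError("eventid must be a decimal integer")
    return db.execute(
        "SELECT * FROM events WHERE id = ?", (int(eventid),)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(fetch_event_vulnerable(db, POC))   # users row comes back
    print(fetch_event_hardened(db, "42"))    # the event row
    try:
        fetch_event_hardened(db, POC)
    except ValueError as exc:
        print("rejected:", exc)
```

The escaper returns the proof-of-concept value unchanged because it contains no quote characters, which is why type validation or parameter binding is needed for numeric parameters.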



Copyright 2024, cxsecurity.com

 
