KBPublisher 6.0.2.1 SQL Injection

2019.08.22
Credit: Pedro Andujar
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-89


CVSS Base Score: 7.5/10
Impact Subscore: 6.4/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: Partial
Availability impact: Partial

=============================== - Advisory - ===============================

Title: KBPublisher 6.0.2.1 - Multiple SQL Injection
Risk: High
Date: 21.Aug.2019
Author: Pedro Andujar
Twitter: @pandujar

.: [ INTRO ] :.

KBPublisher is Knowledge Management Software. It reduces the need for customer support, improves staff productivity, and eliminates time wasted searching for information.

.: [ TECHNICAL DESCRIPTION ] :.

KBPublisher release 6.0.2, and probably prior versions, contain multiple SQLi vulnerabilities that affect not only the admin interface but also the public (unauthenticated) area of the application.

.: [ ISSUE #1 ] :.

Name: Multiple SQLi
Severity: High
CVE: CVE-2019-10687

Affected URLs from the admin area:

https://SITE/admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325PAYLOAD&filter%5Bt%5D=1&ajax=1
(POST parameters are also affected)

https://SITE/admin/index.php?module=log&page=login_log&action=detail&id=PAYLOAD

The publicly accessible URL corresponds to the print feature:

https://SITE/index.php?View=print&id%5B%5D=PAYLOAD

During the test, it was possible to dump users and hashes of the application, as well as any other content from the DB.

.: [ CHANGELOG ] :.

* 21/Mar/2019: - Vuln discovered during engagement.
* 21/Mar/2019: - KBP product security contacted.
* 22/Mar/2019: - Replied providing workaround.
* 30/Apr/2019: - New release of KBP released to public.
* 21/Aug/2019: - Public disclosure.

(Kudos to Evgeny Leontev, for the excellent communication and incident handling)

.: [ SOLUTIONS ] :.

Upgrade to version 7.0 or higher.

.: [ REFERENCES ] :.

[+] KBPublisher Release Notes
https://www.kbpublisher.com/kb/release-notes-59/
[+] Tarlogic
https://www.tarlogic.com/
[+] Black Arrow
https://www.blackarrow.net

-=EOF=-
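All three affected endpoints take an identifier that should only ever be an integer (`entry_id[0]`, `id`, `id[]`), which gives a defender a simple detection rule while an instance is waiting to be upgraded: flag any request to those module/page combinations whose identifier parameter is not a plain integer. The script below is an added example written for this advisory, not code from KBPublisher or from the advisory author. It parses Common Log Format access-log lines (the sample lines and IP addresses are constructed), normalises PHP array-style parameter names such as `id[]` and `entry_id[0]` to their base name, and reports requests that hit the three affected endpoints with a non-integer identifier value.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Common Log Format: client, ident, user, [timestamp], "METHOD target PROTO", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Endpoints named in the advisory: (path, query values that select the page,
# name of the parameter that must be numeric). Parameter names are compared
# after stripping PHP array suffixes, so 'id[]' and 'entry_id[0]' match too.
AFFECTED = [
    ("/admin/index.php", {"module": "report", "page": "report_entry"}, "entry_id"),
    ("/admin/index.php", {"module": "log", "page": "login_log"}, "id"),
    ("/index.php", {"View": "print"}, "id"),
]

# Constructed sample log lines for demonstration (addresses from RFC 5737 ranges).
LOG_LINES = """\
203.0.113.5 - - [22/Aug/2019:10:01:02 +0000] "GET /index.php?View=print&id%5B%5D=42 HTTP/1.1" 200 5120
203.0.113.5 - - [22/Aug/2019:10:01:09 +0000] "GET /index.php?View=print&id%5B%5D=42%27 HTTP/1.1" 500 312
198.51.100.7 - - [22/Aug/2019:10:02:30 +0000] "GET /admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325%20xyz&filter%5Bt%5D=1&ajax=1 HTTP/1.1" 200 2048
198.51.100.7 - - [22/Aug/2019:10:03:00 +0000] "GET /admin/index.php?module=log&page=login_log&action=detail&id=17 HTTP/1.1" 200 900
192.0.2.9 - - [22/Aug/2019:10:04:00 +0000] "GET /index.php?View=article&id=7 HTTP/1.1" 200 4000
"""


def base_name(key):
    """Strip a trailing PHP array index: 'id[]' -> 'id', 'entry_id[0]' -> 'entry_id'."""
    return re.sub(r'\[[^\]]*\]$', '', key)


def is_integer(value):
    """True only for an optionally signed run of decimal digits."""
    return re.fullmatch(r'-?\d+', value.strip()) is not None


def check_request(target):
    """Return [(param_name, value), ...] for non-integer identifiers sent to an affected endpoint."""
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for path, selector, numeric_param in AFFECTED:
        if parts.path != path:
            continue
        # Every selector key must be present with the expected value.
        if any(params.get(k, [None])[0] != v for k, v in selector.items()):
            continue
        for key, values in params.items():
            if base_name(key) != numeric_param:
                continue
            findings.extend((key, v) for v in values if not is_integer(v))
    return findings


def scan_log(text):
    """Scan access-log text and return one alert dict per suspicious parameter value."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a CLF line; skip rather than fail the whole scan
        for key, value in check_request(m["target"]):
            alerts.append({
                "ip": m["ip"], "ts": m["ts"], "status": m["status"],
                "param": key, "value": value,
            })
    return alerts


if __name__ == "__main__":
    for a in scan_log(LOG_LINES):
        print(f'{a["ts"]} {a["ip"]} status={a["status"]} {a["param"]}={a["value"]!r}')
```

Running the script on the constructed lines reports two requests: the print URL with a quote appended to `id[]` and the admin report URL with a non-numeric `entry_id[0]`; the well-formed requests and the unrelated `View=article` request are ignored. The same integer check is also the right server-side fix for this class of bug: cast or validate the identifier before it reaches the query, or bind it as a parameter in a prepared statement.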


Copyright 2019, cxsecurity.com
