- Advisory -
Title: KBPublisher 18.104.22.168 - Multiple SQL Injection
Author: Pedro Andujar
.: [ INTRO ] :.
KBPublisher is Knowledge Management Software. It reduces the need for customer support, improves staff productivity, and eliminates
time wasted searching for information.
.: [ TECHNICAL DESCRIPTION ] :.
KBPublisher release 6.0.2, and probably prior versions, contain multiple SQLi vulnerabilities that affect not only the admin interface but also the public (unauthenticated)
area of the application.
.: [ ISSUE #1 ] :.
Name: Multiple SQLi
Affected URLs from the admin area:
https://SITE/admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325PAYLOAD&filter%5Bt%5D=1&ajax=1 (also affects POST parameters)
The publicly accessible URL corresponds to the print feature:
During the test, it was possible to dump the application's users and hashes, as well as any other content from the DB.
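For defenders reviewing web server logs, the following added example (not part of the original advisory or of KBPublisher) flags requests to the report_entry page whose entry_id[...] value is not a plain integer. It assumes legitimate values are numeric, as the 325 in the URL above suggests; the log lines are constructed samples, and POST bodies, which the advisory says are also affected, do not appear in access logs and need a check at the WAF or application layer.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: entry_id[...] carries a plain integer in legitimate traffic.
ENTRY_ID_KEY = re.compile(r"^entry_id(\[[^\]]*\])?$")
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format, documentation IP ranges).
SAMPLE_LOG = [
    '192.0.2.10 - - [21/Mar/2019:10:00:01 +0000] "GET /admin/index.php?module=report'
    '&page=report_entry&entry_id%5B0%5D=325&filter%5Bt%5D=1&ajax=1 HTTP/1.1" 200 512',
    '198.51.100.7 - - [21/Mar/2019:10:00:05 +0000] "GET /admin/index.php?module=report'
    '&page=report_entry&entry_id%5B0%5D=325PAYLOAD&filter%5Bt%5D=1&ajax=1 HTTP/1.1" 200 2048',
    '192.0.2.10 - - [21/Mar/2019:10:00:09 +0000] "GET /admin/index.php?module=home HTTP/1.1" 200 128',
]


def suspicious_entry_ids(url):
    """Return the non-integer entry_id values sent to the report_entry page."""
    # parse_qsl percent-decodes keys and values, so entry_id%5B0%5D becomes entry_id[0].
    params = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    lookup = dict(params)
    if lookup.get("module") != "report" or lookup.get("page") != "report_entry":
        return []
    return [value for key, value in params
            if ENTRY_ID_KEY.match(key) and not re.fullmatch(r"[0-9]+", value)]


def scan_access_log(lines):
    """Return (client, url, bad_values) for every flagged request line."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        bad = suspicious_entry_ids(match.group(1))
        if bad:
            hits.append((line.split()[0], match.group(1), bad))
    return hits


if __name__ == "__main__":
    for client, url, bad in scan_access_log(SAMPLE_LOG):
        print(f"{client} sent non-numeric entry_id {bad!r}: {url}")
```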
.: [ CHANGELOG ] :.
* 21/Mar/2019: - Vuln discovered during engagement.
* 21/Mar/2019: - KBP product security contacted.
* 22/Mar/2019: - Replied providing workaround.
* 30/Apr/2019: - New release of KBP released to public.
* 21/Aug/2019: - Public disclosure.
(Kudos to Evgeny Leontev, for the excellent communication and incident handling)
.: [ SOLUTIONS ] :.
Upgrade to version 7.0 or higher.
.: [ REFERENCES ] :.
[+] KBPublisher Release Notes
[+] Black Arrow