===============================
- Advisory -
===============================
Tittle: KBPublisher 6.0.2.1 - Multiple SQL Injection
Risk: High
Date: 21.Aug.2019
Author: Pedro Andujar
Twitter: @pandujar
.: [ INTRO ] :
KBPublisher is Knowledge Management Software. It reduces the need for customer support, improves staff productivity, and eliminates
time wasted searching for information.
.: [ TECHNICAL DESCRIPTION ] :.
KBPublisher release 6.0.2, and probably prior versions, contain multiple SQLi vulnerabilities that affect not only the admin interface but also the public (unauthenticated)
area of the application
.: [ ISSUE #1 ]:.
Name: Multiple SQLi
Severity: High
CVE: CVE-2019-10687
Affected URL's from the admin area:
https://SITE/admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325PAYLOAD&filter%5Bt%5D=1&ajax=1 (Also affecting to POST parameters)
https://SITE/admin/index.php?module=log&page=login_log&action=detail&id=PAYLOAD
The publicly accesible URL, correspond to the print feature:
https://SITE/index.php?View=print&id%5B%5D=PAYLOAD
During the test, it was possible to dump users and hashes of the application as any other content from the DB.
.: [ CHANGELOG ] :.
* 21/Mar/2019: - Vuln discovered during engagement.
* 21/Mar/2019: - KBP product security contacted.
* 22/Mar/2019: - Replied providing workarround.
* 30/Apr/2019: - New release of KBP released to public.
* 21/Ago/2019: - Public disclosure.
(Kudos to Evgeny Leontev, for the excelent communication and incident handling)
.: [ SOLUTIONS ] :.
Upgrade to version 7.0 or higher.
.: [ REFERENCES ] :.
[+] KBPublisher Release Notes
https://www.kbpublisher.com/kb/release-notes-59/
[+] Tarlogic
https://www.tarlogic.com/
[+] Black Arrow
https://www.blackarrow.net
-=EOF=-