bugtraq - articleFR CMS 3.0.5 - SQL injection vulnerability

lists.openwall.net		lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC
Open Source and information security mailing list archives

Hash Suite: Windows password security audit tool. GUI, reports in PDF.

[<prev] [next>] [day] [month] [year] [list]

Date: Tue, 3 Feb 2015 10:11:04 +0700
From: "Tien Tran Dinh" <tien.d.tran@...s.vn>
To: <bugtraq@...urityfocus.com>
Subject: articleFR CMS 3.0.5 - SQL injection vulnerability

#Vulnerability title: articleFR CMS 3.0.5 - SQL injection vulnerability
#Product: articleFR
#Vendor: http://freereprintables.com
#Affected version: version 3.0.5
#Download link: https://github.com/articlefr/articleFR
#Fixed version: N/A
#CVE ID: CVE-2015-1364
#Author: Tran Dinh Tien (tien.d.tran@...s.vn) & ITAS Team (www.itas.vn)


::PROOF OF CONCEPT::

+ REQUEST:
POST /articlefr/register/ HTTP/1.1
Host: target.org
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101
Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://target.org/articlefr/register/
Cookie: _ga=GA1.2.884814947.1419214773;
__unam=bd22dea-14a6fcadd31-42cba495-31; GEAR=local-5422433b500446ead50002d4;
PHPSESSID=8a9r8t1d5g9veogj6er9fvev63; _gat=1
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 103

username=[SQL INJECTION
HERE]&email=test2%40itas.vn&name=test&password=123123&submit=register


- Vulnerable file: articleFR/system/profile.functions.php
- Vulnerable parameter: username
- Query: SELECT id, username, name, password, email, website, blog, date,
isactive, activekey, membership FROM users WHERE username ='[Injection
HERE]'
- Vulnerable function: 
function getProfile($_username, $_connection) {
        $_q = "SELECT id, username, name, password, email, website, blog,
date, isactive, activekey, membership FROM users WHERE username = '" .
$_username . "'";
        $_result = single_resulti($_q, $_connection);

        $_retval['id'] = $_result['id'];
        $_retval['name'] = $_result['name'];
        $_retval['username'] = $_result['username'];
        $_retval['password'] = $_result['password'];
        $_retval['email'] = $_result['email'];
        $_retval['website'] = $_result['website'];
        $_retval['blog'] = $_result['blog'];
        $_retval['date'] = $_result['date'];
        $_retval['isactive'] = $_result['isactive'];
        $_retval['activekey'] = $_result['activekey'];
        $_retval['membership'] = $_result['membership'];

        return $_retval;
} 




::DISCLOSURE::
+ 12/09/2014: Contact to vendor - vendor did not reply
+ 12/11/2014: Contact to vendor - vendor did not reply
+ 12/22/2014: Contact to vendor - vendor replied
+ 12/23/2014: Send the detail vulnerability to vendor - vendor did not reply
+ 01/21/2015: Public information

::REFERENCE::
-
http://www.itas.vn/news/itas-team-found-out-a-sql-injection-vulnerability-in
-articlefr-cms-72.html
- https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1364

::DISCLAIMER::
THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF
ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY
IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE
OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS
A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION
OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS,
AND AT THE USER'S OWN RISK.

-------------------
Sincerely,

Tien Tran Dinh (tien.d.tran@...s.vn)