lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 13 Oct 2015 12:02:29 GMT
From: wissam.bashour@...pag.com
To: bugtraq@...urityfocus.com
Subject: Boolean-based SQL injection Vulnerability in K2 Platforms

Title: Boolean-based SQL injection Vulnerability in K2 Platforms.
Author: Wissam Bashour - Help AG Middle East
Vendor: K2
Product: SmartForms, BlackPearl, K2 for sharepoint 
Version: 4.6.7
Tested Version: Version 4.6.7
Severity: HIGH
CVE Reference: CVE-2015-7299

# About the Product: K2 smartforms can pull and push information from line-of-business systems — SharePoint, CRM, SAP and others — and they can be used in the cloud with applications like Salesforce.com. The built-in K2 SmartObject technology allows true reusability of SmartForms components across multiple SmartForms, in multiple applications.


# Description: 
This Boolean-based SQL injection vulnerability enables an anonymous attacker to read sensitive data from the database, and recover the content of a given file present on the DBMS file system.
 
# Vulnerability Class: 
SQL injection - https://www.owasp.org/index.php/SQL_Injection)

# How to Reproduce: (POC):
Host the attached code in a webserver. Then go for the xml parameter that calls the AJAXCall.ashx in the smart object for the SharePoint.
You can see that the parameter doesn’t sanitize SQL queries. 

# Disclosure: 
Discovered: September 20, 2015
Vendor Notification: September 22, 2015
Advisory Publication: October 13, 2015
Public Disclosure: October 15, 2015

# Solution: 
Upgrade to 4.6.10 or later will fix this issue.
The new version number is 4.6.10 (4.12060.1690.2)
Release date: June, 2015 
&#8195;

# credits: 
Wissam Bashour
Associate Security Analyst
Help AG Middle East

# Proof of Concept Code:
https://raw.githubusercontent.com/Siros96/Boolean-SQL-injection/master/PoC

#References:
[1] help AG middle East http://www.helpag.com/.
[2] http://www.k2.com/
[3] https://www.owasp.org/index.php/SQL_Injection
[4] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.

Powered by blists - more mailing lists