lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 11 Jun 2013 17:57:33 +0200
From: Anthony Dubuissez <anthony.dubuissez@...era.fr>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
 "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>
Subject: [CVE-2013-3961]  iSQL in php-agenda <= 2.2.8

=============================================
WEBERA ALERT ADVISORY 02
- Discovered by: Anthony Dubuissez
- Severity: high
- CVE Request – 05/06/2013
- CVE Assign – 06/06/2013
- CVE Number – CVE-2013-3961
- Vendor notification – 06/06/2013
- Vendor reply – 10/06/2013
- Public disclosure – 11/06/2013
=============================================

I. VULNERABILITY ————————-
iSQL in php-agenda <= 2.2.8

II. BACKGROUND ————————-
Simple Php Agenda is « a simple agenda tool written in PHP with MySQL backend. An agenda tool accessible everywere there’s internet ».

III. DESCRIPTION ————————-
Php-Agenda 2.2.8 and lower versions contain a flaw that allows an authenticated user iSQL attack. This flaw exists because the application does not properly sanitize parameters (only rely on mysql_real_escape_string() funcion ) in the edit_event.php file. This allows an attacker to create a specially crafted URL to dump multiple informations of the databases content.
A valid account is required.

IV. PROOF OF CONCEPT ————————-
dumping login and password of the first admin
iSQL: http://vulnerablesite.com/edit_event.php?eventid=1%20union%20select%201,2,3,username,password,6,7,8,9%20from%20users%20where%20userlevel=9%20limit%200,1

V. BUSINESS IMPACT ————————-
iSQL: We can get sensitive information with the vulnerabilities that can escalate to a complete administrator account.

VI. SYSTEMS AFFECTED ————————-
Php-Agenda 2.2.8 and lower versions

VII. SOLUTION ————————-
sanitize correctly the GET/POST parameter. (don’t rely on the mysql_real_escape_string() functions only…)

VIII. REFERENCES ————————-
http://www.webera.fr/advisory-02-php-agenda-isql-exploit/

IX. CREDITS ————————- 
the vulnerability has been discovered by Anthony Dubuissez (anthony (dot) dubuissez (at) webera (dot) fr).

X. DISCLOSURE TIMELINE ————————-
June 05, 2013: Vulnerability acquired by Webera
June 06, 2013: Sent to vendor.
June 10, 2013: Reply of vendor, vendor release bugfix in version 2.2.9
June 11, 2013: Advisory published and sent to lists.

XI. LEGAL NOTICES ————————-
The information contained within this advisory is supplied « as-is » with no warranties or guarantees of fitness of use or otherwise.Webera accepts no responsibility for any damage caused by the use or misuse of this information.

XII. FOLLOW US ————————-
You can follow Webera, news and security advisories at:
On twitter : @erathemass
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists