lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <54A43F3F.9060500@karmainsecurity.com>
Date: Wed, 31 Dec 2014 19:23:59 +0100
From: Egidio Romano <research@...mainsecurity.com>
To: bugtraq@...urityfocus.com, fulldisclosure@...lists.org
Subject: [FD] [KIS-2014-14] Osclass <= 3.4.2 (Search::setJsonAlert) SQL
 Injection Vulnerability

-------------------------------------------------------------------
Osclass <= 3.4.2 (Search::setJsonAlert) SQL Injection Vulnerability
-------------------------------------------------------------------


[-] Software Link:

http://osclass.org/	


[-] Affected Versions:

Version 3.4.2 and probably prior versions.


[-] Vulnerability Description:

The vulnerability exists because user input passed through the "alert" parameter when subscribing
to a search alert is not properly validated before being stored into the DB (s_search field of
the oc_t_alerts table). This can be exploited by unauthenticated attackers to inject arbitrary
SQL commands via several parameters passed to the "Search::setJsonAlert()" method, which are
later used to make a SQL query within the "Search::doSearch()" method.

NOTE: this vulnerability might be abused to reset the administrator's password and consequently
gain access to the administration panel in order to achieve arbitrary PHP code execution.


[-] Solution:

Update to version 3.4.3 or later.


[-] Disclosure Timeline:

[29/09/2014] - Vendor notified
[29/09/2014] - Vendor response
[09/10/2014] - Version 3.4.3 released: http://blog.osclass.org/2014/10/09/osclass-3-4-3
[09/10/2014] - CVE number requested
[11/10/2014] - CVE number assigned
[31/12/2014] - Public disclosure


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2014-8083 to this vulnerability.


[-] Credits:

Vulnerability discovered by Egidio Romano.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2014-14


_______________________________________________
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists