[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[CVE-2012-1002] OpenConf <= 4.11 (author/edit.php) Blind SQL Injection Vulnerability
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: [CVE-2012-1002] OpenConf <= 4.11 (author/edit.php) Blind SQL Injection Vulnerability
- From: n0b0d13s@xxxxxxxxx
- Date: Wed, 2 May 2012 14:49:47 GMT
--------------------------------------------------------------------
OpenConf <= 4.11 (author/edit.php) Blind SQL Injection Vulnerability
--------------------------------------------------------------------
author...............: Egidio Romano aka EgiX
mail.................: n0b0d13s[at]gmail[dot]com
software link........: http://www.openconf.com/
affected versions....: from 4.00 to 4.11
[-] Vulnerable code in /author/edit.php:
104. // get sub
105. $anr = ocsql_query("SELECT * FROM `" . OCC_TABLE_PAPER . "`
WHERE `paperid`=" . safeSQLstr($_POST['pid'])) ...
106. if (mysql_num_rows($anr) != 1) {
107. err(oc_('Submission ID or password entered is
incorrect'));
108. }
109. $_POST = array_merge($_POST, mysql_fetch_assoc($anr));
User input passed through $_POST['pid'] seems correctly sanitised by the
safeSQLstr() function, but in the query
at line 105 single quotes aren't used before concatenate the user input
into the query string. This can be
exploited to conduct a Blind SQL Injection attack. Successful exploitation
of this vulnerability requires at
least a record into the 'paper' table, and 'Edit Submission' to be enabled.
[-] Disclosure timeline:
[27/01/2012] - Vulnerability discovered
[01/02/2012] - Issue reported to bugs(at)openconf.com
[02/02/2012] - Version 4.12 released: http://www.openconf.com/news/#20120202
[02/02/2012] - CVE number requested
[02/02/2012] - Assigned CVE-2012-1002
[02/05/2012] - Public disclosure
[-] Proof of concept:
http://www.exploit-db.com/exploits/18820/