[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Improper Access Control in ArticleFR

Advisory ID: HTB23219
Product: ArticleFR
Vendor: Free Reprintables
Vulnerable Version(s): 11.06.2014 and probably prior
Tested Version: 11.06.2014
Advisory Publication:  June 11, 2014  [without technical details]
Vendor Notification: June 11, 2014 
Public Disclosure: July 30, 2014 
Vulnerability Type: Improper Access Control [CWE-284]
CVE Reference: CVE-2014-4170
Risk Level: High 
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Solution Available
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered vulnerability in ArticleFR, 
which can be exploited to execute arbitrary UPDATE SQL statements, alter 
information stored in database and gain complete control over the web site.


1) Improper Access Control in ArticleFR: CVE-2014-4170

The vulnerability exists due to insufficient access restrictions when accessing 
the "/data.php" script. A remote attacker can send a specially crafted HTTP GET 
request to vulnerable script and execute arbitrary UPDATE SQL commands in 
application’s database. Successful exploitation of the vulnerability allows 
modification of arbitrary database record. A remote attacker can modify or 
delete information stored in database and gain complete control over the 
application. 

The following exploitation example assigns administrative privileges to the 
user with "id=2":

http://[host]/data.php?pk=2&pkf=id&f=membership&value=admin&t=users

-----------------------------------------------------------------------------------------------

Solution:

Disclosure timeline:
2014-06-11 Vendor Alerted via emails and contact form.
2014-06-19 Vendor Alerted via emails and contact form.
2014-06-24 Vendor Alerted via contact form.
2014-06-26 Fix Requested via emails and contact forms.
2014-06-26 Issue created on GitHub.
2014-06-27 Vendor says that vulnerability is fixed.
2014-06-30 Requested version number with fixes.
2014-07-03 Vendor says that vulnerability will be fixed in upcoming version 
3.0.x
2014-07-07 Fix Requested via emails and contact forms.
2014-07-16 Vulnerability still exist in the latest version 3.0.2. This 
information was brought to vendor.
2014-07-16 Vendor disagrees that vulnerability still exist.
2014-07-27 Vendor locked and limited conversation to collaborators on GitHub.
2014-07-29 Vulnerability still exist in the latest version 3.0.4.
2014-07-30 Public disclosure with self-written patch.

Currently we are not aware of any official solution for this vulnerability.
Unofficial patch was developed by High-Tech Bridge Security Research Lab and is 
available here: https://www.htbridge.com/advisory/HTB23219-patch.zip

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23219 - 
https://www.htbridge.com/advisory/HTB23219 - Improper Access Control in 
ArticleFR.
[2] ArticleFR - http://freereprintables.com/ - Free Article Directory CMS 
System .
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.