Full Disclosure mailing list archives
[CVE-2013-3961] iSQL in php-agenda <= 2.2.8
From: Anthony Dubuissez <anthony.dubuissez () webera fr>
Date: Tue, 11 Jun 2013 17:57:33 +0200
============================================= WEBERA ALERT ADVISORY 02 - Discovered by: Anthony Dubuissez - Severity: high - CVE Request – 05/06/2013 - CVE Assign – 06/06/2013 - CVE Number – CVE-2013-3961 - Vendor notification – 06/06/2013 - Vendor reply – 10/06/2013 - Public disclosure – 11/06/2013 ============================================= I. VULNERABILITY ————————- iSQL in php-agenda <= 2.2.8 II. BACKGROUND ————————- Simple Php Agenda is « a simple agenda tool written in PHP with MySQL backend. An agenda tool accessible everywere there’s internet ». III. DESCRIPTION ————————- Php-Agenda 2.2.8 and lower versions contain a flaw that allows an authenticated user iSQL attack. This flaw exists because the application does not properly sanitize parameters (only rely on mysql_real_escape_string() funcion ) in the edit_event.php file. This allows an attacker to create a specially crafted URL to dump multiple informations of the databases content. A valid account is required. IV. PROOF OF CONCEPT ————————- dumping login and password of the first admin iSQL: http://vulnerablesite.com/edit_event.php?eventid=1%20union%20select%201,2,3,username,password,6,7,8,9%20from%20users%20where%20userlevel=9%20limit%200,1 V. BUSINESS IMPACT ————————- iSQL: We can get sensitive information with the vulnerabilities that can escalate to a complete administrator account. VI. SYSTEMS AFFECTED ————————- Php-Agenda 2.2.8 and lower versions VII. SOLUTION ————————- sanitize correctly the GET/POST parameter. (don’t rely on the mysql_real_escape_string() functions only…) VIII. REFERENCES ————————- http://www.webera.fr/advisory-02-php-agenda-isql-exploit/ IX. CREDITS ————————- the vulnerability has been discovered by Anthony Dubuissez (anthony (dot) dubuissez (at) webera (dot) fr). X. DISCLOSURE TIMELINE ————————- June 05, 2013: Vulnerability acquired by Webera June 06, 2013: Sent to vendor. June 10, 2013: Reply of vendor, vendor release bugfix in version 2.2.9 June 11, 2013: Advisory published and sent to lists. XI. LEGAL NOTICES ————————- The information contained within this advisory is supplied « as-is » with no warranties or guarantees of fitness of use or otherwise.Webera accepts no responsibility for any damage caused by the use or misuse of this information. XII. FOLLOW US ————————- You can follow Webera, news and security advisories at: On twitter : @erathemass _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- [CVE-2013-3961] iSQL in php-agenda <= 2.2.8 Anthony Dubuissez (Jun 11)