Simple PHP Agenda 2.2.8 - 'edit_event.php?eventid' SQL Injection

EDB-ID:

26136

CVE:

2013-3961

EDB Verified:

Author:

Anthony Dubuissez

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2013-06-11

Vulnerable App: 
=============================================
WEBERA ALERT ADVISORY 02
- Discovered by: Anthony Dubuissez
- Severity: high
- CVE Request – 05/06/2013
- CVE Assign – 06/06/2013
- CVE Number – CVE-2013-3961
- Vendor notification – 06/06/2013
- Vendor reply – 10/06/2013
- Public disclosure – 11/06/2013
=============================================

I. VULNERABILITY ————————-
iSQL in php-agenda <= 2.2.8

II. BACKGROUND ————————-
Simple Php Agenda is « a simple agenda tool written in PHP with MySQL backend. An agenda tool accessible everywere 
there’s internet ».

III. DESCRIPTION ————————-
Php-Agenda 2.2.8 and lower versions contain a flaw that allows an authenticated user iSQL attack. This flaw exists 
because the application does not properly sanitize parameters (only rely on mysql_real_escape_string() funcion ) in the 
edit_event.php file. This allows an attacker to create a specially crafted URL to dump multiple informations of the 
databases content.
A valid account is required.

IV. PROOF OF CONCEPT ————————-
dumping login and password of the first admin
iSQL: 
http://server/edit_event.php?eventid=1%20union%20select%201,2,3,username,password,6,7,8,9%20from%20users%20where%20userlevel=9%20limit%200,1

V. BUSINESS IMPACT ————————-
iSQL: We can get sensitive information with the vulnerabilities that can escalate to a complete administrator account.

VI. SYSTEMS AFFECTED ————————-
Php-Agenda 2.2.8 and lower versions

VII. SOLUTION ————————-
sanitize correctly the GET/POST parameter. (don’t rely on the mysql_real_escape_string() functions only…)

VIII. REFERENCES ————————-
http://www.webera.fr/advisory-02-php-agenda-isql-exploit/

IX. CREDITS ————————- 
the vulnerability has been discovered by Anthony Dubuissez (anthony (dot) dubuissez (at) webera (dot) fr).

X. DISCLOSURE TIMELINE ————————-
June 05, 2013: Vulnerability acquired by Webera
June 06, 2013: Sent to vendor.
June 10, 2013: Reply of vendor, vendor release bugfix in version 2.2.9
June 11, 2013: Advisory published and sent to lists.

XI. LEGAL NOTICES ————————-
The information contained within this advisory is supplied « as-is » with no warranties or guarantees of fitness of use 
or otherwise.Webera accepts no responsibility for any damage caused by the use or misuse of this information.

XII. FOLLOW US ————————-
You can follow Webera, news and security advisories at:
On twitter : @erathemass
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services