PHP Grade Book 1.9.4 - SQL Database Export

EDB-ID:

18647

CVE:

2012-1670

EDB Verified:

Author:

Mark Stanislav

Type:

webapps

Exploit:   /  

Platform:

PHP

Date:

2012-03-22

Vulnerable App: 
'PHP Grade Book' Unauthenticated SQL Database Export (CVE-2012-1670)
Mark Stanislav - mark.stanislav@gmail.com


I. DESCRIPTION
---------------------------------------
A vulnerability exists in admin/index.php that allows for an unauthenticated user to export the entire application database by accessing the 'Database Backup' method without restriction. Due to the way sessions are handled, an attacker can then simply pass the username and password-hash via cookies to assume the administrative role without ever knowing the clear-text version of the password.

 
II. TESTED VERSION
---------------------------------------
1.9.4


III. PoC EXPLOIT
---------------------------------------
http://localhost/phpGradeBook/admin/index.php?action=SaveSQL


IV. SOLUTION
---------------------------------------
Upgrade to 1.9.5 or above.


V. REFERENCES
---------------------------------------
http://sourceforge.net/projects/php-gradebook/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-1670


VI. TIMELINE
---------------------------------------
02/29/2012 - Initial vendor disclosure
02/29/2012 - Vendor response and commitment to fix
03/01/2012 - Vendor patched and released an updated version
03/22/2012 - Public disclosure
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services