84 lines
No EOL
2.5 KiB
Text
84 lines
No EOL
2.5 KiB
Text
[RCESEC-2016-002] XenAPI v1.4.1 for XenForo Multiple Unauthenticated SQL Injections
|
|
|
|
RCE Security Advisory
|
|
https://www.rcesecurity.com
|
|
|
|
|
|
1. ADVISORY INFORMATION
|
|
=======================
|
|
Product: XenAPI for XenForo
|
|
Vendor URL: github.com/Contex/XenAPI
|
|
Type: SQL Injection [CWE-89]
|
|
Date found: 2016-05-20
|
|
Date published: 2016-05-23
|
|
CVSSv3 Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
|
|
CVE: -
|
|
|
|
|
|
2. CREDITS
|
|
==========
|
|
This vulnerability was discovered and researched by Julien Ahrens from
|
|
RCE Security.
|
|
|
|
|
|
3. VERSIONS AFFECTED
|
|
====================
|
|
XenAPI for XenForo v1.4.1
|
|
older versions may be affected too but were not tested.
|
|
|
|
|
|
4. INTRODUCTION
|
|
===============
|
|
This Open Source REST API allows usage of several of XenForo's functions,
|
|
such as authentication, user information and many other functions!
|
|
|
|
(from the vendor's homepage)
|
|
|
|
|
|
5. VULNERABILITY DETAILS
|
|
========================
|
|
The plugin "XenAPI" for XenForo offers a REST Api with different functions
|
|
to query and edit information from the XenForo database backend. Amongst
|
|
those are "getGroup" and "getUsers", which can be called without
|
|
authentication (default) and since the application does not properly
|
|
validate and sanitize the "value" parameter, it is possible to inject
|
|
arbitrary SQL commands into the XenForo backend database.
|
|
|
|
The following proof-of-concepts exploit each vulnerable REST action
|
|
and extract the hostname of the server:
|
|
|
|
https://127.0.0.1/api.php?action=getUsers&value=' UNION ALL SELECT
|
|
CONCAT(IFNULL(CAST(%40%40HOSTNAME AS CHAR)%2C0x20))%2CNULL%23
|
|
|
|
https://127.0.0.1/api.php?action=getGroup&value=' UNION ALL SELECT
|
|
NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT(IFNULL(CAST(%40%40HOSTNAME AS
|
|
CHAR)%2C0x20))%2CNULL%23
|
|
|
|
|
|
6. RISK
|
|
=======
|
|
The vulnerability allows remote attackers to read sensitive information
|
|
from the XenForo database like usernames and passwords. Since the affected
|
|
REST actions do not require an authentication hash, these vulnerabilities
|
|
can be exploited by an unauthenticated attacker.
|
|
|
|
|
|
7. SOLUTION
|
|
===========
|
|
Update to the latest version v1.4.2
|
|
|
|
|
|
8. REPORT TIMELINE
|
|
==================
|
|
2016-05-20: Discovery of the vulnerability
|
|
2016-05-20: Notified vendor via contact address
|
|
2016-05-20: Vendor provides update for both issues
|
|
2016-05-21: Provided update fixes the reported issues
|
|
2016-05-21: Vendor publishes update
|
|
2016-05-23: Advisory released
|
|
|
|
|
|
9. REFERENCES
|
|
=============
|
|
https://github.com/Contex/XenAPI/commit/00a737a1fe45ffe5c5bc6bace44631ddb73f2ecf
|
|
https://xenforo.com/community/resources/xenapi-xenforo-php-rest-api.902/update?update=19336 |