bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/php/webapps/26136.txt
Offensive Security b4c96a5864 DB: 2021-09-03 
28807 changes to exploits/shellcodes
2021-09-03 20:19:21 +00:00

59 lines
No EOL
2.5 KiB
Text
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

=============================================
WEBERA ALERT ADVISORY 02
- Discovered by: Anthony Dubuissez
- Severity: high
- CVE Request 05/06/2013
- CVE Assign 06/06/2013
- CVE Number CVE-2013-3961
- Vendor notification 06/06/2013
- Vendor reply 10/06/2013
- Public disclosure 11/06/2013
=============================================
I. VULNERABILITY ————————-
iSQL in php-agenda <= 2.2.8
II. BACKGROUND ————————-
Simple Php Agenda is « a simple agenda tool written in PHP with MySQL backend. An agenda tool accessible everywere
theres internet ».
III. DESCRIPTION ————————-
Php-Agenda 2.2.8 and lower versions contain a flaw that allows an authenticated user iSQL attack. This flaw exists
because the application does not properly sanitize parameters (only rely on mysql_real_escape_string() funcion ) in the
edit_event.php file. This allows an attacker to create a specially crafted URL to dump multiple informations of the
databases content.
A valid account is required.
IV. PROOF OF CONCEPT ————————-
dumping login and password of the first admin
iSQL:
http://server/edit_event.php?eventid=1%20union%20select%201,2,3,username,password,6,7,8,9%20from%20users%20where%20userlevel=9%20limit%200,1
V. BUSINESS IMPACT ————————-
iSQL: We can get sensitive information with the vulnerabilities that can escalate to a complete administrator account.
VI. SYSTEMS AFFECTED ————————-
Php-Agenda 2.2.8 and lower versions
VII. SOLUTION ————————-
sanitize correctly the GET/POST parameter. (dont rely on the mysql_real_escape_string() functions only…)
VIII. REFERENCES ————————-
http://www.webera.fr/advisory-02-php-agenda-isql-exploit/
IX. CREDITS ————————-
the vulnerability has been discovered by Anthony Dubuissez (anthony (dot) dubuissez (at) webera (dot) fr).
X. DISCLOSURE TIMELINE ————————-
June 05, 2013: Vulnerability acquired by Webera
June 06, 2013: Sent to vendor.
June 10, 2013: Reply of vendor, vendor release bugfix in version 2.2.9
June 11, 2013: Advisory published and sent to lists.
XI. LEGAL NOTICES ————————-
The information contained within this advisory is supplied « as-is » with no warranties or guarantees of fitness of use
or otherwise.Webera accepts no responsibility for any damage caused by the use or misuse of this information.
XII. FOLLOW US ————————-
You can follow Webera, news and security advisories at:
On twitter : @erathemass
Reference in a new issue View git blame Copy permalink