exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Simple PHP Agenda 2.2.8 SQL Injection

Simple PHP Agenda 2.2.8 SQL Injection
Posted Jun 11, 2013
Authored by Anthony Dubuissez

Simple PHP Agenda version 2.2.8 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, php, sql injection
advisories | CVE-2013-3961
SHA-256 | c1c20f33403252579505d8ca0abfdad1f12c1b4453401b5a08734774fc4d7a9b

Simple PHP Agenda 2.2.8 SQL Injection

Change Mirror Download
=============================================
WEBERA ALERT ADVISORY 02
- Discovered by: Anthony Dubuissez
- Severity: high
- CVE Request – 05/06/2013
- CVE Assign – 06/06/2013
- CVE Number – CVE-2013-3961
- Vendor notification – 06/06/2013
- Vendor reply – 10/06/2013
- Public disclosure – 11/06/2013
=============================================

I. VULNERABILITY ————————-
iSQL in php-agenda <= 2.2.8

II. BACKGROUND ————————-
Simple Php Agenda is « a simple agenda tool written in PHP with MySQL backend. An agenda tool accessible everywere
there’s internet ».

III. DESCRIPTION ————————-
Php-Agenda 2.2.8 and lower versions contain a flaw that allows an authenticated user iSQL attack. This flaw exists
because the application does not properly sanitize parameters (only rely on mysql_real_escape_string() funcion ) in the
edit_event.php file. This allows an attacker to create a specially crafted URL to dump multiple informations of the
databases content.
A valid account is required.

IV. PROOF OF CONCEPT ————————-
dumping login and password of the first admin
iSQL:
http://server/edit_event.php?eventid=1%20union%20select%201,2,3,username,password,6,7,8,9%20from%20users%20where%20userlevel=9%20limit%200,1

V. BUSINESS IMPACT ————————-
iSQL: We can get sensitive information with the vulnerabilities that can escalate to a complete administrator account.

VI. SYSTEMS AFFECTED ————————-
Php-Agenda 2.2.8 and lower versions

VII. SOLUTION ————————-
sanitize correctly the GET/POST parameter. (don’t rely on the mysql_real_escape_string() functions only…)

VIII. REFERENCES ————————-
http://www.webera.fr/advisory-02-php-agenda-isql-exploit/

IX. CREDITS ————————-
the vulnerability has been discovered by Anthony Dubuissez (anthony (dot) dubuissez (at) webera (dot) fr).

X. DISCLOSURE TIMELINE ————————-
June 05, 2013: Vulnerability acquired by Webera
June 06, 2013: Sent to vendor.
June 10, 2013: Reply of vendor, vendor release bugfix in version 2.2.9
June 11, 2013: Advisory published and sent to lists.

XI. LEGAL NOTICES ————————-
The information contained within this advisory is supplied « as-is » with no warranties or guarantees of fitness of use
or otherwise.Webera accepts no responsibility for any damage caused by the use or misuse of this information.

XII. FOLLOW US ————————-
You can follow Webera, news and security advisories at:
On twitter : @erathemass

Login or Register to add favorites

File Archive:

August 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Aug 1st
    20 Files
  • 2
    Aug 2nd
    4 Files
  • 3
    Aug 3rd
    6 Files
  • 4
    Aug 4th
    55 Files
  • 5
    Aug 5th
    16 Files
  • 6
    Aug 6th
    0 Files
  • 7
    Aug 7th
    0 Files
  • 8
    Aug 8th
    13 Files
  • 9
    Aug 9th
    13 Files
  • 10
    Aug 10th
    34 Files
  • 11
    Aug 11th
    16 Files
  • 12
    Aug 12th
    5 Files
  • 13
    Aug 13th
    0 Files
  • 14
    Aug 14th
    0 Files
  • 15
    Aug 15th
    25 Files
  • 16
    Aug 16th
    0 Files
  • 17
    Aug 17th
    0 Files
  • 18
    Aug 18th
    0 Files
  • 19
    Aug 19th
    0 Files
  • 20
    Aug 20th
    0 Files
  • 21
    Aug 21st
    0 Files
  • 22
    Aug 22nd
    0 Files
  • 23
    Aug 23rd
    0 Files
  • 24
    Aug 24th
    0 Files
  • 25
    Aug 25th
    0 Files
  • 26
    Aug 26th
    0 Files
  • 27
    Aug 27th
    0 Files
  • 28
    Aug 28th
    0 Files
  • 29
    Aug 29th
    0 Files
  • 30
    Aug 30th
    0 Files
  • 31
    Aug 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close