
List:       bugtraq
Subject:    Improper Access Control in ArticleFR
From:       High-Tech Bridge Security Research <advisory () htbridge ! com>
Date:       2014-07-30 11:51:52
Message-ID: 20140730115152.E996E2D60075 () htbridge ! ch

Advisory ID: HTB23219
Product: ArticleFR
Vendor: Free Reprintables
Vulnerable Version(s): 11.06.2014 and probably prior
Tested Version: 11.06.2014
Advisory Publication:  June 11, 2014  [without technical details]
Vendor Notification: June 11, 2014 
Public Disclosure: July 30, 2014 
Vulnerability Type: Improper Access Control [CWE-284]
CVE Reference: CVE-2014-4170
Risk Level: High 
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Solution Available
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )

-----------------------------------------------------------------------------------------------


Advisory Details:

High-Tech Bridge Security Research Lab discovered a vulnerability in ArticleFR which can be exploited to execute arbitrary UPDATE SQL statements, alter information stored in the database and gain complete control over the web site.


1) Improper Access Control in ArticleFR: CVE-2014-4170

The vulnerability exists due to insufficient access restrictions when accessing the "/data.php" script. A remote attacker can send a specially crafted HTTP GET request to the vulnerable script and execute arbitrary UPDATE SQL commands in the application's database. Successful exploitation of the vulnerability allows modification of arbitrary database records. A remote attacker can modify or delete information stored in the database and gain complete control over the application.

The following exploitation example assigns administrative privileges to the user with "id=2":

http://[host]/data.php?pk=2&pkf=id&f=membership&value=admin&t=users
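As an added detection example (not part of the advisory and not the vendor's code), the following Python scans web server access-log lines for requests to /data.php that carry the full set of update parameters shown above and flags those that change the membership column of the users table; the log lines are constructed for the demo.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format log lines for the demo; not real traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [30/Jul/2014:11:51:52 +0000] "GET /index.php HTTP/1.1" 200 4821 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Jul/2014:11:52:10 +0000] "GET /data.php?pk=2&pkf=id&f=membership&value=admin&t=users HTTP/1.1" 200 17 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jul/2014:11:53:01 +0000] "GET /data.php?pk=14&pkf=id&f=title&value=Hello&t=articles HTTP/1.1" 200 17 "-" "curl/7.30"
198.51.100.7 - - [30/Jul/2014:11:53:40 +0000] "GET /data.php?foo=bar HTTP/1.1" 200 17 "-" "curl/7.30"
"""

# Client IP, timestamp, method, request target and status code of one combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# The parameters the advisory's request uses to drive the UPDATE statement.
UPDATE_PARAMS = {"pk", "pkf", "f", "value", "t"}


def classify_request(target):
    """Return None, 'update' or 'privilege' for one request target (path plus query)."""
    url = urlparse(target)
    if url.path != "/data.php":
        return None
    params = parse_qs(url.query)
    if not UPDATE_PARAMS.issubset(params):
        return None
    # A write to users.membership is the privilege-escalation case from the advisory.
    if params["t"] == ["users"] and params["f"] == ["membership"]:
        return "privilege"
    return "update"


def find_suspicious(log_text):
    """Return (client_ip, kind, target) for every log line that drives the UPDATE endpoint."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_request(m.group("target"))
        if kind:
            hits.append((m.group("ip"), kind, m.group("target")))
    return hits


if __name__ == "__main__":
    for ip, kind, target in find_suspicious(SAMPLE_LOG):
        print(f"{kind:9s} {ip:15s} {target}")
```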

-----------------------------------------------------------------------------------------------


Solution:

Disclosure timeline:
2014-06-11 Vendor Alerted via emails and contact form.
2014-06-19 Vendor Alerted via emails and contact form.
2014-06-24 Vendor Alerted via contact form.
2014-06-26 Fix Requested via emails and contact forms.
2014-06-26 Issue created on GitHub.
2014-06-27 Vendor says that vulnerability is fixed.
2014-06-30 Requested version number with fixes.
2014-07-03 Vendor says that vulnerability will be fixed in upcoming version 3.0.x
2014-07-07 Fix Requested via emails and contact forms.
2014-07-16 Vulnerability still exists in the latest version 3.0.2. This information was brought to the vendor.
2014-07-16 Vendor disagrees that the vulnerability still exists.
2014-07-27 Vendor locked and limited conversation to collaborators on GitHub.
2014-07-29 Vulnerability still exists in the latest version 3.0.4.
2014-07-30 Public disclosure with self-written patch.

Currently we are not aware of any official solution for this vulnerability.
An unofficial patch was developed by High-Tech Bridge Security Research Lab and is available here: https://www.htbridge.com/advisory/HTB23219-patch.zip

-----------------------------------------------------------------------------------------------


References:

[1] High-Tech Bridge Advisory HTB23219 - https://www.htbridge.com/advisory/HTB23219 - Improper Access Control in ArticleFR.
[2] ArticleFR - http://freereprintables.com/ - Free Article Directory CMS System.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.

-----------------------------------------------------------------------------------------------


Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.

