KBPublisher SQL Injection

KBPublisher version suffers from multiple remote SQL injection vulnerabilities.

MD5 | 1eb1a06483952b05b3a15269d967cfab

- Advisory -

Tittle: KBPublisher - Multiple SQL Injection
Risk: High
Date: 21.Aug.2019
Author: Pedro Andujar
Twitter: @pandujar

.: [ INTRO ] :

KBPublisher is Knowledge Management Software. It reduces the need for customer support, improves staff productivity, and eliminates
time wasted searching for information.


KBPublisher release 6.0.2, and probably prior versions, contain multiple SQLi vulnerabilities that affect not only the admin interface but also the public (unauthenticated)
area of the application

.: [ ISSUE #1 ]:.

Name: Multiple SQLi
Severity: High
CVE: CVE-2019-10687

Affected URL's from the admin area:
https://SITE/admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325PAYLOAD&filter%5Bt%5D=1&ajax=1 (Also affecting to POST parameters)


The publicly accesible URL, correspond to the print feature:

During the test, it was possible to dump users and hashes of the application as any other content from the DB.

.: [ CHANGELOG ] :.

* 21/Mar/2019: - Vuln discovered during engagement.
* 21/Mar/2019: - KBP product security contacted.
* 22/Mar/2019: - Replied providing workarround.
* 30/Apr/2019: - New release of KBP released to public.
* 21/Ago/2019: - Public disclosure.

(Kudos to Evgeny Leontev, for the excelent communication and incident handling)

.: [ SOLUTIONS ] :.

Upgrade to version 7.0 or higher.

.: [ REFERENCES ] :.

[+] KBPublisher Release Notes

[+] Tarlogic

[+] Black Arrow


Related Posts