KBPublisher 6.0.2.1 SQL Injection

KBPublisher version 6.0.2.1 suffers from multiple remote SQL injection vulnerabilities.


MD5 | 1eb1a06483952b05b3a15269d967cfab

          ===============================
- Advisory -
===============================

Tittle: KBPublisher 6.0.2.1 - Multiple SQL Injection
Risk: High
Date: 21.Aug.2019
Author: Pedro Andujar
Twitter: @pandujar



.: [ INTRO ] :

KBPublisher is Knowledge Management Software. It reduces the need for customer support, improves staff productivity, and eliminates
time wasted searching for information.


.: [ TECHNICAL DESCRIPTION ] :.

KBPublisher release 6.0.2, and probably prior versions, contain multiple SQLi vulnerabilities that affect not only the admin interface but also the public (unauthenticated)
area of the application


.: [ ISSUE #1 ]:.

Name: Multiple SQLi
Severity: High
CVE: CVE-2019-10687

Affected URL's from the admin area:
https://SITE/admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325PAYLOAD&filter%5Bt%5D=1&ajax=1 (Also affecting to POST parameters)

https://SITE/admin/index.php?module=log&page=login_log&action=detail&id=PAYLOAD

The publicly accesible URL, correspond to the print feature:
https://SITE/index.php?View=print&id%5B%5D=PAYLOAD

During the test, it was possible to dump users and hashes of the application as any other content from the DB.


.: [ CHANGELOG ] :.

* 21/Mar/2019: - Vuln discovered during engagement.
* 21/Mar/2019: - KBP product security contacted.
* 22/Mar/2019: - Replied providing workarround.
* 30/Apr/2019: - New release of KBP released to public.
* 21/Ago/2019: - Public disclosure.

(Kudos to Evgeny Leontev, for the excelent communication and incident handling)


.: [ SOLUTIONS ] :.

Upgrade to version 7.0 or higher.


.: [ REFERENCES ] :.

[+] KBPublisher Release Notes
https://www.kbpublisher.com/kb/release-notes-59/

[+] Tarlogic
https://www.tarlogic.com/

[+] Black Arrow
https://www.blackarrow.net




-=EOF=-

Related Posts