Bigace 3.0: SQL Injection

Bigace 3.0: SQL Injection

Date: 2016-01-28 09:56:34
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Bigace 3.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website:
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 01/28/2016
Release mode: Full Disclosure
CVE: requested, but not assigned
Credits Tim Coen of Curesec GmbH

2. Overview


Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P


Bigace is a CMS written in PHP. In version 3.0, the language parameter of the filemanager is open to SQL injection.

A user account is needed to exploit this issue, but it can be in the group "Anonymous", which is the lowest privilege level - it does not have to have any rights associated with it.

3. Proof of Concept

http://localhost//bigace_3.0/public/index.php/filemanager/itemtype/index/?itemtype=4&language=en%27%20and%201=1%20--%20- ->true http://localhost//bigace_3.0/public/index.php/filemanager/itemtype/index/?itemtype=4&language=en%27%20and%201=2%20--%20- -> false

4. Code

/library/Bigace/Item/Walker.php public function assemble() { [...] $languageID = $req->getLanguageID(); [...] if (!is_null($languageID) && $languageID != '') { $extension .= " AND a.language='".$languageID."' "; } else { // if we do not request a special language, we cannot group by id // becuase we would only get back the first (only one!) result "by id" // and not all language version $groupBy = ', a.language'; } [...] $sql .= " ".$joinExtension." WHERE a.cid={CID} ".$extension." GROUP BY ".$groupBy." ".$order." " . $limit; return $GLOBALS['_BIGACE']['SQL_HELPER']->prepareStatement($sql, $values, true); }

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 CVE Requested, but not assigned
12/10/2015 Reminded Vendor of Disclosure Date
12/14/2015 Vendor requests more time
01/10/2015 Reminded Vendor of Disclosure Date
01/17/2015 Vendor discontinued project
01/28/2016 Disclosed to public