CodoForum 3.3.1: Multiple SQL Injection VulnerabilitiesDate: 2015-08-07 16:59:38
|Affected Product:||CodoForum 3.3.1|
|Fixed Version Link:||https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.3.4.build-19.zip|
|Vulnerability Type:||Multiple SQL injections|
|Reported to vendor:||07/07/2015|
|Disclosed to public:||08/07/2015|
|Credits||Tim Coen of curesec GmbH|
2. Vulnerability Description
There are two SQL injections in the CodoForum application. One is a blind injection which does not require any credentials, the other is a normal SQL injection which does require that the attacker be authenticated.
These vulnerabilities can lead to data leaks as well as compromisation of the host.
SQL Injection 1 (Blind)
The script that parses the request URL and displays posts depending on the retrieved id does not use proper protection against SQL injections. It does cast the retrieved user input to int, but it does not use this value, but the original value instead.
The retrieved values are never displayed to the end user, making this a blind injection. An attacker does not need to be authenticated to perform this attack.
Proof of Concept:
SQL Injection 2
The script processing the mass sending of email does not properly handle the subject, body, or roles arguments it retrieves from a POST request. The script can only be accessed by authenticated users.
The following request:
Upgrade to Version 3.4:
4. Report Timeline
|07/07/2015||Informed Vendor about Issue|
|08/03/2015||Vendor releases Version 3.4|
|08/07/2015||Disclosed to public|