exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

CodoForum 3.3.1 SQL Injection

CodoForum 3.3.1 SQL Injection
Posted Aug 10, 2015
Authored by Tim Coen | Site curesec.com

CodoForum version 3.3.1 suffers from multiple remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
SHA-256 | 91066315f737146476dcdfe6bb560572770dbaea41512d22331b81f27db3e839

CodoForum 3.3.1 SQL Injection

Change Mirror Download


CodoForum 3.3.1: Multiple SQL Injection Vulnerabilities
Security Advisory – Curesec Research Team

https://blog.curesec.com/article/blog/CodoForum-331-Multiple-SQL-Injection-Vulnerabilities-42.html

1. Introduction

Affected Product: CodoForum 3.3.1
Fixed in: 3.4
Fixed Version Link:
https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.3.4.build-19.zip

Vendor Contact: admin@codologic.com
Vulnerability Type: Multiple SQL injections
Remote Exploitable: Yes
Reported to vendor: 07/07/2015
Disclosed to public: 08/07/2015
Release mode: Coordinated
CVE: n/a
Credits Tim Coen of Curesec GmbH

2. Vulnerability Description

There are two SQL injections in the CodoForum application. One is a
blind injection which does not require any credentials, the other is a
normal SQL injection which does require that the attacker be authenticated.

These vulnerabilities can lead to data leaks as well as compromisation
of the host.

SQL Injection 1 (Blind)

The script that parses the request URL and displays posts depending on
the retrieved id does not use proper protection against SQL injections.
It does cast the retrieved user input to int, but it does not use this
value, but the original value instead.

The retrieved values are never displayed to the end user, making this a
blind injection. An attacker does not need to be authenticated to
perform this attack.

Proof of Concept:


https://localhost/codoforum/index.php?u=/page/6 and
1=1%23/terms-of-service
-> true (terms and services displayed)
https://localhost/codoforum/index.php?u=/page/6 and
1=2%23/terms-of-service
-> false ("You do not have enough permissions to view this page!")

Code:

routes.php:593

$pid = (int) $id;
$user = \CODOF\User\User::get();

$qry = 'SELECT title, content FROM ' . PREFIX . 'codo_pages p '
. ' LEFT JOIN ' . PREFIX . 'codo_page_roles r ON
r.pid=p.id '
. ' WHERE (r.rid IS NULL OR (r.rid IS NOT NULL AND
r.rid IN (' . implode($user->rids) . ')))'
. ' AND p.id=' . $id;

SQL Injection 2

The script processing the mass sending of email does not properly handle
the subject, body, or roles arguments it retrieves from a POST request.
The script can only be accessed by authenticated users.

The following request:

https://localhost/codoforum/admin/index.php?page=system/massmail
POST: subject=USER_SUPPLIED_subj&body=USER_SUPPLIED_body
for example results in this query:

INSERT INTO codo_mail_queue (to_address, mail_subject, body) SELECT
mail, 'USER_SUPPLIED_subj', 'USER_SUPPLIED_body' FROM codo_users AS u

Code:

admin/modules/system/massmail.php

$subject = html_entity_decode($_POST['subject'],
ENT_NOQUOTES, "UTF-8");
$body = html_entity_decode($_POST['body'], ENT_NOQUOTES,
"UTF-8");
[...]
if (isset($_POST['roles'])) {

$condition = " INNER JOIN " . PREFIX .
"codo_user_roles AS r ON r.uid=u.id "
. " WHERE r.rid IN (" .
implode($_POST['roles']) . ")";
}

$qry = "INSERT INTO " . PREFIX . "codo_mail_queue
(to_address, mail_subject, body)"
. " SELECT mail, '$subject', '$body' FROM " .
PREFIX . "codo_users AS u"
. $condition;

3. Solution

Upgrade to Version 3.4:

https://bitbucket.org/evnix/codoforum_downloads/downloads/codoforum.v.3.4.build-19.zip

4. Report Timeline

07/07/2015 Informed Vendor about Issue
07/07/2015 Vendor confirmation
08/03/2015 Vendor releases Version 3.4
08/07/2015 Disclosed to public


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close