b2evolution contains a flaw that allows a remote Cross-site Request Forgery (CSRF / XSRF) attack. The flaw exists because the application does not require multiple steps or explicit confirmation for sensitive transactions. By using a crafted URL (e.g., a crafted GET request inside an "img" tag), an attacker may trick the victim into clicking on the image to take advantage of the trust relationship between the authenticated victim and the application. Such an attack could trick the victim into manipulating SQL queries in the context of their session with the application, without further prompting or verification.
1) SQL Injection in b2evolution: CVE-2013-2945
The vulnerability exists due to insufficient validation of HTTP GET parameter "show_statuses" in "/blogs/admin.php" script. A remote authenticated administrator can execute arbitrary SQL commands in application's database.
Depending on database and system configuration, PoC code below will create a "/tmp/file.txt" file, containing MySQL version:
http://[host]/blogs/admin.php?submit=Search&ctrl=items&tab=full&blog=1&show_statuses=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' --
This vulnerability is also exploitable via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit malicious web page with CSRF exploit.
Basic CSRF exploit:
<img src="http://[host]/blogs/admin.php?submit=Search&ctrl=items&tab=full&blog=1&show_statuses=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' --">