# Exploit Title: SQL Injection Vulnerability in Microweber 0.95 # Vendor: https://microweber.com/
# Download link: https://microweber.com/download (https://github.com/microweber/microweber) # CVE ID: CVE-2014-9464 # Vulnerability: SQL Injection # Affected version: Version 0.95 before 12/09/2014. # Fixed version: Version 0.95 updated on 12/11/2014 # Author: Pham Kien Cuong (cuong.k.p...@itas.vn) & ITAS Team (www.itas.vn) ::VULNERABILITY DETAIL:: - A SQL injection vulnerability has been found and confirmed within the Microweber CMS as an anonymous user. A successful attack could allow an anonymous attacker to access information such as username and password hashes, or other private information that are stored in the database. The following URL and parameter have been confirmed to suffer from SQL injection. - Attack vector: GET /shop/category:[SQL INJECTION HERE] HTTP/1.1 Host: target.org User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Referer: http://target/shop Cookie: mw-time546209978=2015-01-05+05%3A19%3A53; PHPSESSID=48500cad98b9fa857b9d82216afe0275 Connection: keep-alive - Vulnerable file: microweber-master/src/Microweber/Category.php - Vulnerable function: get_children($parent_id = 0, $type = false, $visible_on_frontend = false) - Vulnerable parameter: $parent_id - Vulnerable code: public function get_children($parent_id = 0, $type = false, $visible_on_frontend = false) { $categories_id = intval($parent_id); $cache_group = 'categories/' . $categories_id; $table = $this->tables['categories']; $db_t_content = $this->tables['content']; if (isset($orderby) == false) { $orderby = array(); //$orderby[0] = 'updated_on'; //$orderby[1] = 'DESC'; $orderby[0] = 'position'; $orderby[1] = 'asc'; } if (intval($parent_id) == 0) { return false; } $data = array(); $data['parent_id'] = $parent_id; if ($type != FALSE) { $data['data_type'] = $type; } else { $type = 'category_item'; $data['data_type'] = $type; } $cache_group = 'categories/' . $parent_id; $q = " SELECT id, parent_id FROM $table WHERE parent_id=$parent_id "; $q_cache_id = __FUNCTION__ . crc32($q); $save = $this->app->db->query($q, $q_cache_id, $cache_group); if (empty($save)) { return false; } $to_return = array(); if (is_array($save) and !empty($save)) { foreach ($save as $item) { $to_return[] = $item['id']; } } $to_return = array_unique($to_return); return $to_return; } - Fix code: public function get_children($parent_id = 0, $type = false, $visible_on_frontend = false) { $categories_id = $parent_id =intval($parent_id); $cache_group = 'categories/' . $categories_id; $table = $this->tables['categories']; $db_t_content = $this->tables['content']; if (isset($orderby) == false) { $orderby = array(); //$orderby[0] = 'updated_on'; //$orderby[1] = 'DESC'; $orderby[0] = 'position'; $orderby[1] = 'asc'; } if (intval($parent_id) == 0) { return false; } $data = array(); $data['parent_id'] = $parent_id; if ($type != FALSE) { $data['data_type'] = $type; } else { $type = 'category_item'; $data['data_type'] = $type; } $cache_group = 'categories/' . $parent_id; $q = " SELECT id, parent_id FROM $table WHERE parent_id=$parent_id "; $q_cache_id = __FUNCTION__ . crc32($q); $save = $this->app->db->query($q, $q_cache_id, $cache_group); if (empty($save)) { return false; } $to_return = array(); if (is_array($save) and !empty($save)) { foreach ($save as $item) { $to_return[] = $item['id']; } } $to_return = array_unique($to_return); return $to_return; } ::SOLUTION:: Version 0.95 updated on 12/11/2014 ::TIMELINE:: + 12/09/2014: Detected vulnerability + 12/10/2014: Inform the vendor + 12/11/2014: Vendor confirmed + 12/11/2014: Vendor releases patch + 12/16/2014: ITAS Team publishes information ::REFERENCE:: - http://www.itas.vn/news/itas-team-found-out-a-sql-injection-vulnerability-in -microweber-cms-69.html - https://github.com/microweber/microweber/commit/4ee09f9dda35cd1b15daa351f335 c2a4a0538d29 - https://microweber.com/list-of-contributors - https://www.youtube.com/watch?v=SSE8Xj_-QaQ ::COPYRIGHT:: Copyright (c) ITAS CORP 2014, All rights reserved worldwide. Permission is hereby granted for the electronic redistribution of this information. It is not to be edited or altered in any way without the express written consent of ITAS CORP. ::DISCLAIMER:: THE INFORMATION PRESENTED HEREIN ARE PROVIDED ?AS IS? WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING BUT NOT LIMITED TO, ANY IMPLIED WARRANTIES AND MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR WARRANTIES OF QUALITY OR COMPLETENESS. THE INFORMATION PRESENTED HERE IS A SERVICE TO THE SECURITY COMMUNITY AND THE PRODUCT VENDORS. ANY APPLICATION OR DISTRIBUTION OF THIS INFORMATION CONSTITUTES ACCEPTANCE ACCEPTANCE AS IS, AND AT THE USER'S OWN RISK. Best Regards, ---------------------------------------------------------------------------- ---------------- ITAS Team ITAS Corp. Be protected with us Office : 24 Dang Thai Mai St., Ward 7, Phu Nhuan District, HCMC. Tel : +84 - 8 - 38931952 Hotline : 0903445711 Email : <mailto:i...@itas.vn> i...@itas.vn <http://www.itas.vn/> www.itas.vn _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
