BugTraq
[RCESEC-2016-002] XenAPI v1.4.1 for XenForo Multiple Unauthenticated SQL Injections May 23 2016 07:08PM
Julien Ahrens (info rcesecurity com)
RCE Security Advisory
https://www.rcesecurity.com

1. ADVISORY INFORMATION
=======================
Product: XenAPI for XenForo
Vendor URL: github.com/Contex/XenAPI
Type: SQL Injection [CWE-89]
Date found: 2016-05-20
Date published: 2016-05-23
CVSSv3 Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
CVE: -

2. CREDITS
==========
This vulnerability was discovered and researched by Julien Ahrens from
RCE Security.

3. VERSIONS AFFECTED
====================
XenAPI for XenForo v1.4.1
older versions may be affected too but were not tested.

4. INTRODUCTION
===============
This Open Source REST API allows usage of several of XenForo's functions,
such as authentication, user information and many other functions!

(from the vendor's homepage)

5. VULNERABILITY DETAILS
========================
The plugin "XenAPI" for XenForo offers a REST Api with different functions
to query and edit information from the XenForo database backend. Amongst
those are "getGroup" and "getUsers", which can be called without
authentication (default) and since the application does not properly
validate and sanitize the "value" parameter, it is possible to inject
arbitrary SQL commands into the XenForo backend database.

The following proof-of-concepts exploit each vulnerable REST action
and extract the hostname of the server:

https://127.0.0.1/api.php?action=getUsers&value=' UNION ALL SELECT
CONCAT(IFNULL(CAST(%40%40HOSTNAME AS CHAR)%2C0x20))%2CNULL%23

https://127.0.0.1/api.php?action=getGroup&value=' UNION ALL SELECT
NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT(IFNULL(CAST(%40%40HOSTNAME AS
CHAR)%2C0x20))%2CNULL%23

6. RISK
=======
The vulnerability allows remote attackers to read sensitive information
from the XenForo database like usernames and passwords. Since the affected
REST actions do not require an authentication hash, these vulnerabilities
can be exploited by an unauthenticated attacker.

7. SOLUTION
===========
Update to the latest version v1.4.2

8. REPORT TIMELINE
==================
2016-05-20: Discovery of the vulnerability
2016-05-20: Notified vendor via contact address
2016-05-20: Vendor provides update for both issues
2016-05-21: Provided update fixes the reported issues
2016-05-21: Vendor publishes update
2016-05-23: Advisory released

9. REFERENCES
=============
https://github.com/Contex/XenAPI/commit/00a737a1fe45ffe5c5bc6bace44631dd
b73f2ecf
https://xenforo.com/community/resources/xenapi-xenforo-php-rest-api.902/
update?update=19336

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJXQ1UmAAoJELLTnL9hzYr6+tMP/iyV4Pkc0vn4+llcwDDN//l3
APRLKOJNfbUlPz/+5Rd+884sybpiR9FwQzv1IunCG61KOXaIOeunXq25hFGo4xyL
yy/syUMjCv0fD/Mb3wiWogIYcH8sTfaztWkkZcyPM32F+32ji9k4yhtSteBE5nIc
O55XXm6VU9eMlQ/2mDI78JHOvpo/VUc1cd+PhKdPA2iNubhYOzAe6seJBamUf9H6
f/lLaGslw05eEUnQO08vc+KB6BUxFm7krpw0pisBA2fAjRQFUm2N9qf77kuhFazS
2RRF3X58gWXS6KJO0kOzKNEvY8qDhu5zEM2C377O2qJL1esgS2hRpNhkm/siVkiA
L/2BfzSouCNLeYZlucgUlJ6NICbzQSjy+Lxz14G97/oRZQWkxLOhOaiBhYTrpaN4
5O/xYnmexcHOG8GkBSaYGxI9RLJt++OWyWSkVRzXaQMDVRa8DWkPPez+wJ/NPJGR
0H8D/YUuYgaxHgZjp1h3HK+wctA3C32FMKPnXbJmK3Q8ph0IS8ZWvL7V0UVTvYag
1Vv3UziDO8wfi84hm4Bhfmsb+T+iwX6qZGK4VvdAhKztfTl2dcdPDZHl/3hNmV+z
7b/OfaqY5LuIUHNHHSG93cxLL8PFp8vVFBxMB3e6zFP3J4UT2F4CoTexkt1rU3do
7jZSklshvpw9/XaGX6C8
=l0sx
-----END PGP SIGNATURE-----

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus