
Responsible Disclosure - Security Issue #109

Closed
de-adshot opened this issue Feb 26, 2021 · 13 comments

@de-adshot

Hi Team,
We have identified a Critical security issue and we would like to report it back to you, since it is supposed to be fixed ASAP. We tried to contact you via the b2evolution forum. Since there was no response, we are trying to reach you via all modes. Kindly help us with your mail id so we can report it directly to the correct person as part of responsible disclosure.

@de-adshot
Author

de-adshot commented Feb 26, 2021 via email

@fplanque
Contributor

Hi Avinash, I sent an email to Partha who contacted me on the forums.
Please do not share security details publicly.
I do not want to share email addresses publicly either.
If you did not get my email, please contact me privately at https://b2evolution.net/about/email-contact

@de-adshot
Author

Hi François,

Mail has been sent. And let's keep this issue open until we have released a fix.

@farfallosa

@de-adshot @fplanque
I hope that a fix for the critical security issue will be released in a way that users will notice. I hope to get information on which versions are affected (6.11.x or 7.2.x). I would appreciate this.

@fplanque
Contributor

fplanque commented Mar 1, 2021

Only users who have access to collections in the backoffice would be able to use this exploit. These are typically trusted users. So the severity of the issue is LOW.

@fplanque
Contributor

fplanque commented Mar 2, 2021

Fix included here: https://b2evolution.net/downloads/7-2-3-stable

@de-adshot
Author

@farfallosa I have not tested in 6.11.x. The vulnerability was tested and identified on 7.2.2.

@fplanque this issue can be called a trust issue. To be noted, multiple user privilege levels can have access to collections, as mentioned in the mail. Also, multiple external attack vectors are available, and one of them can be social engineering.

CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS score: 8.8 (High)

Considering the above facts the vulnerability will fall under HIGH category. The type of vulnerability which was reported will never fall under LOW category in any circumstances. Hence we shall conclude that this vulnerability falls under HIGH severity.

@fplanque fplanque closed this as completed Mar 3, 2021
@fplanque fplanque added the Fixed label Mar 3, 2021
@farfallosa

@fplanque you fixed the security issue in 7.2.3, but is there a fix for 6.11.5 or 6.11.7, too? Maybe the issue was closed too soon.
I can understand that you won't publish a fix, because you won't spot to it. But nevertheless - if there exists a security issue and if @de-adshot's analysis is correct (HIGH severity), the users should be informed. A fix dumb for 6.11.5 or 6.11.7 (as the last version before 7.x) should be offered. That would be awesome. If those versions are not affected, it would be great to know. Thanks

@fplanque
Contributor

fplanque commented Mar 3, 2021

We (unpaid core developers) do not support v6 any more.
(Anyone who wants to continue using old deprecated versions is welcome to fix them and publish fixes. It's all open source.)

@fplanque
Contributor

fplanque commented Mar 8, 2021

Thank you to Avinash, Balaji Ayyasamy and Parthasarathi S for finding and reporting this issue:

Avinash - https://www.linkedin.com/in/avinashranalyst/
Balaji Ayyasamy - https://www.linkedin.com/in/balaji-ayyasamy-aa540b109/
Parthasarathi S - https://www.linkedin.com/in/parthasarathi-s-62b8411a4/

@de-adshot
Author

A walkthrough for the identified vulnerability is below:
https://deadsh0t.medium.com/authenticated-boolean-based-blind-error-based-sql-injection-b752225f0644

@de-adshot
Author

Hi All,
This vulnerability has been assigned CVE-2021-28242 by MITRE.

@de-adshot
Author

@fplanque Hi, I have requested an update on the name update via your b2evolution mail. Can you look into that?
