Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Go to file
 
 
Cannot retrieve contributors at this time
===============================
- Advisory -
===============================
Tittle: KBPublisher 6.0.2.1 - Multiple SQL Injection
Risk: High
Date: 21.Aug.2019
Author: Pedro Andujar
Twitter: @pandujar
.: [ INTRO ] :
KBPublisher is Knowledge Management Software. It reduces the need for customer support, improves staff productivity, and eliminates
time wasted searching for information.
.: [ TECHNICAL DESCRIPTION ] :.
KBPublisher release 6.0.2, and probably prior versions, contain multiple SQLi vulnerabilities that affect not only the admin interface but also the public (unauthenticated)
area of the application
.: [ ISSUE #1 ]:.
Name: Multiple SQLi
Severity: High
CVE: CVE-2019-10687
Affected URL's from the admin area:
https://SITE/admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325PAYLOAD&filter%5Bt%5D=1&ajax=1 (Also affecting to POST parameters)
https://SITE/admin/index.php?module=log&page=login_log&action=detail&id=PAYLOAD
The publicly accesible URL, correspond to the print feature:
https://SITE/index.php?View=print&id%5B%5D=PAYLOAD
During the test, it was possible to dump users and hashes of the application as any other content from the DB.
.: [ CHANGELOG ] :.
* 21/Mar/2019: - Vuln discovered during engagement.
* 21/Mar/2019: - KBP product security contacted.
* 22/Mar/2019: - Replied providing workarround.
* 30/Apr/2019: - New release of KBP released to public.
* 21/Ago/2019: - Public disclosure.
(Kudos to Evgeny Leontev, for the excelent communication and incident handling)
.: [ SOLUTIONS ] :.
Upgrade to version 7.0 or higher.
.: [ REFERENCES ] :.
[+] KBPublisher Release Notes
https://www.kbpublisher.com/kb/release-notes-59/
[+] Tarlogic
https://www.tarlogic.com/
[+] Black Arrow
https://www.blackarrow.net
-=EOF=-