Permalink
Cannot retrieve contributors at this time
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
advisories/KBPublisher_6.0.2.1_en.txt
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
72 lines (41 sloc)
1.89 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| =============================== | |
| - Advisory - | |
| =============================== | |
| Tittle: KBPublisher 6.0.2.1 - Multiple SQL Injection | |
| Risk: High | |
| Date: 21.Aug.2019 | |
| Author: Pedro Andujar | |
| Twitter: @pandujar | |
| .: [ INTRO ] : | |
| KBPublisher is Knowledge Management Software. It reduces the need for customer support, improves staff productivity, and eliminates | |
| time wasted searching for information. | |
| .: [ TECHNICAL DESCRIPTION ] :. | |
| KBPublisher release 6.0.2, and probably prior versions, contain multiple SQLi vulnerabilities that affect not only the admin interface but also the public (unauthenticated) | |
| area of the application | |
| .: [ ISSUE #1 ]:. | |
| Name: Multiple SQLi | |
| Severity: High | |
| CVE: CVE-2019-10687 | |
| Affected URL's from the admin area: | |
| https://SITE/admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325PAYLOAD&filter%5Bt%5D=1&ajax=1 (Also affecting to POST parameters) | |
| https://SITE/admin/index.php?module=log&page=login_log&action=detail&id=PAYLOAD | |
| The publicly accesible URL, correspond to the print feature: | |
| https://SITE/index.php?View=print&id%5B%5D=PAYLOAD | |
| During the test, it was possible to dump users and hashes of the application as any other content from the DB. | |
| .: [ CHANGELOG ] :. | |
| * 21/Mar/2019: - Vuln discovered during engagement. | |
| * 21/Mar/2019: - KBP product security contacted. | |
| * 22/Mar/2019: - Replied providing workarround. | |
| * 30/Apr/2019: - New release of KBP released to public. | |
| * 21/Ago/2019: - Public disclosure. | |
| (Kudos to Evgeny Leontev, for the excelent communication and incident handling) | |
| .: [ SOLUTIONS ] :. | |
| Upgrade to version 7.0 or higher. | |
| .: [ REFERENCES ] :. | |
| [+] KBPublisher Release Notes | |
| https://www.kbpublisher.com/kb/release-notes-59/ | |
| [+] Tarlogic | |
| https://www.tarlogic.com/ | |
| [+] Black Arrow | |
| https://www.blackarrow.net | |
| -=EOF=- |