Skip to content
cyberexploits
webappphptext

Simple PHP Agenda 2.2.8 - 'edit_event.php eventid Parameter' SQL Injection

Simple PHP Agenda 2.2.8 - 'edit_event.php eventid Parameter' SQL Injection

Published on 2013-06-11

Source code

Pinned to commit 7eac4c3a2ce5
textplatforms/php/webapps/26136.txt7eac4c3a
raw
=============================================

WEBERA ALERT ADVISORY 02

- Discovered by: Anthony Dubuissez

- Severity: high

- CVE Request – 05/06/2013

- CVE Assign – 06/06/2013

- CVE Number – CVE-2013-3961

- Vendor notification – 06/06/2013

- Vendor reply – 10/06/2013

- Public disclosure – 11/06/2013

=============================================



I. VULNERABILITY ————————-

iSQL in php-agenda <= 2.2.8



II. BACKGROUND ————————-

Simple Php Agenda is « a simple agenda tool written in PHP with MySQL backend. An agenda tool accessible everywere 

there’s internet ».



III. DESCRIPTION ————————-

Php-Agenda 2.2.8 and lower versions contain a flaw that allows an authenticated user iSQL attack. This flaw exists 

because the application does not properly sanitize parameters (only rely on mysql_real_escape_string() funcion ) in the 

edit_event.php file. This allows an attacker to create a specially crafted URL to dump multiple informations of the 

databases content.

A valid account is required.



IV. PROOF OF CONCEPT ————————-

dumping login and password of the first admin

iSQL: 

http://server/edit_event.php?eventid=1%20union%20select%201,2,3,username,password,6,7,8,9%20from%20users%20where%20userlevel=9%20limit%200,1



V. BUSINESS IMPACT ————————-

iSQL: We can get sensitive information with the vulnerabilities that can escalate to a complete administrator account.



VI. SYSTEMS AFFECTED ————————-

Php-Agenda 2.2.8 and lower versions



VII. SOLUTION ————————-

sanitize correctly the GET/POST parameter. (don’t rely on the mysql_real_escape_string() functions only…)



VIII. REFERENCES ————————-

http://www.webera.fr/advisory-02-php-agenda-isql-exploit/



IX. CREDITS ————————- 

the vulnerability has been discovered by Anthony Dubuissez (anthony (dot) dubuissez (at) webera (dot) fr).



X. DISCLOSURE TIMELINE ————————-

June 05, 2013: Vulnerability acquired by Webera

June 06, 2013: Sent to vendor.

June 10, 2013: Reply of vendor, vendor release bugfix in version 2.2.9

June 11, 2013: Advisory published and sent to lists.



XI. LEGAL NOTICES ————————-

The information contained within this advisory is supplied « as-is » with no warranties or guarantees of fitness of use 

or otherwise.Webera accepts no responsibility for any damage caused by the use or misuse of this information.



XII. FOLLOW US ————————-

You can follow Webera, news and security advisories at:

On twitter : @erathemass
View on GitHub