ITAS Team found out a SQL Injection vulnerability in ProjectSend-r561

ITAS Team found out a SQL Injection vulnerability in ProjectSend r561. The issue is due to using the function to sanitize user-supplied input-data from ‘id’ parameter incorrectly. This may allows remote attackers to execute arbitrary SQL commands via that parameter.

Individuals and organizations are using this should note and give the solution to fix.

Vulnerability information:
– Vulnerability: SQL injection
– Vendor: http://www.projectsend.org/
– Download link: http://www.projectsend.org/download/67/
– Affected version: ProjectSend r561
– Fix version: N/A
– CVE ID: CVE-2015-2564
– Author: Le Ngoc Phi (phi.n.le@itas.vn) & ITAS Team (www.itas.vn)

::VULNERABILITY DETAIL::
+ REQUEST:
GET /projectsend/users-edit.php?id= HTTP/1.1
Host: research-itasvn.rhcloud.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: 54f8105d859e0_SESSION=q6tjpjjbt53nk1o5tnbv2123456; PHPSESSID=jec50hu4plibu5p2p6hnvpcut6
Connection: keep-alive

– Vulnerable file: client-edit.php
– Vulnerable parameter: id
– Vulnerable code:
if (isset($_GET[‘id’])) {
$client_id = mysql_real_escape_string($_GET[‘id’]);
/**
* Check if the id corresponds to a real client.
* Return 1 if true, 2 if false.
**/
$page_status = (client_exists_id($client_id)) ? 1 : 2;
}
else {
/**
* Return 0 if the id is not set.
*/
$page_status = 0;
}
/**
* Get the clients information from the database to use on the form.
*/
if ($page_status === 1) {
$editing = $database->query(“SELECT * FROM tbl_users WHERE id=$client_id”);
while($data = mysql_fetch_array($editing)) {
$add_client_data_name = $data[‘name’];
$add_client_data_user = $data[‘user’];
$add_client_data_email = $data[’email’];
$add_client_data_addr = $data[‘address’];
$add_client_data_phone = $data[‘phone’];
$add_client_data_intcont = $data[‘contact’];
if ($data[‘notify’] == 1) { $add_client_data_notity = 1; } else { $add_client_data_notity = 0; }
if ($data[‘active’] == 1) { $add_client_data_active = 1; } else { $add_client_data_active = 0; }
}
}

INFORMATION DISCLOSURE:
+ 01/06/2015: Detected vulnerability
+ 01/07/2015: Contact to vendor
+ 01/08/2015: Send the detail vulnerability to vendor – vendor did not reply
+ 03/05/2015: Public information

DEMOSTRATION VIDEO

/ Blog / Tags: ,

Share the Post