ITAS Team found out a SQL Injection vulnerability in Microweber CMS

ITAS Team found a SQL injection vulnerability in Microweber CMS. The issue is due to some scripts not properly sanitizing user-supplied input. This may allow remote attackers to execute arbitrary SQL commands via that parameter…

Individuals and organizations using this CMS should update to the latest patch (version 0.95 of 12/11/2014).

Vulnerability information:
– Vulnerability: SQL injection
– Vendor: Microweber – https://microweber.com/
– Download link: https://microweber.com/download (https://github.com/microweber/microweber)
– Affected version: Version 0.95 before 12/09/2014.
– Fix version: Version 0.95 updated on 12/11/2014
– CVE ID: CVE-2014-9464
– Author: Pham Kien Cuong – cuong.k.pham@itas.vn and ITAS Team

::VULNERABILITY DETAIL::
– Vulnerable file: microweber-master/src/Microweber/Category.php
– Vulnerable function: get_children($parent_id = 0, $type = false, $visible_on_frontend = false)
– Vulnerable parameter: $parent_id
– Vulnerable code:
public function get_children($parent_id = 0, $type = false, $visible_on_frontend = false)
{
    // The cast is stored in $categories_id, but the raw $parent_id is what
    // ends up in the query below, so the cast protects nothing.
    $categories_id = intval($parent_id);
    $cache_group = 'categories/' . $categories_id;

    $table = $this->tables['categories'];
    $db_t_content = $this->tables['content'];

    if (isset($orderby) == false) {
        $orderby = array();
        //$orderby[0] = 'updated_on';
        //$orderby[1] = 'DESC';
        $orderby[0] = 'position';
        $orderby[1] = 'asc';
    }

    if (intval($parent_id) == 0) {
        return false;
    }

    $data = array();
    $data['parent_id'] = $parent_id;

    if ($type != FALSE) {
        $data['data_type'] = $type;
    } else {
        $type = 'category_item';
        $data['data_type'] = $type;
    }

    // Unsanitized $parent_id is interpolated directly into the SQL string.
    $cache_group = 'categories/' . $parent_id;
    $q = " SELECT id, parent_id FROM $table WHERE parent_id=$parent_id ";
    $q_cache_id = __FUNCTION__ . crc32($q);
    $save = $this->app->db->query($q, $q_cache_id, $cache_group);
    if (empty($save)) {
        return false;
    }
    $to_return = array();
    if (is_array($save) and !empty($save)) {
        foreach ($save as $item) {
            $to_return[] = $item['id'];
        }
    }

    $to_return = array_unique($to_return);

    return $to_return;
}

– Fix code:
public function get_children($parent_id = 0, $type = false, $visible_on_frontend = false)
{
    // Fix: $parent_id itself is overwritten with its integer cast, so only an
    // integer can reach the query and the cache key below.
    $categories_id = $parent_id = intval($parent_id);
    $cache_group = 'categories/' . $categories_id;
    $table = $this->tables['categories'];
    $db_t_content = $this->tables['content'];
    if (isset($orderby) == false) {
        $orderby = array();
        //$orderby[0] = 'updated_on';
        //$orderby[1] = 'DESC';
        $orderby[0] = 'position';
        $orderby[1] = 'asc';
    }
    if (intval($parent_id) == 0) {
        return false;
    }
    $data = array();
    $data['parent_id'] = $parent_id;
    if ($type != FALSE) {
        $data['data_type'] = $type;
    } else {
        $type = 'category_item';
        $data['data_type'] = $type;
    }
    $cache_group = 'categories/' . $parent_id;
    $q = " SELECT id, parent_id FROM $table WHERE parent_id=$parent_id ";
    $q_cache_id = __FUNCTION__ . crc32($q);
    $save = $this->app->db->query($q, $q_cache_id, $cache_group);
    if (empty($save)) {
        return false;
    }
    $to_return = array();
    if (is_array($save) and !empty($save)) {
        foreach ($save as $item) {
            $to_return[] = $item['id'];
        }
    }
    $to_return = array_unique($to_return);
    return $to_return;
}
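The vendor fix above relies on intval() coercing whatever arrives into an integer before it is interpolated into the query string. That closes the injection, but intval() also silently turns "1abc" into 1 and "abc" into 0, so malformed input is accepted rather than rejected. The following is an added example, not Microweber's code: a hardened version of the same lookup that validates the id strictly with FILTER_VALIDATE_INT and binds it as a typed parameter through PDO, so no user data is ever concatenated into SQL. It assumes PHP 8 with the pdo_sqlite extension and uses an in-memory SQLite table with constructed sample rows; the function and table names are assumptions chosen to mirror the advisory.

```php
<?php
// Added example, not Microweber's code. Runs stand-alone with PHP 8 + pdo_sqlite.

function bootstrap(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE categories (id INTEGER PRIMARY KEY, parent_id INTEGER NOT NULL)');
    // Constructed sample rows: category 1 has children 2 and 3; category 2 has child 4.
    $pdo->exec('INSERT INTO categories (id, parent_id) VALUES (1,0),(2,1),(3,1),(4,2)');
    return $pdo;
}

/**
 * Strict validation of the incoming parent id. Unlike intval(), which maps
 * "1abc" to 1 and "abc" to 0, FILTER_VALIDATE_INT rejects anything that is
 * not a well-formed integer >= 1, so bad input fails instead of being coerced.
 */
function validateParentId(mixed $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Hardened lookup: the id is bound as an integer parameter, so the SQL text
 * is constant and the database never sees user input as part of the query.
 */
function getChildren(PDO $pdo, mixed $parent_id): array|false
{
    $id = validateParentId($parent_id);
    if ($id === null) {
        return false; // same contract as the original for a missing/zero parent
    }
    $stmt = $pdo->prepare('SELECT id, parent_id FROM categories WHERE parent_id = :pid');
    $stmt->bindValue(':pid', $id, PDO::PARAM_INT);
    $stmt->execute();
    $ids = array_map(fn(array $row) => (int) $row['id'], $stmt->fetchAll(PDO::FETCH_ASSOC));
    return array_values(array_unique($ids));
}

$pdo = bootstrap();
var_dump(getChildren($pdo, 1));       // children of 1: [2, 3]
var_dump(getChildren($pdo, '2'));     // numeric string is accepted: [4]
var_dump(getChildren($pdo, '1abc'));  // false: rejected, intval() would have used 1
var_dump(getChildren($pdo, 'abc'));   // false: rejected, intval() would have used 0
var_dump(getChildren($pdo, 0));       // false
```

Casting is an acceptable fix when the value is guaranteed to be an integer, as it is here; parameter binding is the general remedy because it also covers string-typed parameters such as $type, which the original code copies into $data without any check.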

Disclosure timeline:
– 12/09/2014: Vulnerability detected
– 12/10/2014: Vendor informed
– 12/11/2014: Vendor confirmed
– 12/11/2014: Vendor released patch
– 12/16/2014: ITAS Team published this advisory

References:
– https://microweber.com/list-of-contributors
– http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-9464
– http://www.exploit-db.com/exploits/35720/

Demonstration video
