Document Title:
===============
Xavier v2.4 PHP MP - SQL Injection Web Vulnerabilities


References (Source):
====================
http://ift.tt/2r0PpGo


Release Date:
=============
2017-06-06


Vulnerability Laboratory ID (VL-ID):
====================================
2076


Common Vulnerability Scoring System:
====================================
5.3


Vulnerability Class:
====================
SQL Injection


Current Estimated Price:
========================
1.000€ - 2.000€


Product & Service Introduction:
===============================
The script can easily be dropped in to an existing website allowing you to protect pages by adding one line of PHP code at the top of a page. You can also protect sections of pages. Secure your web pages or sections of content dependent on whether your users are logged in or out, or whether they are a member of a User Group. Or secure your pages dependent on whether you are logged on as an administrator.

(Copy of the Homepage: http://ift.tt/2r0Tx9s )


Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple sql-injection web vulnerabilities in the Xavier PHP Login Script & User Management Admin Panel v2.4 web-application.


Vulnerability Disclosure Timeline:
==================================
2017-06-06: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Siggles
Product: Xavier - PHP Login Script & User Management Admin Panel 2.4


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
Multiple sql-injection vulnerabilities have been discovered in the Xavier PHP Login Script & User Management Admin Panel web-application. The issue allows remote attackers to inject their own malicious sql commands to compromise the web-application & database management system.

The sql-injection vulnerabilities are located in the `usertoedit` and `log_id` parameters of the `adminuseredit.php` and `editgroup.php` files. Remote attackers with privileged user accounts are able to compromise the web-application and database management system by injection of sql commands via GET method request. The attack vector is client-side and the request method to inject the sql commands is GET. The vulnerability is a classic order by sql-injection.

The security risk of the sql-injection web vulnerability is estimated as medium with a common vulnerability scoring system count of 5.3. Exploitation of the remote sql-injection web vulnerability requires an authenticated web-application user account and no user interaction. Successful exploitation of the sql-injection web vulnerability results in web-application or database management system compromise.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] adminuseredit.php
[+] editgroup.php

Vulnerable Parameter(s):
[+] usertoedit
[+] log_id


Proof of Concept (PoC):
=======================
The remote sql-injection vulnerability can be exploited by authenticated user accounts without user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below to continue.

PoC: Example
http://ift.tt/2rw50kR VULNERABILITY!]
http://ift.tt/2r0MBJr VULNERABILITY!]

PoC: Exploitation
http://ift.tt/2seZRPl
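
Added example, not part of the advisory and not Xavier's own code: one way to handle GET parameters such as `usertoedit` and `log_id` so that their values cannot change the SQL text, written in PHP with PDO. The table, columns, function names and sample rows are assumptions constructed for illustration, and an in-memory SQLite database (pdo_sqlite extension assumed) stands in for the application's database.

```php
<?php
declare(strict_types=1);
// Added example (not Xavier's code): table, column and function names are assumed.

// Constructed sample data in an in-memory SQLite database so the script runs offline.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)');
$pdo->exec("INSERT INTO users (username, email) VALUES ('alice', 'a@example.test'), ('bob', 'b@example.test')");

// Vulnerable pattern of the kind the advisory describes: GET value concatenated into SQL.
//   $sql = "SELECT * FROM users WHERE username = '" . $_GET['usertoedit'] . "'";

// Hardened lookup for a string parameter such as usertoedit: the value is bound as data.
function findUser(PDO $pdo, string $userToEdit): ?array
{
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,64}\z/', $userToEdit)) {
        return null; // reject anything outside the expected username alphabet
    }
    $stmt = $pdo->prepare('SELECT id, username, email FROM users WHERE username = :u');
    $stmt->execute([':u' => $userToEdit]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Numeric parameter such as log_id: accept only a positive integer, nothing trailing.
function parseId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// ORDER BY cannot take a bound parameter, so map the request value onto an allow-list.
function listUsers(PDO $pdo, string $sort): array
{
    $columns = ['name' => 'username', 'mail' => 'email', 'id' => 'id'];
    $orderBy = $columns[$sort] ?? 'id'; // unknown keys fall back to a fixed column
    return $pdo->query("SELECT id, username FROM users ORDER BY $orderBy")->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: one well-formed value and one malformed value per handler.
var_dump(findUser($pdo, 'alice'));
var_dump(findUser($pdo, "alice'--"));
var_dump(parseId('7'), parseId('7 ORDER BY 1'));
var_dump(listUsers($pdo, 'name'), listUsers($pdo, 'username, email'));
```

In a real handler the strings passed to these functions would come from `$_GET`, and a `null` result would end the request with an error instead of reaching the database.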