Monday, June 12, 2017

[FD] Zenbership 1.0.8 CMS - Multiple SQL Injection Vulnerabilities

Document Title:
===============
Zenbership 1.0.8 CMS - Multiple SQL Injection Vulnerabilities

References (Source):
====================
http://ift.tt/2slDh7S

Release Date:
=============
2017-06-09

Vulnerability Laboratory ID (VL-ID):
====================================
2073

Common Vulnerability Scoring System:
====================================
5.3

Vulnerability Class:
====================
SQL Injection

Current Estimated Price:
========================
1.000€ - 2.000€

Product & Service Introduction:
===============================
Zenbership is a free & open source membership management platform for online businesses facilitating the acquisition, monetization, and retention of members. The software is designed to act as a central hub for your employees, combining multiple tools into one solution, and automating tasks like member registration, renewals, and marketing. Your members will also benefit from a branded self-service portal to update data, manage subscriptions, get news, and view event registrations.

(Copy of the Homepage: http://ift.tt/1QiBfXx )

Abstract Advisory Information:
==============================
The Vulnerability Laboratory core research team discovered multiple SQL injection vulnerabilities in the official Zenbership v1.0.8 e-commerce CRM content management system web application.

Vulnerability Disclosure Timeline:
==================================
2017-06-09: Public Disclosure (Vulnerability Laboratory)

Discovery Status:
=================
Published

Affected Product(s):
====================
Castlamp
Product: Zenbership - Content Management System (Web-Application) 1.0.8

Exploitation Technique:
=======================
Remote

Severity Level:
===============
Medium

Technical Details & Description:
================================
The SQL injection vulnerabilities allow remote attackers with privileged web-application user accounts to execute malicious SQL commands and compromise the web application and its database management system.

The vulnerabilities are located in the `error_codes`, `subscriptions`, `widget` and `logins` parameters of the `./admin/index.php` file. In the proof of concept below the list is selected with the `l` parameter and the injection payload is carried in the `filters[]` array parameter, whose value is a `||`-separated filter definition. Attackers with privileged web-application user accounts are able to execute malicious SQL commands via GET method requests. The requested parameter values are not parsed or escaped before they reach the database query. The security risk of the vulnerabilities is estimated as medium with a Common Vulnerability Scoring System count of 5.3.

Exploitation of the SQL injection vulnerabilities requires a privileged web-application user account and no user interaction. Successful exploitation of the web vulnerability results in web application or database management system compromise.

Request Method(s):
[+] GET

Vulnerable File(s):
[+] index.php

Vulnerable Parameter(s):
[+] error_codes
[+] subscriptions
[+] widget
[+] logins

Proof of Concept (PoC):
=======================
The SQL injection vulnerabilities can be exploited by remote attackers with a privileged user account and without user interaction. For security demonstration or to reproduce the vulnerability, follow the provided information and steps below.

PoC: Exploitation
./Zenbership/admin/index.php?l=error_codes&filters[]=I||code||like||ppSD_error_codes'[SQL-INJECTION VULNERABILITY!
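The filter layout in the PoC, `flag||column||operator||value`, is the pattern the added example below models. It is an illustration written for this page, not Zenbership's code: the table, the column names, the meaning of the first `||` segment and the allowlists are all assumptions. It shows the concatenating query builder the advisory describes (nothing parsed, escaped or bound), the database syntax error that the PoC's trailing single quote provokes, a payload that actually changes the result set, and a hardened builder that allowlists the list name, column and operator and binds the value as a parameter.

```python
import sqlite3

# Constructed sample table standing in for an admin "error_codes" list.
# Schema and rows are assumptions for the example, not Zenbership's.
ROWS = [
    (1, "E100", "Login failed", "public"),
    (2, "E200", "Payment declined", "public"),
    (3, "E900", "Internal key rotation", "secret"),
]

# Per-list allowlists used by the hardened builder (assumed for the example).
ALLOWED_COLUMNS = {"error_codes": {"id", "code", "message"}}
ALLOWED_OPERATORS = {"=": "=", "like": "LIKE"}


def fresh_db():
    """In-memory database seeded with the constructed rows."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE error_codes (id INTEGER, code TEXT, message TEXT, visibility TEXT)")
    db.executemany("INSERT INTO error_codes VALUES (?, ?, ?, ?)", ROWS)
    return db


def parse_filter(raw):
    """Split one filters[] value as 'flag||column||operator||value'.
    Only the layout comes from the PoC; the role of the first segment is assumed."""
    parts = raw.split("||", 3)
    if len(parts) != 4:
        raise ValueError("expected flag||column||operator||value")
    return tuple(parts)


def build_query_vulnerable(list_name, filters):
    """Concatenates every segment straight into SQL: the defect the advisory describes."""
    clauses = []
    for raw in filters:
        _flag, column, operator, value = parse_filter(raw)
        clauses.append(f"{column} {operator} '{value}'")
    where = " AND ".join(clauses) if clauses else "1=1"
    return f"SELECT id, code, message FROM {list_name} WHERE {where}", ()


def build_query_hardened(list_name, filters):
    """Allowlists list name, column and operator; binds the value as a parameter."""
    if list_name not in ALLOWED_COLUMNS:
        raise ValueError(f"unknown list: {list_name}")
    clauses, params = [], []
    for raw in filters:
        _flag, column, operator, value = parse_filter(raw)
        if column not in ALLOWED_COLUMNS[list_name]:
            raise ValueError(f"column not allowed: {column}")
        if operator.lower() not in ALLOWED_OPERATORS:
            raise ValueError(f"operator not allowed: {operator}")
        clauses.append(f"{column} {ALLOWED_OPERATORS[operator.lower()]} ?")
        params.append(value)
    where = " AND ".join(clauses) if clauses else "1=1"
    return f"SELECT id, code, message FROM {list_name} WHERE {where}", tuple(params)


def query(builder, list_name, filters):
    """Run a builder against a fresh database.
    Returns ('rows', rows) on success or ('error', exception class name) on rejection or SQL error."""
    db = fresh_db()
    try:
        sql, params = builder(list_name, filters)
        return ("rows", db.execute(sql, params).fetchall())
    except (ValueError, sqlite3.OperationalError) as exc:
        return ("error", type(exc).__name__)


if __name__ == "__main__":
    poc = "I||code||like||ppSD_error_codes'"          # the advisory's probe: stray quote
    exfil = "I||code||=||x' OR visibility='secret"    # payload that widens the WHERE clause
    print(query(build_query_vulnerable, "error_codes", [poc]))    # ('error', 'OperationalError')
    print(query(build_query_vulnerable, "error_codes", [exfil]))  # ('rows', [(3, 'E900', 'Internal key rotation')])
    print(query(build_query_hardened, "error_codes", [poc]))      # ('rows', [])
    print(query(build_query_hardened, "error_codes", [exfil]))    # ('rows', [])
    print(query(build_query_hardened, "error_codes", ["I||visibility||=||secret"]))  # ('error', 'ValueError')
```

The PoC's trailing quote is only a detection probe: against the concatenating builder it leaves an unterminated string literal and the database raises a syntax error, which is the signal the advisory relies on. A payload that closes the literal and appends its own condition returns rows the filter was never meant to expose. The hardened builder keeps user input out of the SQL text entirely, so the same payloads become harmless literal comparisons, and a column or operator outside the allowlist is rejected before any query is built.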
