KBPublisher Security Vulnerability

Vulnerability ID: 1709904    Vulnerability type: SQL injection
Published: 2019-08-22    Updated: 2019-09-05
CVE: CVE-2019-10687    CNNVD-ID: CNNVD-201908-1728
Platform: N/A    CVSS score: N/A
|Vulnerability sources
https://cxsecurity.com/issue/WLB-2019080102
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-201908-1728
|Vulnerability details
KBPublisher is a knowledge base management suite. It supports creating user manuals, publishing policies and procedures, managing project documents, and similar functions. KBPublisher 6.0.2.1 contains a SQL injection vulnerability. The vulnerability stems from the database-backed application's failure to validate externally supplied input used in SQL statements. An attacker could exploit this vulnerability to execute unauthorized SQL commands.
|Vulnerability EXP
          ===============================
                   - Advisory -
          ===============================

   Title:   KBPublisher 6.0.2.1 - Multiple SQL Injection
    Risk:   High
    Date:   21.Aug.2019
  Author:   Pedro Andujar
 Twitter:   @pandujar



.: [ INTRO ] :.

KBPublisher is Knowledge Management Software. It reduces the need for customer support, improves staff productivity, and eliminates 
time wasted searching for information.


.: [ TECHNICAL DESCRIPTION ] :.

KBPublisher release 6.0.2, and probably prior versions, contains multiple SQLi vulnerabilities that affect not only the admin interface but also the public (unauthenticated)
area of the application.


.: [ ISSUE #1 ]:.

Name: Multiple SQLi
Severity: High
CVE: CVE-2019-10687

Affected URLs from the admin area:
https://SITE/admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325PAYLOAD&filter%5Bt%5D=1&ajax=1 (also affects POST parameters)

https://SITE/admin/index.php?module=log&page=login_log&action=detail&id=PAYLOAD

The publicly accessible URL corresponds to the print feature:
https://SITE/index.php?View=print&id%5B%5D=PAYLOAD

During the test, it was possible to dump the users and hashes of the application, as well as any other content from the DB.
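An added detection example, not part of the advisory or of KBPublisher itself: it scans web-server access-log lines for the three affected request shapes listed above and flags any id parameter whose value is not a plain integer, which is the only kind of value those parameters should ever carry. The log lines are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# The three request shapes named in the advisory: exact script path, the query
# values that select the feature, and the parameters that should only ever
# carry a numeric row id. A non-numeric value in one of them is worth a look.
AFFECTED_ENDPOINTS = [
    ("/admin/index.php", {"module": "report", "page": "report_entry"}, ("entry_id[0]",)),
    ("/admin/index.php", {"module": "log", "page": "login_log", "action": "detail"}, ("id",)),
    ("/index.php", {"View": "print"}, ("id[]",)),
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (?P<target>\S+) HTTP/\d\.\d"')
NUMERIC_RE = re.compile(r"[0-9]+")


def check_request(target):
    """Return (param, value) pairs where an affected endpoint received a
    non-numeric id. parse_qs decodes %5B%5D, so keys compare as 'id[]'."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    findings = []
    for path, marker, id_params in AFFECTED_ENDPOINTS:
        if parts.path != path or any(query.get(k, [None])[0] != v for k, v in marker.items()):
            continue
        for param in id_params:
            findings += [(param, v) for v in query.get(param, []) if not NUMERIC_RE.fullmatch(v)]
    return findings


def scan_access_log(lines):
    """Return (line_no, client_ip, param, value) for each suspicious request.
    Only the query string is logged; POST bodies (also affected) need app-level logging."""
    hits = []
    for number, line in enumerate(lines, start=1):
        m = REQUEST_RE.search(line)
        if m:
            for param, value in check_request(m.group("target")):
                hits.append((number, line.split(" ", 1)[0], param, value))
    return hits


# Constructed access-log sample in Apache combined format (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [21/Aug/2019:10:00:01 +0000] "GET /index.php?View=print&id%5B%5D=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [21/Aug/2019:10:00:02 +0000] "GET /index.php?View=print&id%5B%5D=12%27 HTTP/1.1" 200 9800 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [21/Aug/2019:10:00:03 +0000] "GET /admin/index.php?module=log&page=login_log&action=detail&id=7 HTTP/1.1" 200 2100 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [21/Aug/2019:10:00:04 +0000] "GET /admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325%27&filter%5Bt%5D=1&ajax=1 HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
    '10.0.0.3 - - [21/Aug/2019:10:00:05 +0000] "GET /index.php?View=article&id=12%27 HTTP/1.1" 200 700 "-" "Mozilla/5.0"',
]
```

Running `scan_access_log(SAMPLE_LOG)` reports lines 2 and 4 only; the last sample line carries a stray quote but is not one of the affected endpoints, so it is left alone.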


.: [ CHANGELOG ] :.

  * 21/Mar/2019:   - Vuln discovered during engagement.
  * 21/Mar/2019:   - KBP product security contacted.
  * 22/Mar/2019:   - Replied providing workaround.
  * 30/Apr/2019:   - New release of KBP released to public.
  * 21/Aug/2019:   - Public disclosure.

(Kudos to Evgeny Leontev for the excellent communication and incident handling)


.: [ SOLUTIONS ] :.

Upgrade to version 7.0 or higher.


.: [ REFERENCES ] :.

   [+] KBPublisher Release Notes
    https://www.kbpublisher.com/kb/release-notes-59/
   [+] Tarlogic
    https://www.tarlogic.com/

   [+] Black Arrow
    https://www.blackarrow.net




                    -=EOF=-
|References

Source: github.com

Link: https://github.com/pandujar/advisories/blob/master/KBPublisher_6.0.2.1_en.txt


Source: packetstormsecurity.com

Link: https://packetstormsecurity.com/files/154184/KBPublisher-6.0.2.1-SQL-Injection.html


Source: nvd.nist.gov

Link: https://nvd.nist.gov/vuln/detail/CVE-2019-10687