Stay in touch

Enter your email and get the latest news and researches on cybersecurity, receive invitations to private security events and conferences.

SQL Injection and RCE in WebsiteBaker

Advisory ID:HTB23296
Product:WebsiteBaker
Vendor:WebsiteBaker Org e.V.
Vulnerable Versions:2.8.3-SP5 and probably prior
Tested Version:2.8.3-SP5
Advisory Publication:February 24, 2016 [without technical details]
Vendor Notification:February 24, 2016
Vendor Fix:February 26, 2016
Public Disclosure:March 18, 2016
Latest Update:February 26, 2016
Vulnerability Type:SQL Injection [CWE-89]
CVE Reference:Pending
Risk Level:High
CVSSv3 Base Score:8.1 [CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H]
CVSSv3 Calculator
Solution Status:Fixed by Vendor
Discovered and Provided:High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in WebsiteBaker CMS. A remote attacker will be able to read, write or modify arbitrary information in the database, gain complete control over the vulnerable web application and even the entire web server on which the application is hosted.

The vulnerability exists due to insufficient filtration of user-supplied data passed via "language" HTTP POST parameter to "/account/preferences.php" PHP script. A remote authenticated attacker (the registration is open by default) can alter present SQL query, inject and execute arbitrary SQL commands in the application’s database.

Successful exploitation of vulnerability requires that the attacker is registered and authenticated, but the registration is open by default.

The following exploit code will assign administrative privileges to attacker’s account. To reproduce the vulnerability, just login to the website, copy-paste the code below into an empty HTML file and then open it in your browser:

<form action="http://[host]/account/preferences.php" method="post" name="f1">
<input type="hidden" name="display_name" value="username">
<input type="hidden" name="language" value="EN',group_id='1',groups_id='1">
<input type="hidden" name="action" value="details">
<input value="submit" id="btn" type="submit" />
</form><script>document.f1.submit();</script>


We also attract your attention, that website administrator can edit the "intro.php" file and inject arbitrary PHP code into it using the following URL:

http://[host]/admin/pages/intro.php

The injected code will be executed every time the user visits the following page:

http://[host]/pages/intro.php

Giving these circumstances, successful exploitation of SQL injection vulnerability will lead to Remote Code Execution and full compromise not just of the website, but of the entire web server and related environment.


ImmuniWeb® On-Demand Web Application Penetration Test


Solution:
Update to WebsiteBaker 2.8.3 SP6 RC3.0

More Information:
http://addon.websitebaker.org/pages/en/browse-add-ons.php?id=06C9F242


References:
[1] High-Tech Bridge Advisory HTB23296 - https://www.htbridge.com/advisory/HTB23296 - SQL Injection and RCE in WebsiteBaker
[2] WebsiteBaker - http://websitebaker.org - WebsiteBaker helps you to create the website you want: A free, easy and secure, flexible and extensible open source content management system (CMS).
[3] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[4] ImmuniWeb® - web security platform by High-Tech Bridge for on-demand and continuous web application security, vulnerability management, monitoring and PCI DSS compliance.
[5] Free SSL/TLS Server test - check your SSL implementation for PCI DSS and NIST compliance. Supports all types of protocols.
User Comments and Opinions
Add Comment
3 responses to "SQL Injection and RCE in WebsiteBaker"
Norbert 2016-03-17 12:43:37 UTC Comment this
There is a Patch available that does not require to upgrade to an unstable
version. Look at wbce.org.

Btw it would be nice to inform the WBCE dev team of issues like that too ,
as we share the same codebase.
Aldus 2016-04-18 12:59:58 UTC Comment this
Does not effect LEPTON-CMS since 1.3 because of the use of a
preg_match-test for the Language-Field and the leptoken-hashes.
erpe 2016-04-18 13:55:54 UTC Comment this
Would be nice to inform us in the future too, because we also share lot of core code. Please use lepton-cms.org contact page..
Thanks
↑ Back to Top


Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.