Post Thu Jan 24, 2013 8:14 am

HTB23132: SQL Injection Vulnerability in ImageCMS

Advisory ID: HTB23132
Product: ImageCMS
Vendor: imagecms.net
Vulnerable Versions: 4.0.0b and probably prior
Tested Version: 4.0.0b
Vendor Notification: December 5, 2012
Vendor Fix: January 16, 2013
Public Disclosure: January 23, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2012-6290
Risk Level: Medium
CVSSv2 Base Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab


Advisory Details:
High-Tech Bridge Security Research Lab discovered vulnerability in ImageCMS, which can be exploited to perform SQL injection attacks.

1) SQL injection vulnerability in ImageCMS: CVE-2012-6290
The vulnerability exists due to insufficient filtration of the "q" HTTP GET parameter passed to "/admin/admin_search/". A remote authenticated administrator can execute arbitrary SQL commands in the application's database.
Depending on the database and system configuration PoC (Proof-of-Concept) code below will create "/tmp/file.txt" file with MySQL server version inside:
http://[host]/admin/admin_search?q=123%27%20UNION%20SELECT%201,2,version%28%29,4,5,6,7,8,9,10,11,1 2,13,14,15%20INTO%20OUTFILE%27/tmp/file.txt%27%20--%202
This vulnerability can also be exploited by remote non-authenticated attacker via CSRF vector because the application is prone to Cross-Site Request Forgery attack. In order to do so attacker should trick a logged-in administrator to visit a web page with CSRF exploit.
Basic CSRF exploit example:
<img src="http://[host]/admin/admin_search?q=123%27%20UNION%20SELECT%201,2,version%28%29,4,5,6,7,8,9,10,1 1,1 2,13,14,15%20INTO%20OUTFILE%27/tmp/file.txt%27%20--%202">

Solution:
Upgrade to ImageCMS 4.2

More Information:
_http://forum.imagecms.net/viewtopic.php?id=1436
_http://www.imagecms.net/blog/news/reliz-imagecms-42-razgranichenie-prav-dostupa-i-drugie-novinki


References:
[1] High-Tech Bridge Advisory HTB23132 - https://www.htbridge.com/advisory/HTB23132 - SQL Injection Vulnerability in ImageCMS.
[2] ImageCMS - http://www.imagecms.net - A free modern Web 3.0 content management system.
[3] Common Vulnerabilities and Exposures (CVE) - cve.mitre.org - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.