I think this one is just copy-pasting from some kind of scanner. The file contains just a class, so it will not execute any function using the curl request you mentioned.
SQL Injection Vulnerability in Subrion 4.2.1
Product Information:
The software that contains the vulnerability is Subrion CMS version 4.2.1.
Problem Type:
The type of vulnerability is SQL Injection.
References:
Description:
Subrion CMS 4.2.1 is vulnerable to SQL Injection via ia.core.mysqli.php. The vulnerability is located in the method \iaDb,1::getAll(["var"]) in (216)\iaDb,1::_get(["row","MAX(order)","var","var","1"]) that outputs using tainted argument #1 ($sql). The infected line is 242. This vulnerability allows an attacker to execute arbitrary SQL commands via the application, leading to unauthorized access to the database, data leakage, and potential code execution.
Vulnerable Component(s):
The specific component of the software that is vulnerable is ia.core.mysqli.php.
Attack Vectors:
An attacker could exploit this vulnerability by sending a specially crafted request to the application, which includes malicious SQL commands. The application does not properly sanitize user input before using it in SQL queries, leading to SQL Injection.
Discoverer/Credit:
The vulnerability was discovered by Diyar Saadi Ali.
We hope this information is sufficient for your needs. Please do not hesitate to contact us if you require further details.
Best regards,
[Diyar Saadi Ali]
Vulnerability Summary
The Subrion 4.2.1 application is vulnerable to SQL Injection due to the unsafe handling of user-controlled data in the construction of SQL queries. The vulnerability is located in the method \iaDb,1::getAll(["var"]) in (216)\iaDb,1::_get(["row","MAX(order)","var","var","1"]) that outputs using tainted argument #1 ($sql). The infected line is 242.
Impact
An attacker can exploit this vulnerability to manipulate SQL queries, potentially leading to unauthorized access to sensitive information, data modification, or even full system control. Given the prevalence and potential impact of SQL Injection vulnerabilities, it is critical to address this issue promptly.
Reproducibility
The vulnerability can be reproduced using the following command:
curl -X POST -d "id=1%E2%80%98%20or%201%3D1--" https://site.com/includes/classes/ia.base.controller.admin.php
Validation and Analysis
To validate and analyze this vulnerability, we can use a combination of static and dynamic analysis tools, such as:
Static Analysis Tools: Tools like SonarQube or Fortify can help identify SQL Injection vulnerabilities in the source code.
Dynamic Analysis Tools: Tools like OWASP ZAP or Burp Suite can help identify vulnerabilities during runtime.
Penetration Testing: Manual testing can help confirm the vulnerability and understand its impact.
Mitigation
To mitigate this vulnerability, it is recommended to separate data from SQL commands, ensuring user-controlled data can never be interpreted as SQL commands. This can be achieved by:
Explicitly converting user-controlled data to the expected data type.
Using bind parameters for string inputs.
Using prepared statements and parameterized queries.
Here are examples of how to implement these mitigations using PDO and MySQLi:
PDO:
$stmt = $pdo->prepare('SELECT * FROM employees WHERE name = :name');
$stmt->execute([ 'name' => $name ]);
foreach ($stmt as $row) {
    // Do something with $row
}
MySQLi (PHP 8.2+):
$result = $dbConnection->execute_query('SELECT * FROM employees WHERE name = ?', [$name]);
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}
MySQLi (Up to PHP 8.1):
$stmt = $dbConnection->prepare('SELECT * FROM employees WHERE name = ?');
$stmt->bind_param('s', $name); // 's' specifies the variable type => 'string'
$stmt->execute();
$result = $stmt->get_result();
while ($row = $result->fetch_assoc()) {
    // Do something with $row
}
Next Steps
The vulnerability details will be submitted to the board for review. The GitHub issue reported by the user will be updated with the vulnerability details and the recommended mitigation steps. The user will also be contacted to update the CVE record with their full legal name, pending verification of their identity and ownership of the pseudonym "H4
Mitigation
To mitigate this vulnerability, it is recommended to use parameterized queries or prepared statements, which can prevent SQL injection attacks by ensuring that an attacker cannot change the intent of a query, even if they insert malicious input.
In PHP, you can use the mysqli::prepare function to create a prepared statement:
$stmt = $mysqli->prepare("INSERT INTO Customers (CustomerName, ContactName, Address, City, PostalCode, Country) VALUES (?, ?, ?, ?, ?, ?)");
// "ssssss": one 's' (string) per placeholder, bound in order of appearance
$stmt->bind_param("ssssss", $name, $contact, $address, $city, $postal, $country);
$stmt->execute();
In this example, the ? placeholders cannot be used to change the structure of the SQL statement. They can only be used to insert data, which prevents an attacker from injecting malicious SQL.
Scope and Breadth of Affected Servers
To determine the scope and breadth of affected servers and websites running a vulnerable version of Subrion, you can use OSINT (Open Source Intelligence) tools such as Shodan, Censys, or BinaryEdge. These tools can scan the internet and find servers running specific software or versions of software.
For example, you can use Shodan with a query like http.title:"Subrion CMS 4.2.1" to find servers running this specific version of Subrion.
Ascertaining Scope, Criticality, Number of affected server(s), Potential Alerting/Detection Mechanisms, and Mitigation
In addition to BuiltWith.com (freemium/paywall for complete reports) there are other OSINT tools to determine the number of potentially vulnerable systems in the wild:
Sure, here's a high-level step-by-step guide on how to use each of these platforms:
Wappalyzer:
WhatCMS:
Netcraft Site Report:
SimilarTech:
Pingdom:
SpyOnWeb:
Remember to use these tools responsibly and respect the privacy of the websites you're analyzing. Unauthorized scanning or probing of networks can be illegal and unethical. Always obtain proper permissions before conducting any security testing.
Mapping this SQL Injection vulnerability to MITRE ATT&CK TTPs (Tactics, Techniques, and Procedures), we can associate it with the following:
This technique involves taking advantage of vulnerabilities in public-facing web applications to gain access to a system.
For YARA rule creation, we can create a rule that looks for the specific SQL Injection pattern in network traffic or log files:
rule SQLi_Subrion_CMS_421
{
    meta:
        description = "Detects SQL Injection attack on Subrion CMS 4.2.1"
        author = "Diyar Saadi Ali"
        reference = "CVE-2024-25400"
    strings:
        $sqli_pattern = /1%E2%80%98%20or%201%3D1--/
    condition:
        $sqli_pattern
}
For SIGMA rule creation, we can create a rule that looks for the specific SQL Injection pattern in web server logs:
title: SQL Injection Attack on Subrion CMS 4.2.1
id: 12345678-abcd-1234-abcd-123456789abc
status: experimental
description: Detects SQL Injection attack on Subrion CMS 4.2.1
author: Your Name
references:
    - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25400
logsource:
    category: webserver
    product: apache|nginx
detection:
    keywords:
        - '1%E2%80%98%20or%201%3D1--'
    condition: keywords
falsepositives:
    - Legitimate queries that coincidentally contain the SQLi pattern
level: high
For Kibana Query Language (KQL), we can create a query that looks for the specific SQL Injection pattern in web server logs:
message: "1%E2%80%98%20or%201%3D1--"
2. Google Dorks
Google Dorks are powerful tools that can help you find specific information on the web. However, they should be used responsibly and ethically. Here are a few Google Dorks that could potentially help you find websites running Subrion CMS:
inurl:"/subrion/": This dork will return sites that have "/subrion/" in their URL, which is a common path for Subrion CMS installations.
inurl:"/subrion/admin/": This dork will return sites that have "/subrion/admin/" in their URL, which is a common path for Subrion CMS admin panels.
inurl:"/subrion/admin.dashboard.php": This dork will return sites that have "/subrion/admin.dashboard.php" in their URL, which is a common path for Subrion CMS admin dashboards.
inurl:"/subrion/admin.sitemap.php": This dork will return sites that have "/subrion/admin.sitemap.php" in their URL, which is a common path for Subrion CMS sitemap pages.
inurl:"/subrion/panel/": This dork will return sites that have "/subrion/panel/" in their URL, which is a common path for Subrion CMS control panels.
Whois: You can use the whois command in the terminal or use online Whois lookup services to find the contact information for a domain. The Whois record usually includes the email address of the domain owner.
.well-known/security.txt: Some websites have a "security.txt" file in their ".well-known" directory (e.g., https://example.com/.well-known/security.txt). This file usually contains contact information for reporting security issues.
Website Contact Form or Email: If the website has a contact form or a listed email address, you can use these methods to report the vulnerability.
Ethical Disclosure
It's important to follow ethical disclosure guidelines when reporting vulnerabilities. This means you should:
Always obtain permission before testing.
Never exploit a vulnerability for malicious purposes.
Always give the vendor a reasonable amount of time to fix the vulnerability before making it public.
Always respect the privacy and property of others.
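Added example, not Subrion code and not part of the report above: the Mitigation section shows only the fixed PHP forms. The Python block below uses the bundled sqlite3 module so it runs offline, and puts the string-built query beside the parameterized one and the typed-id variant (the "convert to the expected data type" bullet), feeding each the payload from the report's curl command. The `items` table, its rows and column names are constructed for the demo. One thing it makes visible: `%E2%80%98` in that payload decodes to U+2018, the typographic left single quote, which does not terminate a SQL string literal; the ASCII apostrophe variant is what does.

```python
"""Added example: string-built SQL versus parameterized SQL.

Uses Python's bundled sqlite3 so it runs offline; the page's target is PHP/MySQL,
but the injection mechanics (quote break-out, `--` comment) are the same.
Table, rows and inputs below are constructed for the demo, not taken from Subrion.
"""
import sqlite3
import urllib.parse

# Payload exactly as it appears, percent-encoded, in the report's curl command.
REPORT_PAYLOAD_ENCODED = "1%E2%80%98%20or%201%3D1--"
# The same idea with an ASCII apostrophe, which is what actually ends a SQL string.
ASCII_PAYLOAD = "1' or 1=1--"


def make_db() -> sqlite3.Connection:
    """In-memory table with constructed sample rows (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT, status TEXT)")
    db.executemany(
        "INSERT INTO items (id, title, status) VALUES (?, ?, ?)",
        [(1, "first", "active"), (2, "second", "active"), (3, "third", "hidden")],
    )
    return db


def build_query_unsafe(user_value: str) -> str:
    """The anti-pattern: user data concatenated into the SQL text."""
    return f"SELECT id FROM items WHERE title = '{user_value}'"


def fetch_unsafe(db: sqlite3.Connection, user_value: str) -> list[int]:
    """Runs the concatenated query; the caller's input can rewrite the WHERE clause."""
    return [row[0] for row in db.execute(build_query_unsafe(user_value))]


def fetch_parameterized(db: sqlite3.Connection, user_value: str) -> list[int]:
    """Bind parameter: the value is data and can never change statement structure."""
    return [row[0] for row in db.execute("SELECT id FROM items WHERE title = ?", (user_value,))]


def fetch_by_id_typed(db: sqlite3.Connection, user_value: str) -> list[str]:
    """Type conversion first: anything that is not an integer is rejected
    (ValueError) before it gets anywhere near the query."""
    item_id = int(user_value)
    return [row[0] for row in db.execute("SELECT title FROM items WHERE id = ?", (item_id,))]


def demo() -> dict:
    """Runs all three variants against the constructed table and returns the outcomes."""
    db = make_db()
    decoded = urllib.parse.unquote(REPORT_PAYLOAD_ENCODED)  # '1\u2018 or 1=1--'
    results = {
        "decoded_payload": decoded,
        # ASCII quote closes the literal, `--` comments out the trailing quote: every row leaks.
        "unsafe_ascii": fetch_unsafe(db, ASCII_PAYLOAD),
        # U+2018 stays inside the literal, so the report's payload matches nothing here.
        "unsafe_report": fetch_unsafe(db, decoded),
        # Bound parameter: the payload is compared as a title and matches nothing.
        "param_ascii": fetch_parameterized(db, ASCII_PAYLOAD),
    }
    try:
        fetch_by_id_typed(db, ASCII_PAYLOAD)
        results["typed_rejected"] = False
    except ValueError:
        results["typed_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The `unsafe_ascii` result returning every row while `param_ascii` returns none is the whole argument for the page's mitigation bullets; the `unsafe_report` result is the reason to test a payload decoded, not just pasted, before calling a finding confirmed.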
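Added example, my code rather than the report's rule set: the Sigma, YARA and KQL rules above all match the literal percent-encoded string, so they miss the same tautology written with `%27` or double-encoded. This Python block parses constructed combined-format access-log lines (client addresses from the documentation ranges, placeholder paths), runs both the page's literal keyword and a decode-then-match check over them, and returns the client IPs each flags. Caveat to weigh before deploying either: the curl command in the report sends the payload as a POST body, which standard Apache/nginx access logs do not record; the constructed lines carry it in the query string so there is something for a log rule to match.

```python
"""Added example: literal-keyword match versus decode-then-match over access-log lines.

The log lines are constructed for this demo in Apache/nginx combined format; the
paths and addresses are placeholders, not real Subrion endpoints or real traffic.
"""
import re
import urllib.parse
from typing import Optional

# Literal keyword used by the Sigma and KQL rules on the page.
SIGMA_KEYWORD = "1%E2%80%98%20or%201%3D1--"

# Constructed sample: line 1 carries the report's payload, lines 2 and 3 the same
# tautology with an ASCII quote (single- and double-encoded), line 4 is benign.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:12:00:01 +0000] "POST /includes/classes/ia.base.controller.admin.php?id=1%E2%80%98%20or%201%3D1-- HTTP/1.1" 200 512 "-" "curl/8.4.0"
203.0.113.6 - - [10/Mar/2024:12:00:02 +0000] "GET /search?q=1%27%20OR%201%3D1-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /search?q=1%2527%2520or%25201%253d1-- HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "GET /listings?page=2&sort=title HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Quote, OR, 1=1, comment marker: matched after decoding and quote normalization.
SQLI_TAUTOLOGY = re.compile(r"'\s*or\s+1\s*=\s*1\s*--")

# Fold typographic quotes (U+2018/U+2019/U+201C/U+201D) to their ASCII forms.
QUOTE_VARIANTS = str.maketrans({"\u2018": "'", "\u2019": "'", "\u201c": '"', "\u201d": '"'})


def normalize_target(target: str, rounds: int = 2) -> str:
    """Percent-decode up to `rounds` times (catches double encoding), then fold
    typographic quotes to ASCII and lower-case the result for matching."""
    decoded = target
    for _ in range(rounds):
        nxt = urllib.parse.unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.translate(QUOTE_VARIANTS).lower()


def parse_line(line: str) -> Optional[dict]:
    """Returns the named fields of one access-log line, or None if it does not parse."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def keyword_hits(log_text: str) -> list[str]:
    """What the page's Sigma/KQL rule does: literal substring on the raw request target."""
    return [
        p["ip"]
        for p in map(parse_line, log_text.splitlines())
        if p and SIGMA_KEYWORD in p["target"]
    ]


def decoded_hits(log_text: str) -> list[str]:
    """Decode and normalize first, then look for the tautology pattern."""
    hits = []
    for p in map(parse_line, log_text.splitlines()):
        if p and SQLI_TAUTOLOGY.search(normalize_target(p["target"])):
            hits.append(p["ip"])
    return hits


if __name__ == "__main__":
    print("literal keyword:", keyword_hits(SAMPLE_LOG))
    print("decoded match:  ", decoded_hits(SAMPLE_LOG))
```

The literal keyword flags only the first constructed line; the decoded check flags the first three. The trade-off is the usual one: decoding widens coverage and also widens the false-positive surface noted in the Sigma rule, so the tautology regex is kept narrow rather than matching a bare quote or `--`.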