Secunia Research: Interact SQL Injection and Cross-Site Request Forgery
======================================================================
Secunia Research 31/10/2008
- Interact SQL Injection and Cross-Site Request Forgery -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
* Interact 2.4.1
NOTE: Other versions may also be affected.
======================================================================
2) Severity
Rating: Moderately Critical
Impact: SQL Injection
Cross-Site Request Forgery
Where: Remote
======================================================================
3) Vendor's Description of Software
"A platform for the delivery and support of online learning. It
differs from many other elearning platforms in that its aim is to
concentrate on the social/interactive aspects of teaching and learning
rather than the delivery of content to students."
Product Link:
http://sourceforge.net/projects/cce-interact
======================================================================
4) Description of Vulnerability
Secunia Research has discovered two vulnerabilities in Interact, which
can be exploited by malicious people to conduct cross-site request
forgery and SQL injection attacks.
1) Input passed to the "email_user_key" parameter in
spaces/emailuser.php is not properly sanitised before being used in
SQL queries. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
Successful exploitation of this vulnerability allows e.g. retrieval of
super administrator usernames and password hashes, but requires
knowledge of the database table prefix.
2) The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the request.
This can be exploited to e.g. add new super administrator users by
enticing a logged-in super administrator to visit a malicious web
page.
======================================================================
5) Solution
Apply the vendor's official patch for vulnerability #1:
http://sourceforge.net/tracker/index.php?func=detail&aid=2208205&
group_id=69681&atid=525406
Do not browse untrusted websites while logged in.
======================================================================
6) Time Table
24/10/2008 - Vendor notified.
28/10/2008 - Vendor response.
30/10/2008 - The vendor publishes a patch for vulnerability #1 and
states that he will wait with the CSRF fixes and won't
fix the product's CSRF issues completely.
31/10/2008 - Public disclosure.
======================================================================
7) Credits
Discovered by Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has assigned
CVE-2008-3867 (SQL injection) and CVE-2008-3868 (CSRF) for the
vulnerabilities.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the
security and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-44/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================