Secunia Research: Interact SQL Injection and Cross-Site Request Forgery

[Secunia Research <remove-vuln@xxxxxxxxxxx>]

====================================================================== 

                     Secunia Research 31/10/2008

      - Interact SQL Injection and Cross-Site Request Forgery -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

====================================================================== 
1) Affected Software

* Interact 2.4.1

NOTE: Other versions may also be affected.

====================================================================== 
2) Severity

Rating: Moderately Critical
Impact: SQL Injection
        Cross-Site Request Forgery
Where:  Remote

====================================================================== 
3) Vendor's Description of Software

"A platform for the delivery and support of online learning. It 
differs from many other elearning platforms in that its aim is to 
concentrate on the social/interactive aspects of teaching and learning
rather than the delivery of content to students."

Product Link:
http://sourceforge.net/projects/cce-interact

====================================================================== 
4) Description of Vulnerability

Secunia Research has discovered two vulnerabilities in Interact, which
can be exploited by malicious people to conduct cross-site request
forgery and SQL injection attacks.

1) Input passed to the "email_user_key" parameter in 
spaces/emailuser.php is not properly sanitised before being used in 
SQL queries. This can be exploited to manipulate SQL queries by 
injecting arbitrary SQL code.

Successful exploitation of this vulnerability allows e.g. retrieval of
super administrator usernames and password hashes, but requires
knowledge of the database table prefix.

2) The application allows users to perform certain actions via HTTP
requests without performing any validity checks to verify the request.
This can be exploited to e.g. add new super administrator users by
enticing a logged-in super administrator to visit a malicious web 
page.

====================================================================== 
5) Solution

Apply the vendor's official patch for vulnerability #1:
http://sourceforge.net/tracker/index.php?func=detail&aid=2208205&;
group_id=69681&atid=525406

Do not browse untrusted websites while logged in.

====================================================================== 
6) Time Table

24/10/2008 - Vendor notified.
28/10/2008 - Vendor response.
30/10/2008 - The vendor publishes a patch for vulnerability #1 and
             states that he will wait with the CSRF fixes and won't 
             fix the product's CSRF issues completely.
31/10/2008 - Public disclosure.

====================================================================== 
7) Credits

Discovered by Secunia Research.

====================================================================== 
8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned 
CVE-2008-3867 (SQL injection) and CVE-2008-3868 (CSRF) for the
vulnerabilities.

====================================================================== 
9) About Secunia

Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the 
security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

====================================================================== 
10) Verification 

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2008-44/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================