ITAS Team found out a SQL Injection vulnerability in Redaxscript 2.2.0 CMS

ITAS Team found a SQL injection vulnerability in Redaxscript 2.2.0 CMS. The issue is caused by the site search script not properly sanitizing user-supplied input: the search_terms POST parameter is concatenated directly into the SQL query. This allows remote attackers to execute arbitrary SQL commands via that parameter.
Individuals and organizations using Redaxscript should update to the patched release, Redaxscript 2.3.0.

Vulnerability information:
– Vulnerability: SQL injection
– Vendor: http://redaxscript.com/
– Download link: http://redaxscript.com/download/releases
– Affected version: Redaxscript 2.2.0
– Fix version: Redaxscript 2.3.0
– Author: Pham Kien Cuong (cuong.k.pham@itas.vn) & ITAS Team (www.itas.vn)
– CVE ID: CVE-2015-1518

::VULNERABILITY DETAIL::
POST /redaxscript/ HTTP/1.1
Host: target.local
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: PHPSESSID=khtnnm1tvvk3s12if0no367872; GEAR=local-5422433b500446ead50002d4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 96

search_terms=[SQL INJECTION HERE]&search_post=&token=24bcb285bc6f5c93203e4f95d9f2008331faf294&search_post=Search

– Vulnerable parameter: $search_terms
– Vulnerable file: redaxscript/includes/search.php
– Vulnerable function: search_post()
– Vulnerable code:
/* namespace backslashes (Redaxscript\Registry, Redaxscript\Db, ...) and escaped
   quotes were stripped by the site's text extraction and are restored here;
   HTML wrapper markup inside the $output strings did not survive and is left out */
function search_post()
{
    /* clean post */

    if (ATTACK_BLOCKED < 10)
    {
        $search_terms = clean($_POST['search_terms'], 5);
    }

    /* validate post */

    if (strlen($search_terms) < 3 || $search_terms == l('search_terms'))
    {
        $error = l('input_incorrect');
    }

    /* query results */

    else
    {
        $search = array_filter(explode(' ', $search_terms));
        $search_keys = array_keys($search);
        $last = end($search_keys);

        /* query search */

        $query = 'SELECT id, title, alias, description, date, category, access FROM ' . PREFIX . 'articles WHERE (language = \'' . Redaxscript\Registry::get('language') . '\' || language = \'\') && status = 1';
        if ($search)
        {
            $query .= ' && (';
            foreach ($search as $key => $value)
            {
                /* each search term is concatenated straight into the LIKE patterns */
                $query .= 'title LIKE \'%' . $value . '%\' || description LIKE \'%' . $value . '%\' || keywords LIKE \'%' . $value . '%\' || text LIKE \'%' . $value . '%\'';
                if ($last != $key)
                {
                    $query .= ' || ';
                }
            }
            $query .= ')';
        }
        $query .= ' ORDER BY date DESC LIMIT 50';
        $result = Redaxscript\Db::forTablePrefix('articles')->rawQuery($query)->findArray();
        $num_rows = count($result);
        if ($result == '' || $num_rows == '')
        {
            $error = l('search_no');
        }

        /* collect output */

        else if ($result)
        {
            $accessValidator = new Redaxscript\Validator\Access();
            $output = '' . l('search') . '';
            $output .= form_element('fieldset', '', 'set_search_result', '', '', '' . l('articles') . '') . '';
            foreach ($result as $r)
            {
                $access = $r['access'];

                /* if access granted */

                if ($accessValidator->validate($access, MY_GROUPS) === Redaxscript\Validator\Validator::PASSED)
                {
                    if ($r)
                    {
                        foreach ($r as $key => $value)
                        {
                            $$key = stripslashes($value);
                        }
                    }

                    /* prepare metadata */

                    if ($description == '')
                    {
                        $description = $title;
                    }
                    $date = date(s('date'), strtotime($date));

                    /* build route */

                    if ($category == 0)
                    {
                        $route = $alias;
                    }
                    else
                    {
                        $route = build_route('articles', $id);
                    }

                    /* collect item output */

                    $output .= '' . anchor_element('internal', '', 'link_search_result', $title, $route, $description) . '' . $date . '';
                }
                else
                {
                    $counter++;
                }
            }
            $output .= '';

            /* handle access */

            if ($num_rows == $counter)
            {
                $error = l('access_no');
            }
        }
    }

    /* handle error */

    if ($error)
    {
        notification(l('something_wrong'), $error);
    }
    else
    {
        echo $output;
    }
}
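As an added example (not code from this advisory, from ITAS or from Redaxscript), the following Python rebuilds the query-construction pattern of search_post() against an in-memory SQLite table and runs it beside a parameterised version of the same search. The schema, rows and payload are constructed for the demo; MySQL's || and && are written as OR and AND so the statement also runs on SQLite; the payload uses /**/ in place of spaces because search_post() splits the input on spaces, and it closes both the LIKE literal and the surrounding parenthesis so that OR 1=1 overrides the status and language filters. The advisory does not show whether this exact payload survives clean() in 2.2.0; the point is what happens once a term reaches the string concatenation.

```python
"""
Added example: Redaxscript 2.2.0 search_post() query construction rebuilt in
Python over SQLite, with the injectable concatenation beside a parameterised
rewrite. All data, the table layout and the payload are constructed here.
"""
import sqlite3

# Constructed sample data: a published English article, an unpublished draft
# (status = 0) and a published article in another language.
ARTICLES = [
    (1, "Welcome", "welcome", "Public welcome page", "2014-11-01", 0, "", "intro", "Hello world", "en", 1),
    (2, "Q4 acquisition draft", "q4-draft", "Not yet public", "2014-11-20", 0, "", "finance", "Confidential numbers", "en", 0),
    (3, "Willkommen", "willkommen", "Deutsche Startseite", "2014-11-02", 0, "", "intro", "Hallo Welt", "de", 1),
]

COLUMNS = ("title", "description", "keywords", "text")


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE articles (
        id INTEGER, title TEXT, alias TEXT, description TEXT, date TEXT,
        category INTEGER, access TEXT, keywords TEXT, text TEXT,
        language TEXT, status INTEGER)""")
    db.executemany("INSERT INTO articles VALUES (?,?,?,?,?,?,?,?,?,?,?)", ARTICLES)
    return db


def split_terms(search_terms):
    # explode(' ', ...) followed by array_filter(): split on spaces, drop empties
    return [t for t in search_terms.split(" ") if t]


def vulnerable_query(search_terms, language="en"):
    """String-concatenated query mirroring search_post() (OR/AND instead of ||/&&)."""
    query = ("SELECT id, title, status, language FROM articles "
             "WHERE (language = '" + language + "' OR language = '') AND status = 1")
    terms = split_terms(search_terms)
    if terms:
        groups = []
        for value in terms:
            # the raw term lands inside each LIKE literal
            groups.append(" OR ".join(col + " LIKE '%" + value + "%'" for col in COLUMNS))
        query += " AND (" + " OR ".join(groups) + ")"
    return query + " ORDER BY date DESC LIMIT 50"


def search_vulnerable(db, search_terms, language="en"):
    return db.execute(vulnerable_query(search_terms, language)).fetchall()


def search_safe(db, search_terms, language="en"):
    """Same search logic with bound parameters: user input never enters the SQL text."""
    sql = ("SELECT id, title, status, language FROM articles "
           "WHERE (language = ? OR language = '') AND status = 1")
    params = [language]
    terms = split_terms(search_terms)
    if terms:
        groups = []
        for value in terms:
            groups.append(" OR ".join(col + " LIKE ?" for col in COLUMNS))
            params.extend(["%" + value + "%"] * len(COLUMNS))
        sql += " AND (" + " OR ".join(groups) + ")"
    sql += " ORDER BY date DESC LIMIT 50"
    return db.execute(sql, params).fetchall()


# Constructed payload: ') ends the LIKE literal and the open parenthesis,
# OR 1=1 then wins over "status = 1 AND (...)" because AND binds tighter than
# OR; the trailing (' re-opens a group so the query's own closing ')' balances.
# /**/ replaces spaces, which search_post() would split on.
PAYLOAD = "x%')/**/OR/**/1=1/**/OR/**/('%"


def ids(rows):
    return sorted(r[0] for r in rows)


if __name__ == "__main__":
    db = make_db()
    print(ids(search_vulnerable(db, "welcome")))  # only the published English article
    print(ids(search_vulnerable(db, PAYLOAD)))    # draft and foreign-language rows leak too
    print(ids(search_safe(db, PAYLOAD)))          # parameterised: no row matches the literal
```

Running the block prints the vulnerable search returning only the public article for a normal term, then every row (including the status = 0 draft) for the payload, while the parameterised version treats the same payload as an ordinary pattern and returns nothing. Note that with SQLite the per-term LIKE group structure is kept intact, so the only change needed to close the hole is binding the patterns as parameters.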

:: SOLUTION ::
Update to Redaxscript 2.3.0

::INFORMATION DISCLOSURE::
– 11/27/2014: Inform the vendor
– 11/28/2014: Vendor confirmed
– 01/29/2015: Vendor releases patch
– 01/05/2015: ITAS Team publishes information

DEMONSTRATION VIDEO

References:
– http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1518
– http://www.exploit-db.com/exploits/36023/
