Share
===============================  
- Advisory -  
===============================  
  
Tittle: KBPublisher 6.0.2.1 - Multiple SQL Injection  
Risk: High  
Date: 21.Aug.2019  
Author: Pedro Andujar  
Twitter: @pandujar  
  
  
  
.: [ INTRO ] :  
  
KBPublisher is Knowledge Management Software. It reduces the need for customer support, improves staff productivity, and eliminates   
time wasted searching for information.  
  
  
.: [ TECHNICAL DESCRIPTION ] :.  
  
KBPublisher release 6.0.2, and probably prior versions, contain multiple SQLi vulnerabilities that affect not only the admin interface but also the public (unauthenticated)  
area of the application  
  
  
.: [ ISSUE #1 ]:.  
  
Name: Multiple SQLi  
Severity: High  
CVE: CVE-2019-10687  
  
Affected URL's from the admin area:  
https://SITE/admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325PAYLOAD&filter%5Bt%5D=1&ajax=1 (Also affecting to POST parameters)  
  
https://SITE/admin/index.php?module=log&page=login_log&action=detail&id=PAYLOAD  
  
The publicly accesible URL, correspond to the print feature:  
https://SITE/index.php?View=print&id%5B%5D=PAYLOAD  
  
During the test, it was possible to dump users and hashes of the application as any other content from the DB.  
  
  
.: [ CHANGELOG ] :.  
  
* 21/Mar/2019: - Vuln discovered during engagement.  
* 21/Mar/2019: - KBP product security contacted.   
* 22/Mar/2019: - Replied providing workarround.   
* 30/Apr/2019: - New release of KBP released to public.   
* 21/Ago/2019: - Public disclosure.  
  
(Kudos to Evgeny Leontev, for the excelent communication and incident handling)  
  
  
.: [ SOLUTIONS ] :.  
  
Upgrade to version 7.0 or higher.  
  
  
.: [ REFERENCES ] :.  
  
[+] KBPublisher Release Notes  
https://www.kbpublisher.com/kb/release-notes-59/  
  
[+] Tarlogic  
https://www.tarlogic.com/  
  
[+] Black Arrow  
https://www.blackarrow.net  
  
  
  
  
-=EOF=-