Chatelao PHP Address Book 8.2.5 var sql injection

Summaryinfo

A vulnerability has been found in Chatelao PHP Address Book 8.2.5 and classified as critical. Affected by this issue is some unknown functionality of the component Address Book. This manipulation of the argument var causes sql injection. This vulnerability is registered as CVE-2013-0135. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

Detailsinfo

A vulnerability classified as critical was found in Chatelao PHP Address Book 8.2.5 (Programming Language Software). Affected by this vulnerability is an unknown part of the component Address Book. The manipulation of the argument var with an unknown input leads to a sql injection vulnerability. The CWE definition for the vulnerability is CWE-89. The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

Multiple SQL injection vulnerabilities in PHP Address Book 8.2.5 allow remote attackers to execute arbitrary SQL commands via the id parameter to (1) addressbook/register/delete_user.php, (2) addressbook/register/edit_user.php, or (3) addressbook/register/edit_user_save.php; the email parameter to (4) addressbook/register/edit_user_save.php, (5) addressbook/register/reset_password.php, (6) addressbook/register/reset_password_save.php, or (7) addressbook/register/user_add_save.php; the username parameter to (8) addressbook/register/checklogin.php or (9) addressbook/register/reset_password_save.php; the (10) lastname, (11) firstname, (12) phone, (13) permissions, or (14) notes parameter to addressbook/register/edit_user_save.php; the (15) q parameter to addressbook/register/admin_index.php; the (16) site parameter to addressbook/register/linktick.php; the (17) password parameter to addressbook/register/reset_password.php; the (18) password_hint parameter to addressbook/register/reset_password_save.php; the (19) var parameter to addressbook/register/traffic.php; or a (20) BasicLogin cookie to addressbook/register/router.php.

The weakness was published 04/08/2013 as confirmed advisory (CERT.org). It is possible to read the advisory at kb.cert.org. This vulnerability is known as CVE-2013-0135 since 12/06/2012. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details and also a public exploit are known. The attack technique deployed by this issue is T1505 according to MITRE ATT&CK.

It is possible to download the exploit at exploit-db.com. It is declared as proof-of-concept.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the databases at X-Force (99623) and Exploit-DB (38435). Similar entry is available at VDB-63956. Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Productinfo

Type

• Programming Language Software

Vendor

• Chatelao

Name

• PHP Address Book

Version

• 8.2.5

License

• open-source

CPE 2.3info

• 🔍

CPE 2.2info

• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Discussion