XenAPI v1.4.1 for XenForo Multiple Unauthenticated SQL Injections

ADVISORY INFORMATION

• Product: XenAPI for XenForo
• Vendor URL: github.com/Contex/XenAPI
• CWE: SQL Injection [CWE-89]
• Date found: 2016-05-20
• Date published: 2016-05-23
• CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
• CVE: -

CREDITS

This vulnerability was discovered and researched by Julien Ahrens from RCE Security.

VERSIONS AFFECTED

XenAPI for XenForo v1.4.1 older versions may be affected too but were not tested.

INTRODUCTION

This Open Source REST API allows usage of several of XenForo’s functions, such as authentication, user information and many other functions!

(from the vendor’s homepage)

VULNERABILITY DETAILS

The plugin “XenAPI” for XenForo offers a REST Api with different functions to query and edit information from the XenForo database backend. Amongst those are “getGroup” and “getUsers”, which can be called without authentication (default) and since the application does not properly validate and sanitize the “value” parameter, it is possible to inject arbitrary SQL commands into the XenForo backend database.

The following proof-of-concepts exploit each vulnerable REST action and extract the hostname of the server:

https://127.0.0.1/api.php?action=getUsers&value=' UNION ALL SELECT
CONCAT(IFNULL(CAST(%40%40HOSTNAME AS CHAR)%2C0x20))%2CNULL%23

https://127.0.0.1/api.php?action=getGroup&value=' UNION ALL SELECT
NULL%2CNULL%2CNULL%2CNULL%2CNULL%2CCONCAT(IFNULL(CAST(%40%40HOSTNAME AS
CHAR)%2C0x20))%2CNULL%23

RISK

The vulnerability allows remote attackers to read sensitive information from the XenForo database like usernames and passwords. Since the affected REST actions do not require an authentication hash, these vulnerabilities can be exploited by an unauthenticated attacker.

SOLUTION

Update to the latest version v1.4.2

REPORT TIMELINE

• 2016-05-20: Discovery of the vulnerability
• 2016-05-20: Notified vendor via contact address
• 2016-05-20: Vendor provides update for both issues
• 2016-05-21: Provided update fixes the reported issues
• 2016-05-21: Vendor publishes update
• 2016-05-23: Advisory released

REFERENCES

• https://github.com/Contex/XenAPI/commit/00a737a1fe45ffe5c5bc6bace44631ddb73f2ecf
• https://xenforo.com/community/resources/xenapi-xenforo-php-rest-api.902/update?update=19336