Authenticated boolean-based blind & error-based SQL injection on b2evolution 7.2.2-stable (CVE-2021-28242)

Deadshot
Mar 8, 2021

Product: b2evolution 7.2.2-stable

Vulnerability Title: Authenticated Blind & Error SQL injection

Identifier: OWASP Top 10: Injection

Detailed description: When a user with moderator privileges creates a new custom filter under the Collections tab, evoadm.php receives a GET request carrying the cf_name parameter (the filter name) alongside the other filter parameters. The value of cf_name is not safely handled before it reaches the database query, so the parameter is vulnerable to boolean-based blind and error-based SQL injection.

Steps to reproduce:

1. Log in to http://server_ip/b2evolution/evoadm.php as a user with moderator privileges.

Admin login page

2. Click Collections → Custom filters, enter a single quote (') as the filter name, and click Apply filters.

3. The above step throws a series of SQL errors, which confirms that the cf_name parameter is vulnerable to SQL injection.

The SQL error against the parameter cf_name

4. Once cf_name is confirmed vulnerable, feed the captured request to sqlmap and it will do the rest of the work.

The result of SQLMAP against the cf_name parameter

Command Execution via sqlmap:

command execution via sqlmap
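As an added defender-side example (not part of the original advisory), the following Python scans web-server access logs for the probes described in the steps above: requests to evoadm.php whose cf_name parameter carries a quote, an SQL comment sequence or an SQL keyword, a 500 response following such a probe (the error-based case), and the sqlmap user-agent. The log lines are constructed samples; the client addresses, user-agent strings and filter names are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format access log line; only the fields used below are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"')
SQL_TOKENS = re.compile(r"\b(?:AND|OR|UNION|SELECT|SLEEP|BENCHMARK|EXTRACTVALUE|UPDATEXML)\b", re.I)
COMMENT_SEQ = re.compile(r"--|#|/\*")

# Constructed sample log (not from the original post): a benign filter name, the
# single-quote probe from step 2, an automated probe, and a non-evoadm.php request.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Feb/2021:10:01:02 +0000] "GET /b2evolution/evoadm.php?cf_name=rock+and+roll HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Feb/2021:10:02:15 +0000] "GET /b2evolution/evoadm.php?cf_name=%27 HTTP/1.1" 500 2048 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Feb/2021:10:02:40 +0000] "GET /b2evolution/evoadm.php?cf_name=x%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 "-" "sqlmap/1.5"
10.0.0.9 - - [24/Feb/2021:10:03:01 +0000] "GET /b2evolution/index.php?cf_name=%27 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""


def inspect_cf_name(value, status, ua):
    """Return the reasons a decoded cf_name value looks like an injection probe."""
    reasons = []
    if "'" in value:
        reasons.append("quote in cf_name")
    if COMMENT_SEQ.search(value):
        reasons.append("sql comment sequence in cf_name")
    # A bare keyword ("rock and roll") is not enough; require a quote or comment too.
    if reasons and SQL_TOKENS.search(value):
        reasons.append("sql keyword in cf_name")
    if reasons and status == 500:
        reasons.append("server error after probe (error-based)")
    if "sqlmap" in ua.lower():
        reasons.append("sqlmap user-agent")
    return reasons


def scan_log(text):
    """Return one finding per evoadm.php request whose cf_name looks injected."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.endswith("/evoadm.php"):
            continue
        for value in parse_qs(url.query).get("cf_name", []):  # parse_qs percent-decodes
            reasons = inspect_cf_name(value, int(m["status"]), m["ua"])
            if reasons:
                findings.append({"ip": m["ip"], "ts": m["ts"], "cf_name": value, "reasons": reasons})
    return findings
```

Running `scan_log(SAMPLE_LOG)` flags only the two requests from 10.0.0.7; the benign "rock and roll" name is not reported despite containing the word "and".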

Reported date: 24-02-2021

Fixed date: 26-02-2021

Fixed Version: b2evolution 7.2.3-stable

CVE: CVE-2021-28242

Fixed CMS: https://github.com/b2evolution/b2evolution/releases/tag/7.2.3

Vulnerable CMS: https://github.com/b2evolution/b2evolution/releases/tag/7.2.2

Discoverers:
Avinash — https://www.linkedin.com/in/deadshot/
Balaji Ayyasamy — https://www.linkedin.com/in/balaji-ayyasamy-aa540b109/
Parthasarathi S — https://www.linkedin.com/in/parthasarathi-s-62b8411a4/
Zacco Cyber Security Research Labs, Coimbatore, India.

Written by Deadshot

A security consultant with technical and consulting experience in the information security domain.