Authenticated boolean-based blind & error-based SQL injection on b2evolution 7.2.2-stable (CVE-2021-28242)
Product: b2evolution 7.2.2-stable
Vulnerability Title: Authenticated Blind & Error SQL injection
Identifier: OWASP Top 10: Injection
Detailed description: It was found that when a user with moderator privileges creates a new filter under the Collections tab, evoadm.php receives a GET request carrying cf_name (the filter name) together with the other filter parameters. The cf_name parameter is vulnerable to boolean-based blind and error-based SQL injection.
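As an added detection example (not part of the original advisory or of the b2evolution code base), the following Python scans web-server access logs for evoadm.php requests whose cf_name parameter carries SQL injection characters, and flags clients that send repeated probes, which is how boolean-based blind testing of this parameter shows up in logs. The log lines, client addresses and the ctrl= parameter are constructed placeholders.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache combined format; IPs, timestamps and the
# ctrl= parameter are placeholders, not data from the advisory.
SAMPLE_LOG = """\
10.0.0.5 - - [24/Feb/2021:10:01:02 +0000] "GET /b2evolution/evoadm.php?ctrl=collections&cf_name=weekly HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Feb/2021:10:01:07 +0000] "GET /b2evolution/evoadm.php?ctrl=collections&cf_name=%27 HTTP/1.1" 500 731 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Feb/2021:10:01:09 +0000] "GET /b2evolution/evoadm.php?ctrl=collections&cf_name=x%27%20AND%201%3D1--%20 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.9 - - [24/Feb/2021:10:01:10 +0000] "GET /b2evolution/evoadm.php?ctrl=collections&cf_name=x%27%20AND%201%3D2--%20 HTTP/1.1" 200 4871 "-" "Mozilla/5.0"
10.0.0.7 - - [24/Feb/2021:10:02:00 +0000] "GET /b2evolution/index.php?cf_name=%27 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

# Combined-log request line: client address, timestamp, request target, status.
REQUEST_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                        r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

# Indicators checked against the URL-decoded cf_name value.
SQLI_PATTERNS = [
    (re.compile(r"'"), "quote character"),
    (re.compile(r"\b(?:and|or)\b\s*\d+\s*=\s*\d+", re.I), "boolean tautology"),
    (re.compile(r"--|/\*"), "SQL comment sequence"),
]

def inspect_cf_name(target):
    """Return (cf_name, reasons) for an evoadm.php request; (None, []) otherwise."""
    url = urlparse(target)
    if not url.path.endswith("/evoadm.php"):
        return None, []
    values = parse_qs(url.query).get("cf_name", [])
    reasons = {why for v in values for pat, why in SQLI_PATTERNS if pat.search(v)}
    return (values[0] if values else None), sorted(reasons)

def scan_log(text):
    """Return per-request findings and the clients that probed cf_name repeatedly."""
    findings, per_client = [], Counter()
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        cf_name, reasons = inspect_cf_name(m["target"])
        if reasons:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "cf_name": cf_name, "reasons": reasons})
            per_client[m["ip"]] += 1
    # Repeated attempts from one client (true/false pairs) mark blind testing, not a stray quote.
    probing = sorted(ip for ip, n in per_client.items() if n >= 2)
    return findings, probing
```

A 500 response paired with a quoted cf_name (the second sample line) is the error-based case the advisory describes; the two 200 responses with different sizes are what a true/false blind pair looks like.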
Steps to reproduce:
1. Log in to http://server_ip/b2evolution/evoadm.php as a user with moderator privileges.
2. Click on Collections → Custom filters, enter a single quote (') and click on Apply filters.
3. The above step will throw a bunch of SQL errors, which confirms that cf_name is vulnerable to SQL injection.
4. After confirming that cf_name is vulnerable to SQL injection, feed the request to sqlmap and it will do the rest of the work for you.
Command Execution via sqlmap:
Reported date: 24-02-2021
Fixed date: 26-02-2021
Fixed Version: b2evolution 7.2.3-stable
CVE: CVE-2021-28242
Fixed CMS: https://github.com/b2evolution/b2evolution/releases/tag/7.2.3
Vulnerable CMS: https://github.com/b2evolution/b2evolution/releases/tag/7.2.2
Discoverers:
Avinash — https://www.linkedin.com/in/deadshot/
Balaji Ayyasamy — https://www.linkedin.com/in/balaji-ayyasamy-aa540b109/
Parthasarathi S — https://www.linkedin.com/in/parthasarathi-s-62b8411a4/
Zacco Cyber Security Research Labs, Coimbatore, India.