Vendor: Ushahidi, Inc.
Product web page: http://www.ushahidi.com
Affected version: 2.0.1 (Tunis)
Summary: The Ushahidi Platform is a platform for information
collection, visualization and interactive mapping.
Desc: Input passed via the 'range' parameter to dashboard.php is
not properly sanitised in application/controllers/admin/dashboard.php
before being used in SQL queries. This can be exploited to manipulate
SQL queries by injecting arbitrary SQL code.
-------------------------------------------------------
application/controllers/admin/dashboard.php
Lines: 103-112:
-------------------------------------------------------
// Set the date range (how many days in the past from today ?)
// Default to one year
$range = (isset($_GET['range'])) ? $_GET['range'] : 365;
if (isset($_GET['range']) AND $_GET['range'] == 0)
{
    $range = NULL;
}
$this->template->content->range = $range;
-------------------------------------------------------
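The snippet above hands the raw query-string value straight to the template and, from there, to the SQL that builds the dashboard. The following is an added illustration of the fix a maintainer would apply, not Ushahidi's own code: the 'range' value is validated as a non-negative integer before use, the original semantics (default 365, 0 meaning "no limit") are preserved, and the value is bound as a parameter rather than concatenated into the query. The function names, the PDO usage and the 'incident' table and 'incident_date' column are assumptions made for the example.

```php
<?php
// Added example, not part of the Ushahidi code base.
// dashboard_range(): validate the 'range' GET parameter.
// recent_incident_count(): use it in a parameterised query.
// Table/column names below are assumptions for illustration.

function dashboard_range(array $get): ?int
{
    // Default to one year, as the original controller does.
    if (!isset($get['range'])) {
        return 365;
    }

    // Accept only a short string of digits; anything else is rejected
    // outright instead of being passed on to SQL.
    if (!preg_match('/^\d{1,5}$/', (string) $get['range'])) {
        throw new InvalidArgumentException('range must be a non-negative integer');
    }

    $range = (int) $get['range'];

    // The original treats 0 as "no range limit" (NULL).
    return $range === 0 ? null : $range;
}

function recent_incident_count(PDO $db, ?int $range): int
{
    if ($range === null) {
        // No range: count everything, no user input involved.
        $stmt = $db->query('SELECT COUNT(*) FROM incident');
    } else {
        // Even though $range is already an int, bind it as a parameter
        // rather than interpolating it into the SQL string.
        $stmt = $db->prepare(
            'SELECT COUNT(*) FROM incident
             WHERE incident_date >= DATE_SUB(CURDATE(), INTERVAL :days DAY)'
        );
        $stmt->bindValue(':days', $range, PDO::PARAM_INT);
        $stmt->execute();
    }
    return (int) $stmt->fetchColumn();
}

// Demonstration with constructed query strings (no database needed).
var_dump(dashboard_range([]));                // no parameter: default
var_dump(dashboard_range(['range' => '0']));  // zero: no limit
var_dump(dashboard_range(['range' => '30'])); // ordinary value

try {
    // Constructed non-numeric input of the kind the advisory describes;
    // the validator rejects it before any query is built.
    dashboard_range(['range' => '30 OR 1=1']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The whitelist regex is deliberately stricter than a plain `(int)` cast: a cast would silently turn `30 OR 1=1` into `30` and hide the probe from logs, whereas rejecting it gives the application a clear point at which to log and alert on the malformed request.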
Tested on: Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
Liquidworm gmail com
Advisory ID: ZSL-2011-5016
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5016.php
Vendor Advisory: http://dev.ushahidi.com/issues/show/2195
25.05.2011
----
PoC:
- http://www.bkjia.com/index.php/admin/dashboard?range=1[SQLi]