Second high risk flaw in 2 months found in articleFR
High-Tech Bridge operates a responsible disclosure policy. When our researchers find a vulnerability we file a report to the vendor, which contains all details about the vulnerability and a PoC (Proof-of-Concept) code, that can be used to confirm its existence. High-Tech Bridge also has a responsibility to users - so it gives the vendor several weeks to fix the flaw before moving to full disclosure.
The clock is currently ticking for Free RePrintables, supplier of articleFR - an open source article directory system written in PHP and MySQL, which its vendor claims can "hold millions of data and still function normally."
High-Tech Bridge researchers have discovered a SQL injection flaw in the latest version (3.0.4), which most likely also exists in earlier versions. The flaw is of type CWE-89: improper neutralization of special elements used in an SQL command, which allows an attacker to alter the SQL statement the application sends to its database. The CWE/Mitre website explains: "This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands..."
It goes on to add that type CWE-89 flaws are easily exploited, and as such, any site or software package with even a minimal user base is likely to be subject to an attempted attack of this kind.
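To show what "alter query logic to bypass security checks" means in practice, here is an added illustration of the CWE-89 pattern, not code from articleFR or High-Tech Bridge's advisory. It uses Python's built-in sqlite3 module with a constructed `articles` table (the schema, the `search_*` functions and the `PAYLOAD` string are all assumptions for the demo): the vulnerable function concatenates a user-supplied author name into the query text, the fixed one binds it as a parameter. The `quote_probe` helper shows the first check a tester makes when confirming a flaw of this type: does a lone quote character break the query?

```python
import sqlite3

# Constructed sample data (not articleFR's real schema): one table of articles,
# some of them unpublished drafts that a public search must never return.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, "
        "author TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO articles (title, author, published) VALUES (?, ?, ?)",
        [
            ("Public article", "alice", 1),
            ("Draft, not yet public", "bob", 0),
            ("Another public one", "carol", 1),
        ],
    )
    return conn

def search_vulnerable(conn, author):
    # CWE-89: untrusted input is pasted straight into the SQL text, so a quote
    # in the input ends the string literal and the rest becomes SQL.
    sql = ("SELECT title FROM articles WHERE published = 1 AND author = '"
           + author + "' ORDER BY id")
    return [row[0] for row in conn.execute(sql)]

def search_fixed(conn, author):
    # Parameterised query: the value travels separately from the statement and
    # can never change its structure, whatever characters it contains.
    sql = "SELECT title FROM articles WHERE published = 1 AND author = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (author,))]

# Classic tautology payload (assumed for the demo). In the vulnerable query it
# yields: ... WHERE published = 1 AND author = 'x' OR '1'='1' ORDER BY id
# AND binds tighter than OR, so the always-true OR branch returns every row,
# including the unpublished draft: the "published = 1" check is bypassed.
PAYLOAD = "x' OR '1'='1"

def demo():
    conn = make_db()
    return {
        "vulnerable_normal": search_vulnerable(conn, "alice"),
        "vulnerable_payload": search_vulnerable(conn, PAYLOAD),
        "fixed_payload": search_fixed(conn, PAYLOAD),
    }

def quote_probe(search):
    """Return True if a lone quote makes the query fail with a syntax error.

    That is the usual first signal of CWE-89 when confirming a report: the
    vulnerable query breaks, the parameterised one simply matches nothing.
    """
    conn = make_db()
    try:
        search(conn, "'")
        return False
    except sqlite3.OperationalError:
        return True

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
    print("vulnerable breaks on a quote:", quote_probe(search_vulnerable))
    print("fixed breaks on a quote:", quote_probe(search_fixed))
```

The same distinction applies in PHP with MySQL, where articleFR lives: building the statement with string concatenation is the vulnerable shape, and a prepared statement with bound parameters (PDO or mysqli) is the fix. The probe above is only a confirmation step; a real report such as High-Tech Bridge's PoC would name the exact parameter and request.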
This vulnerability carries a high risk for articleFR users. In fact, SQL injection vulnerabilities have led to some of the most serious breaches of the last few years. Last month the Wall Street Journal announced that its network had been breached (via SQLi), and user credentials were offered for sale that would allow a buyer to "modify articles, add new content, insert malicious content in any page, add new users, delete users and so on."
At the end of last year, the FBI admitted that a year-long campaign by Anonymous had led to the breach of a number of its servers via SQLi vulnerabilities. And the massive theft of 50 million user details from LivingSocial customers last year also came via a SQLi flaw. Even the compromise of security firm Bit9 started with the cybercriminals exploiting a SQLi vulnerability. The list is seemingly endless.
The problem here is that Free RePrintables has history. High-Tech Bridge found a different flaw on 11 June 2014. That one was an improper access control flaw (type CWE-284). High-Tech Bridge’s advisory explained:
"A remote attacker can modify or delete information stored in database and gain complete control over the application."
Once again the articleFR flaw carries a high risk to its users – and you would expect the vendor, given such an alert, to respond with some haste. Free RePrintables did not. Between the June discovery and High-Tech Bridge’s full disclosure on July 30, High-Tech Bridge contacted Free RePrintables about this vulnerability on six separate occasions, and even raised the issue (26 June) on GitHub. One day later, the vendor stated that the flaw had been fixed, which was later amended to "will be fixed in an upcoming version".
It has not been fixed. On 16 July, High-Tech Bridge’s researchers verified that it still existed in the then latest version, 3.0.2. On 27 July, Free RePrintables locked down GitHub so that High-Tech Bridge could make no further comments.
By 30 July, High-Tech Bridge researchers verified that the flaw still exists in the latest version (now 3.0.4), and that it was getting nowhere in discussions with the vendor. It went to ‘full disclosure’.
But rather than leave articleFR customers fully exposed to a high risk vulnerability, the High-Tech Bridge researchers developed their own fix for the flaw, and made this freely available: https://www.immuniweb.com/advisory/HTB23219-patch.zip.
Given this history of delay and denial, what hope that Free RePrintables will act with any more urgency over the new SQL injection flaw?
"All software has bugs", comments High-Tech Bridge Chief Research Officer Marsel Nizamutdinov. "That’s the reality. If we want to make the internet a more secure and safer place, we need to find and fix these bugs before the criminals find and exploit them."
High-Tech Bridge researchers help find the flaws – but it is then up to the vendor to fix them.
"We created a patch for the first articleFR flaw, because we don’t want to leave the users in the lurch. But it is and can only be a stop-gap. Fixes have to come from the vendor, so that they are built into the application and get carried forwards. We hope that Free RePrintables doesn’t let things slide with this latest vulnerability. We’re here to help – but it is up to the vendor to fix the flaws."