[CVE-2017-17902] Kliqqi CMS – SQL Injection Vulnerability in Version 3.5.2


Product Information:

Software: Kliqqi CMS

Tested Version: 3.5.2, released 11.01.2017

Vulnerability Type: Blind SQL Injection

Description: Kliqqi is a fork of Pligg CMS


Vulnerability description:

There is a Blind SQL Injection in Kliqqi CMS.

Steps to replicate:

  1. Create a new story
  2. Navigate to the new story (e.g. /pligg/story.php?title=sqli-poc2-story)
  3. Turn on intercept in Burp Suite, then return to the browser and submit a new comment.
  4. Back in Burp Suite, append AND (SELECT * FROM (SELECT(SLEEP(5)))MBMY) to the randkey parameter.
  5. Forward the request and watch the loading icon. The application should pause for 5 seconds before the loading icon disappears and the Kliqqi logo is displayed.

Impact:

SQL injection attacks will habitually allow the intruder to view data contained in the database and modify its content. However, data confidentiality and integrity are not the only concern when considering this security issue. In fact, the hacker could gain much more privileges over the database. In some cases, he could even end up acting as a system administrator of the database server.

Source: http://www.sqlinjection.net/risks/


Solution:

The developer of Kliqqi CMS has moved on to a new project – Plikli CMS.

Plikli CMS v4.0 includes a fix for the vulnerability described in this advisory.
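The following is an added illustration of the mitigation pattern for this class of bug; it is not code from Kliqqi, Plikli or the advisory author. It assumes a hypothetical stories table and comment-submission lookup, and treats randkey as a numeric token (an assumption about the legitimate format). It contrasts string-spliced SQL with a parameterized query using the payload quoted in the reproduction steps, and adds a format check plus a log-oriented signature check for time-based injection markers. SQLite is used as a stand-in database: it has no SLEEP() function, so the spliced query fails at parse time, which is the evidence that the parameter text was interpreted as SQL rather than as data.

```python
"""Mitigation pattern for CVE-2017-17902 (added example, not project code).

Assumptions (not from the advisory): the table layout, the lookup query,
and that a legitimate randkey is a short decimal token.
"""
import re
import sqlite3
from typing import Optional

# Payload from the advisory's reproduction steps (MySQL syntax).
ADVISORY_PAYLOAD = "AND (SELECT * FROM (SELECT(SLEEP(5)))MBMY)"

# Assumed legitimate format for randkey: 4 to 12 decimal digits.
RANDKEY_RE = re.compile(r"^[0-9]{4,12}$")

# Time-based injection markers across common database families.
TIME_BASED_RE = re.compile(
    r"\b(SLEEP\s*\(|BENCHMARK\s*\(|WAITFOR\s+DELAY|PG_SLEEP\s*\(|DBMS_LOCK\.SLEEP)",
    re.IGNORECASE,
)


def is_valid_randkey(value: str) -> bool:
    """Allow-list check: reject anything that is not a plain numeric token."""
    return bool(RANDKEY_RE.match(value))


def has_time_based_signature(value: str) -> bool:
    """Detection aid for request logs / WAF rules: flags delay primitives."""
    return bool(TIME_BASED_RE.search(value))


def setup_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the stories table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE stories (id INTEGER PRIMARY KEY, randkey INTEGER, title TEXT)"
    )
    conn.execute("INSERT INTO stories VALUES (1, 8675309, 'sqli-poc2-story')")
    conn.commit()
    return conn


def probe_unsafe(conn: sqlite3.Connection, randkey: str) -> str:
    """Vulnerable pattern: the parameter is spliced into the SQL text.

    On MySQL the advisory payload would delay the response by 5 seconds;
    SQLite lacks SLEEP(), so the parser error is the tell-tale instead.
    """
    try:
        row = conn.execute(
            f"SELECT id FROM stories WHERE randkey = {randkey}"
        ).fetchone()
    except sqlite3.OperationalError as exc:
        return f"parser-error: {exc}"
    return "match" if row else "no-match"


def lookup_story_safe(conn: sqlite3.Connection, randkey: str) -> Optional[int]:
    """Hardened pattern: placeholder binding, the value never becomes SQL."""
    row = conn.execute(
        "SELECT id FROM stories WHERE randkey = ?", (randkey,)
    ).fetchone()
    return row[0] if row else None


def handle_comment_submission(conn: sqlite3.Connection, randkey: str) -> str:
    """Layered handling: validate format first, then query with binding."""
    if not is_valid_randkey(randkey):
        reason = "rejected: malformed randkey"
        if has_time_based_signature(randkey):
            reason += " (time-based injection signature)"
        return reason
    if lookup_story_safe(conn, randkey) is None:
        return "rejected: unknown story"
    return "accepted"


if __name__ == "__main__":
    db = setup_db()
    tampered = "8675309 " + ADVISORY_PAYLOAD
    print("unsafe, benign :", probe_unsafe(db, "8675309"))
    print("unsafe, payload:", probe_unsafe(db, tampered))
    print("safe,   benign :", lookup_story_safe(db, "8675309"))
    print("safe,   payload:", lookup_story_safe(db, tampered))
    print("handler        :", handle_comment_submission(db, tampered))
```

The parameterized lookup returns no row for the tampered value because the whole string is bound as one comparison operand; the format check in front of it gives the application a cheap place to log and reject the request, and the signature check is the kind of rule a reviewer would put on the access-log side to spot attempts against an unpatched install.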


Timeline:

Vulnerability found: 24.12.2017

Vendor informed: 24.12.2017

Response by vendor: 24.12.2017

Fix by vendor: 03.01.2018

Patched version released: 22.04.2018

Public Advisory: 22.04.2018


References:

https://www.plikli.com/download-plikli/