[CVE-2017-17889] Kliqqi CMS - SQL Injection Vulnerability in Version 3.5.2


Product Information:

Software: Kliqqi CMS

Tested Version: 3.5.2, released 11.01.2017

Vulnerability Type: Blind SQL Injection

Description: Kliqqi is a fork of Pligg CMS


Vulnerability description:

There is a blind SQL injection in Kliqqi CMS, reachable through the randkey parameter of the comment submission request.

Steps to replicate:

  1. Create a new story
  2. Navigate to the new story (e.g. /pligg/story.php?title=sqli-poc2-story)
  3. Toggle Burp Suite to intercept, then return to the browser and submit a new comment.
  4. Return to Burp Suite and append AND (SELECT * FROM (SELECT(SLEEP(5)))MBMY) to the randkey parameter
  5. Forward the request and watch the loading icon. The application should sleep for 5 seconds before the loading icon disappears and the Kliqqi logo loads.

Impact:

SQL injection attacks will habitually allow the intruder to view data contained in the database and modify its content. However, data confidentiality and integrity is not the only concern when considering this security issue. In fact, the hacker could gain much more privileges over the database. In some cases, he could even end up acting as a system administrator of the database server.

Source: http://www.sqlinjection.net/risks/


Solution:

The developer of Kliqqi CMS has moved on to a new project - Plikli CMS.

Plikli CMS v4.0 includes a fix for the vulnerability described in this advisory.
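
Added example, not code from Kliqqi or Plikli: a review check for captured comment POST bodies that flags any randkey value that is not a plain number, which is what the string appended in step 4 produces. It assumes the form is sent as application/x-www-form-urlencoded and that a legitimate randkey is purely numeric; the function names, the comment_content field and the sample bodies are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Assumption: a legitimate randkey is a short run of ASCII decimal digits.
RANDKEY_OK = re.compile(r"[0-9]{1,20}")


def check_randkey(body: str) -> str:
    """Classify one form-encoded comment POST body.

    Returns "ok", "missing", "duplicate" or "suspicious".
    """
    # keep_blank_values so an empty randkey is seen rather than dropped.
    fields = parse_qs(body, keep_blank_values=True)
    values = fields.get("randkey")
    if values is None:
        return "missing"
    if len(values) > 1:
        # Repeated parameters can make a filter and the application
        # disagree about which value is used, so flag them outright.
        return "duplicate"
    # parse_qs has already percent-decoded the value and turned '+' into ' '.
    return "ok" if RANDKEY_OK.fullmatch(values[0]) else "suspicious"


def review(bodies):
    """Return (index, verdict) for every body whose verdict is not "ok"."""
    return [(i, v) for i, b in enumerate(bodies)
            if (v := check_randkey(b)) != "ok"]


# Constructed sample bodies; field names other than randkey are hypothetical.
SAMPLE_BODIES = [
    "comment_content=nice+story&randkey=48213377",
    # The string from step 4 appended to randkey, percent-encoded.
    "comment_content=x&randkey=48213377+AND+%28SELECT+*+FROM+"
    "%28SELECT%28SLEEP%285%29%29%29MBMY%29",
    "comment_content=x&randkey=1&randkey=2",
    "comment_content=x",
    "comment_content=x&randkey=",
]

if __name__ == "__main__":
    for index, verdict in review(SAMPLE_BODIES):
        print(index, verdict)
```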


Timeline:

Vulnerability found: 24.12.2017

Vendor informed: 24.12.2017

Response by vendor: 24.12.2017

Fix by vendor: 03.01.2018

Patched version released: 22.04.2018

Public Advisory: 22.04.2018


References:

https://www.plikli.com/download-plikli/