[CVE-2017-17889] Kliqqi CMS - SQL Injection Vulnerability in Version 3.5.2
Software: Kliqqi CMS
Tested Version: 3.5.2, released 11.01.2017
Vulnerability Type: Blind SQL Injection
Description: Kliqqi is a fork of Pligg CMS
There are is a Blind SQL Injection in Kliqqi CMS.
Steps to replicate:
- Create a new story
- Navigate to the new story (e.g. /pligg/story.php?title=sqli-poc2-story)
- Toggle burpsuite to intercept, and return to the browser to submit a new comment.
- Return back to burpsuite and append AND (SELECT * FROM (SELECT(SLEEP(5)))MBMY) to the randkey parameter
- Forward the request and take note of the loading icon. The application should sleep for 5 seconds before the loading icon disappears and loads Kliqqi logo.
SQL injection attacks will habitually allow the intruder to view data contained in the database and modify its content. However, data confidentiality and integrity is not the only concern when considering this security issue. In fact, the hacker could gain much more privileges over the database. In some cases, he could even end up acting as a system administrator of the database server.
The developer of Kliqqi CMS has moved on to a new project - Plikli CMS.
Plikli CMS v4.0 includes fix for the mentioned vulnerability in this advisory.
Vulnerability found: 24.12.2017
Vendor informed: 24.12.2017
Response by vendor: 24.12.2017
Fix by vendor: 03.01.2018
Patched version released: 22.04.2018
Public Advisory: 22.04.2018