===============================
                   - Advisory -
          ===============================

  Tittle:   KBPublisher 6.0.2.1 - Multiple SQL Injection
    Risk:   High
    Date:   21.Aug.2019
  Author:   Pedro Andujar
 Twitter:   @pandujar


           
.: [ INTRO ] :

KBPublisher is Knowledge Management Software. It reduces the need for customer support, improves staff productivity, and eliminates 
time wasted searching for information.


.: [ TECHNICAL DESCRIPTION ] :.

KBPublisher release 6.0.2, and probably prior versions, contain multiple SQLi vulnerabilities that affect not only the admin interface but also the public (unauthenticated)
area of the application


.: [ ISSUE #1 ]:.

Name: Multiple SQLi
Severity: High
CVE: CVE-2019-10687

Affected URL's from the admin area:
https://SITE/admin/index.php?module=report&page=report_entry&entry_id%5B0%5D=325PAYLOAD&filter%5Bt%5D=1&ajax=1 (Also affecting to POST parameters)

https://SITE/admin/index.php?module=log&page=login_log&action=detail&id=PAYLOAD
 
The publicly accesible URL, correspond to the print feature:
https://SITE/index.php?View=print&id%5B%5D=PAYLOAD

During the test, it was possible to dump users and hashes of the application as any other content from the DB.


.: [ CHANGELOG ] :.

  * 21/Mar/2019:   - Vuln discovered during engagement.
  * 21/Mar/2019:   - KBP product security contacted. 
  * 22/Mar/2019:   - Replied providing workarround. 
  * 30/Apr/2019:   - New release of KBP released to public. 
  * 21/Ago/2019:   - Public disclosure.

(Kudos to Evgeny Leontev, for the excelent communication and incident handling)


.: [ SOLUTIONS ] :.

Upgrade to version 7.0 or higher.


.: [ REFERENCES ] :.

   [+] KBPublisher Release Notes
    https://www.kbpublisher.com/kb/release-notes-59/
    
   [+] Tarlogic
    https://www.tarlogic.com/

   [+] Black Arrow
    https://www.blackarrow.net




                    -=EOF=-