Author Topic: Warning: SQL Injection vulnerability  (Read 3850 times)

Offline DarkViper

  • Forum administrator
  • *****
  • Posts: 2978
  • Gender: Female
Warning: SQL Injection vulnerability
« on: February 26, 2016, 11:08:51 AM »
!! Warning !! on Wed, 24 Feb 2016 we got this notification:
Quote
Advisory ID: HTB23296
Reference: https://www.htbridge.com/advisory/HTB23296
Product: WebsiteBaker
Vendor: WebsiteBaker Org e.V. ( http://WebsiteBaker.org/ )
Vulnerable Version(s): 2.8.3-SP5 and probably prior
Tested Version: 2.8.3-SP5
Public Disclosure: March 16, 2016
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: Critical
CVSSv3 Base Score: 10 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H]
Discovered and Provided: High-Tech Bridge Security Research Lab


That SQL Injection vulnerability is present in all WB Versions less then 2.8.3-SP6.
It allows privilege escalation as well as a complete overtaking of the whole database and the server possibly too.

*** We strongly recommend to upgrade all former installations up to the newest 2.8.3+SP7 as soon as possible. ***

Right now we check out for similar vulnerabilities to fix it before WB 2.8.3+SP7 become stable state.

Take care: All of the previous versions before WB 2.8.3+SP6 are prone to attacks!! It is your own decision only to get a secure system!
You can get the Downloads from our Wiki and the Addon repository too.

Downloads from any other sources are not official WebsiteBaker downloads and should be taken carefull. We can not promise a 'fault free' work for!

have fun with WebsiteBaker,

Manuela
« Last Edit: August 06, 2016, 12:52:20 PM by DarkViper »
Der blaue Planet - er ist nicht unser Eigentum - wir haben ihn nur von unseren Nachkommen geliehen

"You have to take the men as they are… but you can not leave them like that !" :-P
Das tägliche Stoßgebet: Oh Herr, wirf ihnen Hirn vom Himmel !

 

postern-length