WebsiteBaker Community Forum

WebsiteBaker => Security Announcements => Topic started by: DarkViper on February 26, 2016, 11:08:51 AM

Title: Warning: SQL Injection vulnerability
Post by: DarkViper on February 26, 2016, 11:08:51 AM
!! Warning !! On Wed, 24 Feb 2016 we got this notification:
Quote
Advisory ID: HTB23296
Reference: https://www.htbridge.com/advisory/HTB23296
Product: WebsiteBaker
Vendor: WebsiteBaker Org e.V. ( http://WebsiteBaker.org/ )
Vulnerable Version(s): 2.8.3-SP5 and probably prior
Tested Version: 2.8.3-SP5
Public Disclosure: March 16, 2016
Vulnerability Type: SQL Injection [CWE-89]
Risk Level: Critical
CVSSv3 Base Score: 10 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H]
Discovered and Provided: High-Tech Bridge Security Research Lab


That SQL Injection vulnerability is present in all WB versions less than 2.8.3-SP6.
It allows privilege escalation as well as a complete takeover of the whole database, and possibly of the server too.

*** We strongly recommend upgrading all existing installations to the newest 2.8.3+SP7 (http://addon.WebsiteBaker.org/pages/en/browse-add-ons.php?id=0EDA9662) as soon as possible. ***

Right now we are checking for similar vulnerabilities in order to fix them before WB 2.8.3+SP7 reaches stable state.

Take care: all previous versions before WB 2.8.3+SP6 are prone to attacks!! It is your own decision alone to get a secure system!
You can get the downloads from our Wiki (http://wiki.WebsiteBaker.org/doku.php/en/downloads) and from the Addon repository (http://addon.WebsiteBaker.org/pages/en/browse-add-ons.php?id=0EDA9662) too.

Downloads from any other sources are not official WebsiteBaker downloads and should be treated carefully. We cannot promise 'fault free' operation for them!

have fun with WebsiteBaker,

Manuela