
Ushahidi 2.0.1 (range param) SQL Injection Vulnerability (post-auth)

Risk: Medium
Advisory ID: ZSL-2011-5016
Release Date: 02 June 2011
Vendor: Ushahidi, Inc. - http://www.ushahidi.com
Affected Version: 2.0.1 (Tunis)
CVE: N/A
Tested On: Microsoft Windows XP Professional SP3 (EN), Apache 2.2.14 (Win32), PHP 5.3.1, MySQL 5.1.41
Summary

The Ushahidi Platform is a platform for information collection, visualization and interactive mapping.

Description

Input passed via the 'range' parameter to dashboard.php is not properly sanitised in application/controllers/admin/dashboard.php before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

/application/controllers/admin/dashboard.php
----------------

    // Set the date range (how many days in the past from today?)
    // default to one year
    $range = (isset($_GET['range'])) ? $_GET['range'] : 365;

    if(isset($_GET['range']) AND $_GET['range'] == 0)
    {
        $range = NULL;
    }

    $this->template->content->range = $range;
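A hardened form of the snippet above, written here as an added example rather than Ushahidi's own patch: the 'range' value is validated as a bounded non-negative integer before it reaches the template or any query, the original "0 means no limit" behaviour is kept, and the query that consumes it binds the value instead of interpolating it. The PDO connection, the table and column names and the query text are assumptions, since the advisory does not show the real SQL.

```php
<?php
// Added example (not the vendor's patch): whitelist the 'range' parameter
// before it is used anywhere. Only plain integer literals between 0 and
// $max are accepted; anything else falls back to the default of 365 days.
function sanitize_range(array $get, int $default = 365, int $max = 3650): ?int
{
    if (!isset($get['range'])) {
        return $default;
    }
    // FILTER_VALIDATE_INT rejects strings that are not a bare integer
    // (e.g. "365 OR 1=1", "1e3", "") and the options bound the value.
    $value = filter_var($get['range'], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => $max],
    ]);
    if ($value === false) {
        return $default;
    }
    // Preserve the original semantics: range=0 means "no date limit".
    return $value === 0 ? null : $value;
}

// Even a validated integer should be bound, not concatenated. $pdo is an
// assumed PDO connection; 'incident' and 'incident_date' are placeholder
// names, not taken from the advisory.
function count_recent_reports(PDO $pdo, ?int $range): int
{
    if ($range === null) {
        $stmt = $pdo->query('SELECT COUNT(*) FROM incident');
    } else {
        $stmt = $pdo->prepare(
            'SELECT COUNT(*) FROM incident '
            . 'WHERE incident_date >= DATE_SUB(NOW(), INTERVAL :days DAY)'
        );
        $stmt->bindValue(':days', $range, PDO::PARAM_INT);
        $stmt->execute();
    }
    return (int) $stmt->fetchColumn();
}

// Constructed inputs: a normal value, the "no limit" value, an injection
// attempt that is rejected, and a missing parameter.
var_dump(sanitize_range(['range' => '30']));
var_dump(sanitize_range(['range' => '0']));
var_dump(sanitize_range(['range' => '365 OR 1=1']));
var_dump(sanitize_range([]));
```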
Proof of Concept
Disclosure Timeline
25.05.2011 - Vulnerability discovered.
25.05.2011 - Initial contact with the vendor.
27.05.2011 - Vendor replies asking for more details.
27.05.2011 - Sent PoC files to vendor.
28.05.2011 - Vendor forwards issue to corresponding division.
31.05.2011 - Asked vendor for confirmation and scheduled patch release date.
31.05.2011 - Vendor replies confirming the issue and promising patch.
02.06.2011 - Coordinated public security advisory released.
Credits
Vulnerability discovered by Gjoko Krstic
References
Changelog
02.06.2011 - Initial release
03.06.2011 - Added reference [3], [4], [5] and [6]
04.06.2011 - Added reference [7] and [8]
07.06.2011 - Added reference [9]
26.08.2012 - Added reference [10]