glFusion 1.3.0 - Blind SQL Injection
Advisory ID: RO-13-001
Severity: Critical
Vendor: glFusion
Product: glFusion CMS
Version: 1.3.0


Overview #

A critical Blind SQL Injection vulnerability exists in glFusion CMS version 1.3.0, affecting the Media Gallery search functionality. The vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands and potentially compromise the entire database.


Vulnerability Details #

Affected Versions: 1.3.0 and earlier

Location: /mediagallery/search.php

Affected Parameter: cat_id

Root Cause: The vulnerability exists due to insufficient input validation on the cat_id parameter. User-supplied input is directly concatenated into an SQL query without proper sanitization or parameterized queries, allowing attackers to inject malicious SQL statements.


Exploitation Requirements #

    No authentication required
    Media Gallery module must be enabled
    Direct access to the search endpoint

Impact #

Remote attackers can exploit this vulnerability to:

    Extract sensitive data from the database (usernames, passwords, emails)
    Bypass authentication mechanisms
    Modify or delete database content
    Potentially gain administrative access to the CMS

Proof of Concept #

POST /mediagallery/search.php HTTP/1.1
Host: target.com
Content-Type: application/x-www-form-urlencoded

cat_id='+(SELECT 1 FROM (SELECT SLEEP(25))A)+'

Time-based Blind SQL Injection: If the server response is delayed by 25 seconds, the target is vulnerable.


Solution #

Upgrade to glFusion version 1.3.1 or later, which includes proper input sanitization for the affected parameter.


References #

    Invicti Advisory NS-13-009
    Exploit-DB 28185
    Vendor Patch

Timeline:

    [2013-09-05] - First contact
    [2013-09-06] - Fix released
    [2013-09-09] - Advisory released

Credits: Omar Kurt