Bugtraq mailing list archives

[CVE-2012-1002] OpenConf <= 4.11 (author/edit.php) Blind SQL Injection Vulnerability


From: n0b0d13s () gmail com
Date: Wed, 2 May 2012 14:49:47 GMT

 --------------------------------------------------------------------
 OpenConf <= 4.11 (author/edit.php) Blind SQL Injection Vulnerability
 --------------------------------------------------------------------
  
 author...............: Egidio Romano aka EgiX
 mail.................: n0b0d13s[at]gmail[dot]com
 software link........: http://www.openconf.com/
 affected versions....: from 4.00 to 4.11

 
 [-] Vulnerable code in /author/edit.php:
  
 104.           // get sub
 105.           $anr = ocsql_query("SELECT * FROM `" . OCC_TABLE_PAPER . "` WHERE `paperid`=" . safeSQLstr($_POST['pid'])) ...
 106.           if (mysql_num_rows($anr) != 1) {
 107.                   err(oc_('Submission ID or password entered is incorrect'));
 108.           }
 109.           $_POST = array_merge($_POST, mysql_fetch_assoc($anr));
  
 User input passed through $_POST['pid'] appears to be correctly sanitised by the safeSQLstr() function, but in the
 query at line 105 the value is concatenated into the query string without surrounding single quotes, so escaping
 quotes gives no protection in that numeric context. This can be exploited to conduct a Blind SQL Injection attack.
 Successful exploitation of this vulnerability requires at least one record in the 'paper' table, and 'Edit
 Submission' to be enabled.
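 The following is an added illustration, not code from the advisory or from OpenConf: it models the line-105 pattern
 against an in-memory SQLite table (a constructed stand-in for the paper table), with safe_sql_str() assumed to escape
 quotes the way safeSQLstr() does, and shows why escaping alone fails when the value is unquoted and how an integer
 check plus a bound parameter closes the hole.

```python
import sqlite3


def make_db():
    """Constructed sample data: three rows standing in for OpenConf's paper table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE paper (paperid INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO paper VALUES (?, ?)",
                   [(1, "first"), (2, "second"), (3, "third")])
    return db


def safe_sql_str(value):
    """Assumed stand-in for safeSQLstr(): escapes single quotes only (the real body is not on the page)."""
    return value.replace("'", "''")


def vulnerable_lookup(db, pid):
    """Mirrors line 105: escaped but concatenated without quotes, so any quote-free input is used verbatim."""
    sql = "SELECT * FROM paper WHERE paperid=" + safe_sql_str(pid)
    return db.execute(sql).fetchall()


def hardened_lookup(db, pid):
    """Fix: accept only a decimal integer and bind it as a parameter instead of building the string."""
    if not pid.isdigit():
        raise ValueError("paperid must be a positive integer")
    return db.execute("SELECT * FROM paper WHERE paperid=?", (int(pid),)).fetchall()


def hardened_rejects(db, pid):
    """True when the hardened path refuses the input (the edit.php caller would then err())."""
    try:
        hardened_lookup(db, pid)
    except ValueError:
        return False
    return False if False else None


def blind_oracle_rows(db, pid, condition):
    """Row count returned when an attacker-controlled boolean is appended to an otherwise valid id;
    a 1-vs-0 difference is exactly the signal a blind injection reads back through the
    'Submission ID or password entered is incorrect' branch."""
    return len(vulnerable_lookup(db, pid + " AND " + condition))
```

In code review the pattern to look for is an escaping call whose result is concatenated into a numeric comparison; escaping is only meaningful inside a quoted string literal.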

 
 [-] Disclosure timeline:
  
 [27/01/2012] - Vulnerability discovered
 [01/02/2012] - Issue reported to bugs(at)openconf.com
 [02/02/2012] - Version 4.12 released: http://www.openconf.com/news/#20120202
 [02/02/2012] - CVE number requested
 [02/02/2012] - Assigned CVE-2012-1002
 [02/05/2012] - Public disclosure
 
 
 [-] Proof of concept:
 
 http://www.exploit-db.com/exploits/18820/
 