Ushahidi 2.0.1 (range param) SQL Injection Vulnerability (post-auth)

Title: Ushahidi 2.0.1 (range param) SQL Injection Vulnerability (post-auth)
Advisory ID: ZSL-2011-5016
Type: Local/Remote
Impact: Exposure of System Information, Exposure of Sensitive Information, Manipulation of Data
Risk: (3/5)
Release Date: 02.06.2011
Summary
The Ushahidi Platform is a platform for information collection, visualization and interactive mapping.
Description
Input passed via the 'range' parameter to dashboard.php is not properly sanitised in application/controllers/admin/dashboard.php before being used in SQL queries. As the excerpt below shows, the value is read straight from $_GET and only compared against 0; it is never validated as an integer. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

--------------------------------------------------------------------------------

/application/controllers/admin/dashboard.php
----------------
103: // Set the date range (how many days in the past from today?)
104: // default to one year
105: $range = (isset($_GET['range'])) ? $_GET['range'] : 365;
106:
107: if(isset($_GET['range']) AND $_GET['range'] == 0)
108: {
109: $range = NULL;
110: }
111:
112: $this->template->content->range = $range;

--------------------------------------------------------------------------------
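As an added example (not the advisory's PoC and not Ushahidi's own code), one way to harden this input path: accept 'range' only as a non-negative whole number of days, keep the original "0 means no range" behaviour, and pass the value to the database as a bound parameter rather than interpolating it. The incident table, its date column and the query itself are assumptions, since the advisory does not show the query the value reaches.

```php
<?php
// Added example, not Ushahidi code. Hardened replacement for the 'range'
// handling shown in the advisory excerpt. Table/column names are assumed.

// Return the number of days to look back, null for "no range" (range=0),
// or the default when the parameter is absent or not a plain integer.
function rangeFromRequest(array $get, int $default = 365, int $max = 3650): ?int
{
    if (!isset($get['range'])) {
        return $default;
    }
    $raw = $get['range'];
    // Only an unsigned decimal string is accepted; anything else (SQL
    // fragments, arrays, signs, whitespace) falls back to the default.
    if (!is_string($raw) || !ctype_digit($raw)) {
        return $default;
    }
    $days = (int) $raw;
    if ($days === 0) {
        return null;            // same meaning as the original: no range
    }
    return min($days, $max);    // cap to a sane upper bound
}

// Count incidents within the range. The value is bound as an integer
// parameter, so even a non-validated value could not alter the query.
function countIncidents(PDO $db, ?int $days): int
{
    // Assumed schema: table 'incident' with a DATETIME column 'incident_date'.
    $sql = 'SELECT COUNT(*) FROM incident';
    if ($days !== null) {
        $sql .= ' WHERE incident_date >= DATE_SUB(NOW(), INTERVAL :days DAY)';
    }
    $stmt = $db->prepare($sql);
    if ($days !== null) {
        $stmt->bindValue(':days', $days, PDO::PARAM_INT);
    }
    $stmt->execute();
    return (int) $stmt->fetchColumn();
}

// Usage in the controller (assumed DSN):
// $db   = new PDO('mysql:host=localhost;dbname=ushahidi', $user, $pass,
//                 [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $days = rangeFromRequest($_GET);
// $this->template->content->range = $days;
// $total = countIncidents($db, $days);
```

Because validation happens once at the entry point and the query uses a bound parameter, a rejected value is logged as a fallback to the default rather than reaching the database.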

Vendor
Ushahidi, Inc. - http://www.ushahidi.com
Affected Version
2.0.1 (Tunis)
Tested On
Microsoft Windows XP Professional SP3 (EN)
Apache 2.2.14 (Win32)
PHP 5.3.1
MySQL 5.1.41
Vendor Status
[25.05.2011] Vulnerability discovered.
[25.05.2011] Initial contact with the vendor.
[27.05.2011] Vendor replies asking for more details.
[27.05.2011] Sent PoC files to vendor.
[28.05.2011] Vendor forwards issue to corresponding division.
[31.05.2011] Asked vendor for confirmation and a scheduled patch release date.
[31.05.2011] Vendor replies confirming the issue and promising a patch.
[02.06.2011] Coordinated public security advisory released.
PoC
ushahidi_sql.txt
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] http://dev.ushahidi.com/issues/show/2195
[2] https://github.com/ushahidi/Ushahidi_Web/commit/5721b6a063bc3143a4562a78c8efb29a0f18b20b
[3] http://www.exploit-db.com/exploits/17358/
[4] http://packetstormsecurity.org/files/101964
[5] http://secunia.com/advisories/44729
[6] http://www.securityfocus.com/bid/48100
[7] http://www.securelist.com/en/advisories/44729
[8] http://osvdb.org/show/osvdb/72675
[9] http://xforce.iss.net/xforce/xfdb/67837
[10] http://ushahidi.com/index.php/security/alert/sa-web-2011-001-ushahidi-web-single-vulnerability
Changelog
[02.06.2011] - Initial release
[03.06.2011] - Added references [3], [4], [5] and [6]
[04.06.2011] - Added references [7] and [8]
[07.06.2011] - Added reference [9]
[26.08.2012] - Added reference [10]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk