[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[FD] Blind SQL injections in CivicRM
- To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "fulldisclosure@xxxxxxxxxxxx" <fulldisclosure@xxxxxxxxxxxx>
- Subject: [FD] Blind SQL injections in CivicRM
- From: "Simon Waters (Surevine)" <simon.waters@xxxxxxxxxxxx>
- Date: Fri, 8 Apr 2016 18:17:15 +0100
CivicRM extends common CMS platforms (WordPress, Drupal) with a module to
manage Civic campaigns, tracking donors, amounts, and campaign CRM type
activity.
I tested the WordPress integration of CivicRM 4.7b3 which was found to have
blind SQL Injections that allow authenticated users to download arbitrary
database content.
The first was in the columns[0][data] parameter when querying a contact
relationship in the AJAX query.
http://192.168.56.101/wp-admin/admin.php?page=CiviCRM&q=civicrm/ajax/contactrelationships&context=current&cid=3&draw=1&columns[0][data]=relation%2c%28select*from%28select%28sleep%2820%29%29%29a%29&..
The actual code path in the PHP was rather convoluted.
The second was in the subType parameter when performing.
http://192.168.56.101/wp-admin/admin.php?page=CiviCRM&q=civicrm%2Fcustom&type=Campaign&subType=3%25%27OR+1%3D1+OR+civicrm_custom_group.extends_entity_column_value%3D%27&entityID=1&cgcount=1&snippet=json
<http://192.168.56.101/wp-admin/admin.php?page=CiviCRM&q=civicrm/custom&type=Campaign&subType=3%'OR+1=1+OR+civicrm_custom_group.extends_entity_column_value='&entityID=1&cgcount=1&snippet=json>
The ease of detection and exploitation of this later issue varies depending
whether custom fields exist.
These issues were notified to CivicRM project on 2015-12-21
A reminder was sent 2016-02-05
No recent correspondence has been received on the matter.
CivicRM have recently performed a security release, there is no indication in
the release notes or bug tracking tool as to whether these issues have been
addressed or not.
Both injections allow authenticated users to download arbitrary database
content (typically this is the same database as the CMS), this may include low
privileged WordPress users such as “author”.
Users of CivicRM may want to ensure only trusted users are permitted access to
the relevant CMS as role based restrictions will not correctly control access
to sensitive data, or deploy WAF like measures (mod-security etc) to further
mitigate any risk.
The issues were identified using Burp-Suite Pro.
The first of these issues can be automatically exploited by SQLmap, so the
skill needed to perform the exploit is minimal.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/