| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 2 Nov 2016 09:52:41 +0200 From: Elar Lang <elarlang@...il.com> To: fulldisclosure@...lists.org Subject: Re: [FD] Multiple SQL injection vulnerabilities in dotCMS (8x CVE) On Tue, Nov 1, 2016 at 5:05 PM, Brandon Perry <bperry.volatile@...il.com> wrote: > >> On Oct 31, 2016, at 2:41 PM, Elar Lang <elarlang@...il.com> wrote: >> >> Title: Multiple SQL injection vulnerabilities in dotCMS (8x CVE) >> Credit: Elar Lang / https://security.elarlang.eu >> Vendor/Product: dotCMS (http://dotcms.com/) >> Vulnerability: SQL injection >> Vulnerable version: before 3.5; 3.3.1 and 3.3.2 (depends on CVE) >> CVE: CVE-2016-8902, CVE-2016-8903, CVE-2016-8904, CVE-2016-8905, >> CVE-2016-8906, CVE-2016-8907, CVE-2016-8908, CVE-2016-4040 >> >> >> # Multiple SQL injections in dotCMS framework. >> >> >> ## CVE-2016-8902 - categoriesServlet, sort >> > > I am having trouble reproducing this one on 3.3 and 3.2.4. As an unauthenticated user on a clean install of dotCMS, I perform this request. > > GET /categoriesServlet?start=0&count=10&sort=asc HTTP/1.1 > Host: 10.211.55.37:8080 > User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0 > Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 > Accept-Language: en-US,en;q=0.5 > Cookie: dmid=47c0772e-83aa-4741-aec6-c9cefa7155c8; JSESSIONID=8EC35440A01B976EA9A6F02D6FB6886F > Accept-Encoding: gzip, deflate > Connection: keep-alive > Upgrade-Insecure-Requests: 1 > > > In you blog post, you note JSON is supposed to be returned, but that doesn’t happen. The response I get is a simple 200. > > HTTP/1.1 200 OK > Server: Apache-Coyote/1.1 > SET-COOKIE: dmid=47c0772e-83aa-4741-aec6-c9cefa7155c8;Path=/ > SET-COOKIE: JSESSIONID=8EC35440A01B976EA9A6F02D6FB6886F;Path=/ > Cache-Control: public, no-store, no-cache, max-age=0 > Pragma: no-cache > Expires: Tue, 01 Nov 2016 14:55:34 GMT > Content-Type: text/plain;charset=utf-8 > Content-Length: 0 > Date: Tue, 01 Nov 2016 14:55:34 GMT > > > What versions exactly did you test against to reproduce this and what was the setup? > > I am also curious why a UNION doesn’t work (mentioned in blog post) if you dug into that. > > Thanks! > > Public response also: #1 I tested it during one pen-test case in December 2015. Exact version was 3.2.1. I haven't set up this environment myself. At the moment I used "Google Hacking" to find some dotCMS. Use search phrase inurl:/html/portal/login.jsp From login page you can see, what is the current version on this site, change path to /categoriesServlet and you probably can see the output like I described in my blog post. I saw described output from different versions, like 2.5.4, 3.2.1, 3.5, 3.6. From one site I also got an error - so, maybe there are some other pre-conditions which I don't know. If you can figure it out, share it with others also. #2 You can not use UNION after ORDER BY statement, this is the way how SQL works. And if you have vulnerability in order by or sort parameter, then your entrypoint is after ORDER BY statement Elar _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists