Message-Id: <292C19F1-A851-42B8-94E6-2C67AEA3D2BD@wearesegment.com>
Date: Mon, 8 Feb 2016 09:55:38 +0100
From: Filippo Cavallarin <filippo.cavallarin@...resegment.com>
To: bugtraq@...urityfocus.com
Subject: Symphony CMS multiple vulnerabilities

Advisory ID: SGMA-16002
Title: Symphony CMS multiple vulnerabilities
Product: Symphony CMS
Version: 2.6.5 and probably prior
Vendor: www.getsymphony.com
Vulnerability type:	SQL-injection, Unrestricted File Upload
Risk level:	4 / 5
Credit:	filippo.cavallarin@...resegment.com
CVE: N/A
Vendor notification: 2016-02-02
Vendor fix: 2016-02-05
Public disclosure: 2016-02-08


Details

Symphony CMS suffers from multiple vulnerabilities:

- SQL Injection

The contentAjaxQuery class suffers from a SQL injection vulnerability because the request
parameter "query" is used to build a SQL query without being properly sanitized.
In order to exploit this issue, an attacker must be logged into the application as a
non-privileged user.
The following proof-of-concept demonstrates this issue by listing users' credentials:

http://symphony-cms.local/symphony/ajax/query/?field_id=1&query=%27%20union%20select%20username,password,1,2%20from%20sym_authors%20--%20a&types=entry&limit=3000


- Unrestricted file upload

Symphony CMS suffers from an Unrestricted File Upload vulnerability that leads to remote
code execution in the context of the web server.
It is possible for a non-privileged user to upload a .php file into the webroot and
execute arbitrary PHP code.
In order to exploit this issue, an attacker must be logged into the application as
a non-privileged user and at least one "section" with a file upload field must exist.
To reproduce the issue, follow the steps below:

1. As an admin create a Section with a File Upload field
2. Log in as an author and create a new entry with the newly created section
3. Upload a .php file (e.g. tmp.php) and load it with the browser



Solution

Upgrade to Symphony CMS version 2.6.6
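
For installations that were reachable before the upgrade, the web server access log can be checked for requests matching the SQL injection described above. The following Python script is an added example, not part of the original advisory or of Symphony CMS; it assumes an Apache/nginx "combined" access log, and its function names and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

ENDPOINT = "/symphony/ajax/query"  # path from the advisory's proof-of-concept URL
# Assumption: Apache/nginx "combined" access log format.
REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Heuristic: SQL syntax in a value that should be a plain search term.
# A lone quote can be a legitimate search (O'Brien), so hits need review.
SQL_MARKERS = re.compile(r"'|\"|--|/\*|;|\bunion\b.*\bselect\b", re.I | re.S)

def fully_decode(value, rounds=3):
    """Undo nested URL-encoding (bounded) so %2527 is seen as a quote."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(lines):
    """Return requests to the AJAX query endpoint whose 'query' looks like SQL."""
    hits = []
    for line in lines:
        m = REQUEST_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if not url.path.rstrip("/").endswith(ENDPOINT):
            continue
        for raw in parse_qs(url.query, keep_blank_values=True).get("query", []):
            value = fully_decode(raw)
            if SQL_MARKERS.search(value):
                hits.append({"ip": m["ip"], "time": m["ts"],
                             "status": int(m["status"]), "query": value})
    return hits

# Constructed sample log lines (not real traffic); the first reuses the advisory's PoC query.
SAMPLE_LOG = [
    '192.0.2.10 - - [08/Feb/2016:10:01:02 +0100] "GET /symphony/ajax/query/?field_id=1&query=%27%20union%20select%20username,password,1,2%20from%20sym_authors%20--%20a&types=entry&limit=3000 HTTP/1.1" 200 512 "-" "curl/7.47"',
    '192.0.2.11 - - [08/Feb/2016:10:02:00 +0100] "GET /symphony/ajax/query/?field_id=1&query=news&types=entry HTTP/1.1" 200 120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [08/Feb/2016:10:03:00 +0100] "GET /symphony/ajax/query/?field_id=1&query=%2527%2520or%25201%253D1&types=entry HTTP/1.1" 200 130 "-" "Mozilla/5.0"',
    '192.0.2.12 - - [08/Feb/2016:10:04:00 +0100] "GET /search/?query=%27x HTTP/1.1" 200 90 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_LOG):
        print(hit)
```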

