lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 8 Apr 2016 18:17:15 +0100
From: "Simon Waters (Surevine)" <simon.waters@...evine.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
 "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] Blind SQL injections in CivicRM

CivicRM extends common CMS platforms (WordPress, Drupal) with a module to manage Civic campaigns, tracking donors, amounts, and campaign CRM type activity.

I tested the WordPress integration of CivicRM 4.7b3 which was found to have blind SQL Injections that allow authenticated users to download arbitrary database content.


The first was in the columns[0][data] parameter when querying a contact relationship in the AJAX query.

http://192.168.56.101/wp-admin/admin.php?page=CiviCRM&q=civicrm/ajax/contactrelationships&context=current&cid=3&draw=1&columns[0][data]=relation%2c%28select*from%28select%28sleep%2820%29%29%29a%29&..

The actual code path in the PHP was rather convoluted.


The second was in the subType parameter when performing.

http://192.168.56.101/wp-admin/admin.php?page=CiviCRM&q=civicrm%2Fcustom&type=Campaign&subType=3%25%27OR+1%3D1+OR+civicrm_custom_group.extends_entity_column_value%3D%27&entityID=1&cgcount=1&snippet=json <http://192.168.56.101/wp-admin/admin.php?page=CiviCRM&q=civicrm/custom&type=Campaign&subType=3%'OR+1=1+OR+civicrm_custom_group.extends_entity_column_value='&entityID=1&cgcount=1&snippet=json>

The ease of detection and exploitation of this later issue varies depending whether custom fields exist.


These issues were notified to CivicRM project on 2015-12-21

A reminder was sent 2016-02-05

No recent correspondence has been received on the matter. 

CivicRM have recently performed a security release, there is no indication in the release notes or bug tracking tool as to whether these issues have been addressed or not.



Both injections allow authenticated users to download arbitrary database content (typically this is the same database as the CMS), this may include low privileged WordPress users such as “author”.

Users of CivicRM may want to ensure only trusted users are permitted access to the relevant CMS as role based restrictions will not correctly control access to sensitive data, or deploy WAF like measures (mod-security etc) to further mitigate any risk.


The issues were identified using Burp-Suite Pro. 

The first of these issues can be automatically exploited by SQLmap, so the skill needed to perform the exploit is minimal.


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ