Message-Id: <6EC8131D-5A53-4DC6-BAAD-0AB938FADEE7@gmail.com>
Date: Tue, 1 Nov 2016 10:05:49 -0500
From: Brandon Perry <bperry.volatile@...il.com>
To: Elar Lang <elarlang@...il.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Multiple SQL injection vulnerabilities in dotCMS (8x CVE)
> On Oct 31, 2016, at 2:41 PM, Elar Lang <elarlang@...il.com> wrote:
>
> Title: Multiple SQL injection vulnerabilities in dotCMS (8x CVE)
> Credit: Elar Lang / https://security.elarlang.eu
> Vendor/Product: dotCMS (http://dotcms.com/)
> Vulnerability: SQL injection
> Vulnerable version: before 3.5; 3.3.1 and 3.3.2 (depends on CVE)
> CVE: CVE-2016-8902, CVE-2016-8903, CVE-2016-8904, CVE-2016-8905,
> CVE-2016-8906, CVE-2016-8907, CVE-2016-8908, CVE-2016-4040
>
>
> # Multiple SQL injections in dotCMS framework.
>
>
> ## CVE-2016-8902 - categoriesServlet, sort
>
I am having trouble reproducing this one on 3.3 and 3.2.4. As an unauthenticated user on a clean install of dotCMS, I perform this request.
GET /categoriesServlet?start=0&count=10&sort=asc HTTP/1.1
Host: 10.211.55.37:8080
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Cookie: dmid=47c0772e-83aa-4741-aec6-c9cefa7155c8; JSESSIONID=8EC35440A01B976EA9A6F02D6FB6886F
Accept-Encoding: gzip, deflate
Connection: keep-alive
Upgrade-Insecure-Requests: 1
In your blog post, you note JSON is supposed to be returned, but that doesn’t happen. The response I get is a simple 200.
HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
SET-COOKIE: dmid=47c0772e-83aa-4741-aec6-c9cefa7155c8;Path=/
SET-COOKIE: JSESSIONID=8EC35440A01B976EA9A6F02D6FB6886F;Path=/
Cache-Control: public, no-store, no-cache, max-age=0
Pragma: no-cache
Expires: Tue, 01 Nov 2016 14:55:34 GMT
Content-Type: text/plain;charset=utf-8
Content-Length: 0
Date: Tue, 01 Nov 2016 14:55:34 GMT
What versions exactly did you test against to reproduce this and what was the setup?
I am also curious why a UNION doesn’t work (mentioned in blog post) if you dug into that.
Thanks!
> SQL injection vulnerability in the categoriesServlet in dotCMS before
> 3.3.1 allows remote not authenticated attackers to execute arbitrary
> SQL commands via the sort parameter.
>
> Preconditions: None. No authentication needed.
>
> Proof-of-Concept URL, vulnerable parameter is "sort":
> /categoriesServlet?start=0&count=10&sort=SQLi
>
>
> ## CVE-2016-8903 - "Templates pages", _EXT_13_orderby
>
> SQL injection vulnerability in the "Site Browser > Templates pages"
> screen in dotCMS before 3.3.1 allows remote authenticated attackers to
> execute arbitrary SQL commands via the _EXT_13_orderby parameter.
>
> Preconditions: attacker must be authenticated.
>
> Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Templates
> pages", click on some column title in the resultset table):
> /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_13&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_13_struts_action=%2Fext%2Ftemplates%2Fview_templates&_EXT_13_pageNumber=1&_EXT_13_orderby=SQLi
>
>
> ## CVE-2016-8904 - "Containers pages", _EXT_12_orderby
>
> SQL injection vulnerability in the "Site Browser > Containers pages"
> screen in dotCMS before 3.3.1 allows remote authenticated attackers to
> execute arbitrary SQL commands via the _EXT_12_orderby parameter.
>
> Preconditions: attacker must be authenticated.
>
> Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Containers
> pages", click on some column title in the resultset table):
> /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_12&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_12_struts_action=%2Fext%2Fcontainers%2Fview_containers&_EXT_12_pageNumber=1&_EXT_12_orderby=SQLi
>
>
> ## CVE-2016-8905 - JSONTags servlet, sort
>
> SQL injection vulnerability in the JSONTags servlet in dotCMS before
> 3.3.1 allows remote authenticated attackers to execute arbitrary SQL
> commands via the sort parameter.
>
> Preconditions: attacker must be authenticated.
>
> Proof-of-Concept
> /JSONTags?start=0&count=10&sort=tagname SQLi
>
>
> ## CVE-2016-8906 - "Links pages", _EXT_18_orderby
>
> SQL injection vulnerability in the "Site Browser > Links page" screen
> in dotCMS before 3.3.1 allows remote authenticated attackers to
> execute arbitrary SQL commands via the _EXT_18_orderby parameter.
>
> Preconditions: attacker must be authenticated.
>
> Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Links
> pages", click on some column title in the resultset table):
> /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_18&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_18_struts_action=%2Fext%2Flinks%2Fview_links&_EXT_18_pageNumber=1&_EXT_18_orderby=SQLi
>
>
> ## CVE-2016-8907 - "Content Types", _EXT_STRUCTURE_orderBy and
> _EXT_STRUCTURE_direction
>
> SQL injection vulnerability in the "Content Types > Content Types"
> screen in dotCMS before 3.3.1 allows remote authenticated attackers to
> execute arbitrary SQL commands via the _EXT_STRUCTURE_orderBy and
> _EXT_STRUCTURE_direction parameters.
>
> Preconditions: attacker must be authenticated.
>
> Proof-of-Concept URL (from "Admin Site" UI: "Content Types > Content
> Types", click on some column title in the resultset table)
> /c/portal/layout?p_l_id=56fedb43-dbbf-4ce2-8b77-41fb73bad015&p_p_id=EXT_STRUCTURE&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_STRUCTURE_struts_action=%2Fext%2Fstructure%2Fview_structure&_EXT_STRUCTURE_orderBy=SQLi&_EXT_STRUCTURE_direction=SQLi
>
>
> ## CVE-2016-8908 - "HTML pages", _EXT_15_orderby
>
> SQL injection vulnerability in the "Site Browser > HTML pages" screen
> in dotCMS before 3.3.1 allows remote authenticated attackers to
> execute arbitrary SQL commands via the _EXT_15_orderby parameter.
>
> Preconditions: attacker must be authenticated.
>
> Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > HTML
> pages", click on some column title in the resultset table):
> /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_15&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_15_struts_action=%2Fext%2Fhtmlpages%2Fview_htmlpages&_EXT_15_orderby=modDate,SQLi&_EXT_15_pageNumber=1
>
>
> ## CVE-2016-4040 - "Workflow", _EXT_15_orderby
>
> SQL injection vulnerability in the "Workflow Screen" in dotCMS before
> 3.3.2 allows remote administrators to execute arbitrary SQL commands
> via the _EXT_15_orderby parameter.
>
> Preconditions: attacker must be authenticated.
>
> Proof-of-Concept URL (from "Admin Site" UI: "Home > Workflow tasks",
> click on some column title in the resultset table)
> /html/portlet/ext/workflows/view_tasks_list.jsp?schemeId=&assignedTo=&createdBy=&stepId=&open=false&closed=true&keywords=&orderBy=SQLi&count=1&page=1
>
>
> # Vulnerability Disclosure Timeline
>
> 2015-12-14 | me > dotCMS | 8 SQL injection vulnerabilities
> 2015-12-14 | dotCMS > me | they were planning fixes in upcoming
> release, estimated to beginning of 2016
> 2016-03-16 | dotCMS | dotCMS version 3.3.1 release (CVE-2016-4040
> still not fixed)
> 2016-04-07 | me > dotCMS | what is the situation with reported vulnerabilities?
> 2016-04-07 | dotCMS > me | CVE-2016-4040 will be fixed in 3.5, which
> is estimated to be out in mid-April
> 2016-04-19 | dotCMS | dotCMS version 3.5 release
> 2016-05-10 | dotCMS | dotCMS version 3.3.2 release
> 2016-10-31 | me | Full Disclosure on http://security.elarlang.eu
>
>
> # Related fixes and releases
> https://dotcms.com/docs/latest/change-log#release-3.3.1
> https://dotcms.com/docs/latest/change-log#release-3.5
> https://dotcms.com/docs/latest/change-log#release-3.3.2
>
> --
> Elar Lang
> Blog @ https://security.elarlang.eu
> Pentester, lecturer @ http://www.clarifiedsecurity.com
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/
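All eight advisories quoted above share one root cause: a client-supplied sort, orderby or direction value is spliced into the ORDER BY clause. As an added example that is not part of this thread or of dotCMS's own code, the Python/SQLite snippet below contrasts that concatenation with an allowlisted builder and feeds it the placeholder values from the advisory; the table, column and sort-key names are hypothetical.

```python
import sqlite3

# Allowlist: request-facing sort keys -> real column names (hypothetical names,
# modelled on the orderby/direction parameters in the advisory above).
SORT_COLUMNS = {"title": "title", "modDate": "mod_date", "tagname": "tag_name"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def unsafe_order_by(orderby: str, direction: str = "asc") -> str:
    # The pattern behind the reported bugs: raw input lands in the SQL text.
    return f"SELECT id, title FROM pages ORDER BY {orderby} {direction}"


def safe_order_by(orderby: str, direction: str = "asc") -> str:
    """Build ORDER BY only from allowlisted identifiers.

    Accepts a comma-separated list of sort keys (the HTML-pages screen sends
    e.g. "modDate,title"); any key or direction not in the allowlist raises,
    so nothing riding on the parameter ever reaches the database.
    """
    cols = []
    for key in orderby.split(","):
        key = key.strip()
        if key not in SORT_COLUMNS:
            raise ValueError(f"unsupported sort key: {key!r}")
        cols.append(SORT_COLUMNS[key])
    if direction.lower() not in DIRECTIONS:
        raise ValueError(f"unsupported direction: {direction!r}")
    return (f"SELECT id, title FROM pages ORDER BY {', '.join(cols)} "
            f"{DIRECTIONS[direction.lower()]}")


def run(sql: str) -> list:
    # Constructed sample data in an in-memory SQLite table.
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE pages (id INTEGER, title TEXT, mod_date TEXT, tag_name TEXT)")
    con.executemany("INSERT INTO pages VALUES (?, ?, ?, ?)", [
        (1, "home", "2016-03-16", "site"),
        (2, "about", "2016-05-10", "info"),
        (3, "news", "2016-04-19", "site"),
    ])
    return con.execute(sql).fetchall()


def rejected(orderby: str, direction: str = "asc") -> bool:
    """True if the allowlisted builder refuses the parameter value."""
    try:
        safe_order_by(orderby, direction)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(run(safe_order_by("modDate", "desc")))  # newest first
    for bad in ("modDate,SQLi", "tagname SQLi", "SQLi"):
        print(bad, "->", "rejected" if rejected(bad) else "accepted")
```

The unsafe builder accepts the same three placeholder values unchanged, which is exactly what the advisory's "sort=SQLi" PoC URLs exercise.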