Full Disclosure mailing list archives
Re: Multiple SQL injection vulnerabilities in dotCMS (8x CVE)
From: Brandon Perry <bperry.volatile () gmail com>
Date: Tue, 1 Nov 2016 10:05:49 -0500
On Oct 31, 2016, at 2:41 PM, Elar Lang <elarlang () gmail com> wrote: Title: Multiple SQL injection vulnerabilities in dotCMS (8x CVE) Credit: Elar Lang / https://security.elarlang.eu Vendor/Product: dotCMS (http://dotcms.com/) Vulnerability: SQL injection Vulnerable version: before 3.5; 3.3.1 and 3.3.2 (depends on CVE) CVE: CVE-2016-8902, CVE-2016-8903, CVE-2016-8904, CVE-2016-8905, CVE-2016-8906, CVE-2016-8907, CVE-2016-8908, CVE-2016-4040 # Multiple SQL injections in dotCMS framework. ## CVE-2016-8902 - categoriesServlet, sort
I am having trouble reproducing this one on 3.3 and 3.2.4. As an unauthenticated user on a clean install of dotCMS, I perform this request. GET /categoriesServlet?start=0&count=10&sort=asc HTTP/1.1 Host: 10.211.55.37:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: dmid=47c0772e-83aa-4741-aec6-c9cefa7155c8; JSESSIONID=8EC35440A01B976EA9A6F02D6FB6886F Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1 In you blog post, you note JSON is supposed to be returned, but that doesn’t happen. The response I get is a simple 200. HTTP/1.1 200 OK Server: Apache-Coyote/1.1 SET-COOKIE: dmid=47c0772e-83aa-4741-aec6-c9cefa7155c8;Path=/ SET-COOKIE: JSESSIONID=8EC35440A01B976EA9A6F02D6FB6886F;Path=/ Cache-Control: public, no-store, no-cache, max-age=0 Pragma: no-cache Expires: Tue, 01 Nov 2016 14:55:34 GMT Content-Type: text/plain;charset=utf-8 Content-Length: 0 Date: Tue, 01 Nov 2016 14:55:34 GMT What versions exactly did you test against to reproduce this and what was the setup? I am also curious why a UNION doesn’t work (mentioned in blog post) if you dug into that. Thanks!
SQL injection vulnerability in the categoriesServlet in dotCMS before 3.3.1 allows remote not authenticated attackers to execute arbitrary SQL commands via the sort parameter. Preconditions: None. No authentication needed. Proof-of-Concept URL, vulnerable parameter is "sort": /categoriesServlet?start=0&count=10&sort=SQLi ## CVE-2016-8903 - "Templates pages", _EXT_13_orderby SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_13_orderby parameter. Preconditions: attacker must be authenticated. Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Templates pages", click on some column title in the resultset table): /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_13&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_13_struts_action=%2Fext%2Ftemplates%2Fview_templates&_EXT_13_pageNumber=1&_EXT_13_orderby=SQLi ## CVE-2016-8904 - "Containers pages", _EXT_12_orderby SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_12_orderby parameter. Preconditions: attacker must be authenticated. Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Containers pages", click on some column title in the resultset table): /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_12&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_12_struts_action=%2Fext%2Fcontainers%2Fview_containers&_EXT_12_pageNumber=1&_EXT_12_orderby=SQLi ## CVE-2016-8905 - JSONTags servlet, sort SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter. Preconditions: attacker must be authenticated. Proof-of-Concept /JSONTags?start=0&count=10&sort=tagname SQLi ## CVE-2016-8906 - "Links pages", _EXT_18_orderby SQL injection vulnerability in the "Site Browser > Links page" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_18_orderby parameter. Preconditions: attacker must be authenticated. Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Links pages", click on some column title in the resultset table): /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_18&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_18_struts_action=%2Fext%2Flinks%2Fview_links&_EXT_18_pageNumber=1&_EXT_18_orderby=SQLi ## CVE-2016-8907 - "Content Types", _EXT_STRUCTURE_orderBy and _EXT_STRUCTURE_direction SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_STRUCTURE_orderBy and _EXT_STRUCTURE_direction parameters. Preconditions: attacker must be authenticated. Proof-of-Concept URL (from "Admin Site" UI: "Content Types > Content Types", click on some column title in the resultset table) /c/portal/layout?p_l_id=56fedb43-dbbf-4ce2-8b77-41fb73bad015&p_p_id=EXT_STRUCTURE&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_STRUCTURE_struts_action=%2Fext%2Fstructure%2Fview_structure&_EXT_STRUCTURE_orderBy=SQLi&_EXT_STRUCTURE_direction=SQLi ## CVE-2016-8908 - "HTML pages", _EXT_15_orderby SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_15_orderby parameter. Preconditions: attacker must be authenticated. Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > HTML pages", click on some column title in the resultset table): /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_15&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_15_struts_action=%2Fext%2Fhtmlpages%2Fview_htmlpages&_EXT_15_orderby=modDate,SQLi&_EXT_15_pageNumber=1 ## CVE-2016-4040 - "Workflow", _EXT_15_orderby SQL injection vulnerability in the "Workflow Screen" in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the _EXT_15_orderby parameter. Preconditions: attacker must be authenticated. Proof-of-Concept URL (from "Admin Site" UI: "Home > Workflow tasks", click on some column title in the resultset table) /html/portlet/ext/workflows/view_tasks_list.jsp?schemeId=&assignedTo=&createdBy=&stepId=&open=false&closed=true&keywords=&orderBy=SQLi&count=1&page=1 # Vulnerability Disclosure Timeline 2015-12-14 | me > dotCMS | 8 SQL injection vulnerabilities 2015-12-14 | dotCMS > me | they were planning fixes in upcoming release, estimated to beginning of 2016 2016-03-16 | dotCMS | dotCMS version 3.3.1 release (CVE-2016-4040 still not fixed) 2016-04-07 | me > dotCMS | what is the situation with reported vulnerabilities? 2016-04-07 | dotCMS > me | CVE-2016-4040 will be fixed in 3.5, which is estimated to be out in mid-April 2016-04-19 | dotCMS | dotCMS version 3.5 release 2016-05-10 | dotCMS | dotCMS version 3.3.2 release 2016-10-31 | me | Full Disclosure on http://security.elarlang.eu # Related fixes and releases https://dotcms.com/docs/latest/change-log#release-3.3.1 https://dotcms.com/docs/latest/change-log#release-3.5 https://dotcms.com/docs/latest/change-log#release-3.3.2 -- Elar Lang Blog @ https://security.elarlang.eu Pentester, lecturer @ http://www.clarifiedsecurity.com _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Attachment:
signature.asc
Description: Message signed with OpenPGP using GPGMail
_______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Multiple SQL injection vulnerabilities in dotCMS (8x CVE) Elar Lang (Nov 01)
- Re: Multiple SQL injection vulnerabilities in dotCMS (8x CVE) Brandon Perry (Nov 01)
- Re: Multiple SQL injection vulnerabilities in dotCMS (8x CVE) Elar Lang (Nov 02)
- Re: Multiple SQL injection vulnerabilities in dotCMS (8x CVE) Brandon Perry (Nov 01)