Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Blind SQL injections in CivicRM

From: "Simon Waters \(Surevine\)" <simon.waters () surevine com>
Date: Mon, 11 Apr 2016 08:59:13 +0100
CivicRM extends common CMS platforms (WordPress, Drupal) with a module to manage Civic campaigns, tracking donors, 
amounts, and campaign CRM type activity.

I tested the WordPress integration of CivicRM 4.7b3 which was found to have blind SQL Injections that allow 
authenticated users to download arbitrary database content.


The first was in the columns[0][data] parameter when querying a contact relationship in the AJAX query.

http://192.168.56.101/wp-admin/admin.php?page=CiviCRM&q=civicrm/ajax/contactrelationships&context=current&cid=3&draw=1&columns[0][data]=relation%2c%28select*from%28select%28sleep%2820%29%29%29a%29&;..

The actual code path in the PHP was rather convoluted.


The second was in the subType parameter when performing.

http://192.168.56.101/wp-admin/admin.php?page=CiviCRM&q=civicrm%2Fcustom&type=Campaign&subType=3%25%27OR+1%3D1+OR+civicrm_custom_group.extends_entity_column_value%3D%27&entityID=1&cgcount=1&snippet=json

The ease of detection and exploitation of this later issue varies depending whether custom fields exist.


These issues were notified to CivicRM project on 2015-12-21

A reminder was sent 2016-02-05

No recent correspondence has been received on the matter. 

CivicRM have recently performed a security release, there is no indication in the release notes or bug tracking tool as 
to whether these issues have been addressed or not.



Both injections allow authenticated users to download arbitrary database content (typically this is the same database 
as the CMS), this may include low privileged WordPress users such as “author”.

Users of CivicRM may want to ensure only trusted users are permitted access to the relevant CMS as role based 
restrictions will not correctly control access to sensitive data, or deploy WAF like measures (mod-security etc) to 
further mitigate any risk.


The issues were identified using Burp-Suite Pro. 

The first of these issues can be automatically exploited by SQLmap, so the skill needed to perform the exploit is 
minimal.
Previous By Date Next
Previous By Thread Next

Current thread: