Re: Multiple SQL injection vulnerabilities in dotCMS (8x CVE)

[Elar Lang <elarlang () gmail com>]

On Tue, Nov 1, 2016 at 5:05 PM, Brandon Perry <bperry.volatile () gmail com> wrote:
> > On Oct 31, 2016, at 2:41 PM, Elar Lang <elarlang () gmail com> wrote:
> >
> > Title: Multiple SQL injection vulnerabilities in dotCMS (8x CVE)
> > Credit: Elar Lang / https://security.elarlang.eu
> > Vendor/Product: dotCMS (http://dotcms.com/)
> > Vulnerability: SQL injection
> > Vulnerable version: before 3.5; 3.3.1 and 3.3.2 (depends on CVE)
> > CVE: CVE-2016-8902, CVE-2016-8903, CVE-2016-8904, CVE-2016-8905,
> > CVE-2016-8906, CVE-2016-8907, CVE-2016-8908, CVE-2016-4040
> >
> >
> > # Multiple SQL injections in dotCMS framework.
> >
> >
> > ## CVE-2016-8902 - categoriesServlet, sort
>
> I am having trouble reproducing this one on 3.3 and 3.2.4. As an unauthenticated user on a clean install of dotCMS, I 
> perform this request.
>
> GET /categoriesServlet?start=0&count=10&sort=asc HTTP/1.1
> Host: 10.211.55.37:8080
> User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0
> Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
> Accept-Language: en-US,en;q=0.5
> Cookie: dmid=47c0772e-83aa-4741-aec6-c9cefa7155c8; JSESSIONID=8EC35440A01B976EA9A6F02D6FB6886F
> Accept-Encoding: gzip, deflate
> Connection: keep-alive
> Upgrade-Insecure-Requests: 1
>
>
> In you blog post, you note JSON is supposed to be returned, but that doesn’t happen. The response I get is a  simple 
> 200.
>
> HTTP/1.1 200 OK
> Server: Apache-Coyote/1.1
> SET-COOKIE: dmid=47c0772e-83aa-4741-aec6-c9cefa7155c8;Path=/
> SET-COOKIE: JSESSIONID=8EC35440A01B976EA9A6F02D6FB6886F;Path=/
> Cache-Control: public, no-store, no-cache, max-age=0
> Pragma: no-cache
> Expires: Tue, 01 Nov 2016 14:55:34 GMT
> Content-Type: text/plain;charset=utf-8
> Content-Length: 0
> Date: Tue, 01 Nov 2016 14:55:34 GMT
>
>
> What versions exactly did you test against to reproduce this and what was the setup?
>
> I am also curious why a UNION doesn’t work (mentioned in blog post) if you dug into that.
>
> Thanks!
Public response also:

#1 I tested it during one pen-test case in December 2015. Exact
version was 3.2.1. I haven't set up this environment myself.

At the moment I used "Google Hacking" to find some dotCMS.
Use search phrase inurl:/html/portal/login.jsp

From login page you can see, what is the current version on this site,
change path to /categoriesServlet and you probably can see the output
like I described in my blog post. I saw described output from
different versions, like 2.5.4, 3.2.1, 3.5, 3.6.

From one site I also got an error - so, maybe there are some other
pre-conditions which I don't know. If you can figure it out, share it
with others also.


#2 You can not use UNION after ORDER BY statement, this is the way how
SQL works. And if you have vulnerability in order by or sort
parameter, then your entrypoint is after ORDER BY statement


Elar

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/