BugTraq
Symphony CMS multiple vulnerabilities Feb 08 2016 08:55AM
Filippo Cavallarin (filippo cavallarin wearesegment com)
Advisory ID: SGMA-16002
Title: Symphony CMS multiple vulnerabilities
Product: Symphony CMS
Version: 2.6.5 and probably prior
Vendor: www.getsymphony.com
Vulnerability type: SQL injection, Unrestricted File Upload
Risk level: 4 / 5
Credit: filippo.cavallarin (at) wearesegment (dot) com
CVE: N/A
Vendor notification: 2016-02-02
Vendor fix: 2016-02-05
Public disclosure: 2016-02-08

Details

Symphony CMS suffers from multiple vulnerabilities:

- SQL Injection

The contentAjaxQuery class suffers from a SQL injection vulnerability because the request
parameter "query" is used to build a SQL query without being properly sanitized.
In order to exploit this issue, an attacker must be logged into the application as a
non-privileged user.
The following proof-of-concept demonstrates this issue by listing user credentials:

http://symphony-cms.local/symphony/ajax/query/?field_id=1&query=%27%20union%20select%20username,password,1,2%20from%20sym_authors%20--%20a&types=entry&limit=3000

- Unrestricted file upload

Symphony CMS suffers from an Unrestricted File Upload vulnerability that leads to remote
code execution in the context of the web server.
It is possible for a non-privileged user to upload a .php file into the webroot and
execute arbitrary PHP code.
In order to exploit this issue, an attacker must be logged into the application as
a non-privileged user, and at least one "section" with a file upload field must exist.
To reproduce the issue, follow the steps below:

1. As an admin, create a Section with a File Upload field
2. Log in as an author and create a new entry in the newly created section
3. Upload a .php file (e.g. tmp.php) and load it with the browser
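As an added illustration for defenders (not part of this advisory or of Symphony CMS), the following script flags both attack patterns described above in web server access logs: the contentAjaxQuery endpoint receiving a "query" parameter with SQL syntax, and a server-side script being fetched from the upload directory. The log lines are constructed, and the upload path /workspace/uploads/ is an assumption to be adjusted per installation.

```python
"""Detection of the two SGMA-16002 attack patterns in web-server access logs.
Added illustration, not part of the advisory; the log lines are constructed."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-style lines (not real traffic). Line 1 carries the
# advisory's proof-of-concept query string; line 4 fetches an uploaded .php file.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Feb/2016:08:55:01 +0000] "GET /symphony/ajax/query/?field_id=1&query=%27%20union%20select%20username,password,1,2%20from%20sym_authors%20--%20a&types=entry&limit=3000 HTTP/1.1" 200 5120
10.0.0.7 - - [08/Feb/2016:08:56:10 +0000] "GET /symphony/ajax/query/?field_id=1&query=hello&types=entry&limit=10 HTTP/1.1" 200 310
10.0.0.9 - - [08/Feb/2016:08:57:42 +0000] "GET /index.php?query=%27%20union%20select HTTP/1.1" 404 120
10.0.0.5 - - [08/Feb/2016:08:59:03 +0000] "GET /workspace/uploads/tmp.php HTTP/1.1" 200 42
"""

REQ_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
# A quote followed by a SQL operator/comment, or a UNION SELECT, in the decoded value.
SQLI_RE = re.compile(r"""['"]\s*(?:union\b|or\b|and\b|;|--)|\bunion\s+(?:all\s+)?select\b""", re.I)
AJAX_QUERY_PATH = "/symphony/ajax/query/"   # endpoint named in the advisory
UPLOAD_DIR = "/workspace/uploads/"          # assumed upload location; adjust per install
SCRIPT_EXTS = (".php", ".phtml", ".php3", ".php5", ".phar")

def parse_request(line):
    """Return ip, timestamp, path and decoded query parameters, or None if unparseable."""
    m = REQ_RE.match(line)
    if not m:
        return None
    ip, ts, target = m.groups()
    parts = urlsplit(target)
    return {"ip": ip, "ts": ts, "path": parts.path, "params": parse_qs(parts.query)}

def find_sqli_probes(log_text):
    """SQL-injection vector: suspicious 'query' parameter sent to contentAjaxQuery."""
    hits = []
    for req in map(parse_request, log_text.splitlines()):
        if req and req["path"].startswith(AJAX_QUERY_PATH):
            for value in req["params"].get("query", []):
                if SQLI_RE.search(value):
                    hits.append((req["ip"], req["ts"], value))
    return hits

def find_uploaded_scripts(log_text):
    """File-upload vector: a server-side script being fetched from the upload directory."""
    return [(r["ip"], r["ts"], r["path"]) for r in map(parse_request, log_text.splitlines())
            if r and r["path"].lower().startswith(UPLOAD_DIR)
            and r["path"].lower().endswith(SCRIPT_EXTS)]

if __name__ == "__main__":
    for hit in find_sqli_probes(SAMPLE_LOG) + find_uploaded_scripts(SAMPLE_LOG):
        print("ALERT", *hit)
```

A legitimate search term containing an apostrophe can trip the quote rule, so treat hits as leads to correlate with the author account and the response size rather than as proof on their own.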

Solution

Upgrade to Symphony CMS version 2.6.6

