Concrete5 5.7.4 SQL Injection

Concrete5 5.7.4 SQL Injection: Posted Jun 12, 2015; Authored by EgiX; Concrete5 versions 5.7.4 and below suffer from a remote SQL injection vulnerability.; tags | exploit, remote, sql injection; SHA-256 | 09135e38d13882eebea77629d624025c3928967909de59178c537978dfc7e7ac; Download | Favorite | View

Concrete5 5.7.4 SQL Injection

-----------------------------------------------------------
Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability
-----------------------------------------------------------


[-] Software Link:

https://www.concrete5.org/


[-] Affected Versions:

Version 5.7.3.1, 5.7.4, and probably other versions.


[-] Vulnerability Description:

The vulnerable code is located in /concrete/src/Permission/Access/Access.php:

168.  protected function buildAssignmentFilterString($accessType, $filterEntities)
169.  {
170.      $peIDs = '';
171.      $filters = array();
172.      if (count($filterEntities) > 0) {
173.          foreach ($filterEntities as $ent) {
174.              $filters[] = $ent->getAccessEntityID();
175.          }
176.          $peIDs .= 'and peID in (' . implode($filters, ',') . ')';
177.      }
178.      if ($accessType == 0) {
179.          $accessType = '';
180.      } else {
181.          $accessType = ' and accessType = ' . $accessType;
182.      }

The Access::buildAssignmentFilterString() method uses its $accessType parameter to construct a SQL query
without a proper validation at line 181. This can be exploited to inject and execute arbitrary SQL commands.
Successful exploitation of this vulnerability requires an account with privileges to edit page permissions.


[-] Solution:

Update to version 5.7.4.1 or later.


[-] Disclosure Timeline:

[05/05/2015] - Vulnerability details sent through HackerOne
[12/05/2015] - Vendor said a patch has been committed and will be available in the next version
[12/05/2015] - Version 5.7.4.1 released along with the patch for this vulnerability
[11/06/2015] - Vulnerability publicly disclosed on HackerOne
[11/06/2014] - CVE number requested
[11/06/2014] - Publication of this advisory


[-] CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a name to this vulnerability yet.


[-] Credits:

Vulnerability discovered by Egidio Romano of Minded Security.


[-] Original Advisory:

http://karmainsecurity.com/KIS-2015-03


[-] Other References:

https://hackerone.com/reports/59664

Top Authors In Last 30 Days

Red Hat 259 files
Ubuntu 85 files
Gentoo 29 files
indoushka 26 files
Debian 11 files
Sina Kheirkhah 7 files
tmrswrr 7 files
Rodolfo Tavares 4 files
S. Dietz 2 files
Google Security Research 2 files

File Archives

Systems

AIX (429)
Apple (2,090)
BSD (377)
CentOS (58)
Cisco (1,927)
Debian (7,082)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,534)
HPUX (880)
iOS (376)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (50,527)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (489)
RedHat (16,402)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,689)
UNIX (9,431)
UnixWare (187)
Windows (6,667)
Other

Concrete5 5.7.4 SQL Injection

Concrete5 5.7.4 SQL Injection

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Concrete5 5.7.4 SQL Injection

Share This

Concrete5 5.7.4 SQL Injection

File Archive:

July 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems