exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

dotCMS SQL Injection

dotCMS SQL Injection
Posted Feb 13, 2018
Authored by Elar Lang

dotCMS versions prior to 4.1.1 suffer from remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
advisories | CVE-2016-10007, CVE-2016-10008
SHA-256 | 2ef6211acd43254ff086ea4b5c0fc2e1e58d4c393813f4848d7027c88d8aaacd

dotCMS SQL Injection

Change Mirror Download
Title: Multiple SQL injection vulnerabilities in dotCMS (2x CVE)
Credit: Elar Lang / https://security.elarlang.eu
Vendor/Product: dotCMS (http://dotcms.com/)
Vulnerability: SQL injection
Vulnerable version: before 4.1.1. Theoretically would be fixed in
3.7.2 (not released yet)
CVE: CVE-2016-10007, CVE-2016-10008


# Multiple SQL injections in dotCMS framework.

I had already reported 8 SQL injection vulnerabilities to dotCMS and I
was curious as to how they fixed it.
With checking fixes I found 2 new vulnerabilites but for those I had
to bypass blacklist defence.


## CVE-2016-10007 - "Marketing" > Forms" page,
_EXT_FORM_HANDLER_orderBy parameter

An SQL injection vulnerability in the "Marketing > Forms" screen in
dotCMS before 3.7.2 (not released) and 4.1.1 allows remote
authenticated attackers to execute arbitrary SQL commands via the
_EXT_FORM_HANDLER_orderBy parameter.

Preconditions: the attacker must be authenticated and authorized as an
administrator.

Proof-of-Concept URL (from "Admin Site" UI: "Marketing > Forms", click
on some column title in the resultset table):
/c/portal/layout?p_l_id=89594b95-1354-4a63-8867-c922880107df&p_p_id=EXT_FORM_HANDLER&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_FORM_HANDLER_struts_action=%2Fext%2Fformhandler%2Fview_form&_EXT_FORM_HANDLER_orderBy=SQLi&_EXT_FORM_HANDLER_direction=asc

Proof-of-Concept values for parameter _EXT_FORM_HANDLER_orderBy.
Precondition for this example: there must be at least 2 different rows
in the resultset and ordering by name and description field should
give different ordering (if they don't, use some other field names)

-- boolean true - output is ordered by name field
_EXT_FORM_HANDLER_orderBy=case when 1=1 then name else description end

-- boolean false - output is ordered by descriotion field
_EXT_FORM_HANDLER_orderBy=case when 1=0 then name else description end



## CVE-2016-10008 - "Content Types > Content Types" page,
_EXT_STRUCTURE_direction parameter

An SQL injection vulnerability in the "Content Types > Content Types"
screen in dotCMS before 3.7.2 (not released) and 4.1.1 allows remote
authenticated attackers to execute arbitrary SQL commands via the
_EXT_STRUCTURE_direction parameter parameter.

Preconditions: the attacker must be authenticated and authorized as an
administrator.

Proof-of-Concept URL (from "Admin Site" UI: "Content Types > Content
Types", click on some column title in the resultset table):
demo.dotcms.com/c/portal/layout?p_l_id=56fedb43-dbbf-4ce2-8b77-41fb73bad015&p_p_id=EXT_STRUCTURE&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_STRUCTURE_struts_action=%2Fext%2Fstructure%2Fview_structure&_EXT_STRUCTURE_orderBy=velocity_var_name&_EXT_STRUCTURE_direction=SQLi


# Vulnerability Disclosure Timeline

2016-10-24 | me > dotCMS | SQLi Poc
2016-10-25 | dotCMS > me | Thanks for PoC

2016-12-19 | me > dotCMS | Informed CVE numbers, asked status for
reported issues.
2016-12-19 | dotCMS > me | Low priority, not planning fixing in next release
2016-12-19 | me > dotCMS | agreed with low priority (requires
authenticated user in administrator privileges)

2017-03-03 | me > dotCMS | I can see many new releases, is it fixed? [2]
2017-03-06 | dotCMS > me | No. Probably will be not addressed until
the project to refactor our admin interface is completed.

2017-06-16 | dotCMS | dotCMS version 4.1.1 release

2017-07-18 | me > dotCMS | As I need to publich CVEs at some point,
what is the status?
2017-07-21 | dotCMS > me | Fixes are available on 4.1.1. Would it be
possible to wait 3 to 4 weeks so we can release 3.7.2?

2017-10-10 | me > dotCMS | "3 to 4 weeks" passed, how it is going with 3.7.2?
2017-10-17 | dotCMS > me | "Thank you for your patience! Thank you for
your email! It prompted me to push the developer to finish getting
this release out the door. I will email you next week with an update."

This "next week" never arrived ;)

2018-02-11 | me | Full Disclosure on http://security.elarlang.eu


# Related fixes and releases
https://dotcms.com/docs/latest/change-log#release-4.1.1

# More detailed (inc some code review and blacklist bypass)
description is available in blog:
https://security.elarlang.eu/cve-2016-10007-and-cve-2016-10008-2-sql-injection-vulnerabilities-in-dotcms-blacklist-defence-bypass.html

--
Elar Lang
Blog @ https://security.elarlang.eu
Pentester, lecturer @ http://www.clarifiedsecurity.com


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close