----------------------------------------------------------- Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability ----------------------------------------------------------- [-] Software Link: https://www.concrete5.org/ [-] Affected Versions: Version 5.7.3.1, 5.7.4, and probably other versions. [-] Vulnerability Description: The vulnerable code is located in /concrete/src/Permission/Access/Access.php: 168. protected function buildAssignmentFilterString($accessType, $filterEntities) 169. { 170. $peIDs = ''; 171. $filters = array(); 172. if (count($filterEntities) > 0) { 173. foreach ($filterEntities as $ent) { 174. $filters[] = $ent->getAccessEntityID(); 175. } 176. $peIDs .= 'and peID in (' . implode($filters, ',') . ')'; 177. } 178. if ($accessType == 0) { 179. $accessType = ''; 180. } else { 181. $accessType = ' and accessType = ' . $accessType; 182. } The Access::buildAssignmentFilterString() method uses its $accessType parameter to construct a SQL query without a proper validation at line 181. This can be exploited to inject and execute arbitrary SQL commands. Successful exploitation of this vulnerability requires an account with privileges to edit page permissions. [-] Solution: Update to version 5.7.4.1 or later. [-] Disclosure Timeline: [05/05/2015] - Vulnerability details sent through HackerOne [12/05/2015] - Vendor said a patch has been committed and will be available in the next version [12/05/2015] - Version 5.7.4.1 released along with the patch for this vulnerability [11/06/2015] - Vulnerability publicly disclosed on HackerOne [11/06/2014] - CVE number requested [11/06/2014] - Publication of this advisory [-] CVE Reference: The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a name to this vulnerability yet. [-] Credits: Vulnerability discovered by Egidio Romano of Minded Security. [-] Original Advisory: http://karmainsecurity.com/KIS-2015-03 [-] Other References: https://hackerone.com/reports/59664