Title: Multiple SQL injection vulnerabilities in dotCMS (2x CVE) Credit: Elar Lang / https://security.elarlang.eu Vendor/Product: dotCMS (http://dotcms.com/) Vulnerability: SQL injection Vulnerable version: before 4.1.1. Theoretically would be fixed in 3.7.2 (not released yet) CVE: CVE-2016-10007, CVE-2016-10008 # Multiple SQL injections in dotCMS framework. I had already reported 8 SQL injection vulnerabilities to dotCMS and I was curious as to how they fixed it. With checking fixes I found 2 new vulnerabilites but for those I had to bypass blacklist defence. ## CVE-2016-10007 - "Marketing" > Forms" page, _EXT_FORM_HANDLER_orderBy parameter An SQL injection vulnerability in the "Marketing > Forms" screen in dotCMS before 3.7.2 (not released) and 4.1.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_FORM_HANDLER_orderBy parameter. Preconditions: the attacker must be authenticated and authorized as an administrator. Proof-of-Concept URL (from "Admin Site" UI: "Marketing > Forms", click on some column title in the resultset table): /c/portal/layout?p_l_id=89594b95-1354-4a63-8867-c922880107df&p_p_id=EXT_FORM_HANDLER&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_FORM_HANDLER_struts_action=%2Fext%2Fformhandler%2Fview_form&_EXT_FORM_HANDLER_orderBy=SQLi&_EXT_FORM_HANDLER_direction=asc Proof-of-Concept values for parameter _EXT_FORM_HANDLER_orderBy. Precondition for this example: there must be at least 2 different rows in the resultset and ordering by name and description field should give different ordering (if they don't, use some other field names) -- boolean true - output is ordered by name field _EXT_FORM_HANDLER_orderBy=case when 1=1 then name else description end -- boolean false - output is ordered by descriotion field _EXT_FORM_HANDLER_orderBy=case when 1=0 then name else description end ## CVE-2016-10008 - "Content Types > Content Types" page, _EXT_STRUCTURE_direction parameter An SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.7.2 (not released) and 4.1.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_STRUCTURE_direction parameter parameter. Preconditions: the attacker must be authenticated and authorized as an administrator. Proof-of-Concept URL (from "Admin Site" UI: "Content Types > Content Types", click on some column title in the resultset table): demo.dotcms.com/c/portal/layout?p_l_id=56fedb43-dbbf-4ce2-8b77-41fb73bad015&p_p_id=EXT_STRUCTURE&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_STRUCTURE_struts_action=%2Fext%2Fstructure%2Fview_structure&_EXT_STRUCTURE_orderBy=velocity_var_name&_EXT_STRUCTURE_direction=SQLi # Vulnerability Disclosure Timeline 2016-10-24 | me > dotCMS | SQLi Poc 2016-10-25 | dotCMS > me | Thanks for PoC 2016-12-19 | me > dotCMS | Informed CVE numbers, asked status for reported issues. 2016-12-19 | dotCMS > me | Low priority, not planning fixing in next release 2016-12-19 | me > dotCMS | agreed with low priority (requires authenticated user in administrator privileges) 2017-03-03 | me > dotCMS | I can see many new releases, is it fixed? [2] 2017-03-06 | dotCMS > me | No. Probably will be not addressed until the project to refactor our admin interface is completed. 2017-06-16 | dotCMS | dotCMS version 4.1.1 release 2017-07-18 | me > dotCMS | As I need to publich CVEs at some point, what is the status? 2017-07-21 | dotCMS > me | Fixes are available on 4.1.1. Would it be possible to wait 3 to 4 weeks so we can release 3.7.2? 2017-10-10 | me > dotCMS | "3 to 4 weeks" passed, how it is going with 3.7.2? 2017-10-17 | dotCMS > me | "Thank you for your patience! Thank you for your email! It prompted me to push the developer to finish getting this release out the door. I will email you next week with an update." This "next week" never arrived ;) 2018-02-11 | me | Full Disclosure on http://security.elarlang.eu # Related fixes and releases https://dotcms.com/docs/latest/change-log#release-4.1.1 # More detailed (inc some code review and blacklist bypass) description is available in blog: https://security.elarlang.eu/cve-2016-10007-and-cve-2016-10008-2-sql-injection-vulnerabilities-in-dotcms-blacklist-defence-bypass.html -- Elar Lang Blog @ https://security.elarlang.eu Pentester, lecturer @ http://www.clarifiedsecurity.com