Full Disclosure mailing list archives
Re: Multiple SQL injection vulnerabilities in dotCMS (8x CVE)
From: Elar Lang <elarlang () gmail com>
Date: Wed, 2 Nov 2016 09:52:41 +0200
On Tue, Nov 1, 2016 at 5:05 PM, Brandon Perry <bperry.volatile () gmail com> wrote:
On Oct 31, 2016, at 2:41 PM, Elar Lang <elarlang () gmail com> wrote: Title: Multiple SQL injection vulnerabilities in dotCMS (8x CVE) Credit: Elar Lang / https://security.elarlang.eu Vendor/Product: dotCMS (http://dotcms.com/) Vulnerability: SQL injection Vulnerable version: before 3.5; 3.3.1 and 3.3.2 (depends on CVE) CVE: CVE-2016-8902, CVE-2016-8903, CVE-2016-8904, CVE-2016-8905, CVE-2016-8906, CVE-2016-8907, CVE-2016-8908, CVE-2016-4040 # Multiple SQL injections in dotCMS framework. ## CVE-2016-8902 - categoriesServlet, sortI am having trouble reproducing this one on 3.3 and 3.2.4. As an unauthenticated user on a clean install of dotCMS, I perform this request. GET /categoriesServlet?start=0&count=10&sort=asc HTTP/1.1 Host: 10.211.55.37:8080 User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv:49.0) Gecko/20100101 Firefox/49.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-US,en;q=0.5 Cookie: dmid=47c0772e-83aa-4741-aec6-c9cefa7155c8; JSESSIONID=8EC35440A01B976EA9A6F02D6FB6886F Accept-Encoding: gzip, deflate Connection: keep-alive Upgrade-Insecure-Requests: 1 In you blog post, you note JSON is supposed to be returned, but that doesn’t happen. The response I get is a simple 200. HTTP/1.1 200 OK Server: Apache-Coyote/1.1 SET-COOKIE: dmid=47c0772e-83aa-4741-aec6-c9cefa7155c8;Path=/ SET-COOKIE: JSESSIONID=8EC35440A01B976EA9A6F02D6FB6886F;Path=/ Cache-Control: public, no-store, no-cache, max-age=0 Pragma: no-cache Expires: Tue, 01 Nov 2016 14:55:34 GMT Content-Type: text/plain;charset=utf-8 Content-Length: 0 Date: Tue, 01 Nov 2016 14:55:34 GMT What versions exactly did you test against to reproduce this and what was the setup? I am also curious why a UNION doesn’t work (mentioned in blog post) if you dug into that. Thanks!
Public response also: #1 I tested it during one pen-test case in December 2015. Exact version was 3.2.1. I haven't set up this environment myself. At the moment I used "Google Hacking" to find some dotCMS. Use search phrase inurl:/html/portal/login.jsp From login page you can see, what is the current version on this site, change path to /categoriesServlet and you probably can see the output like I described in my blog post. I saw described output from different versions, like 2.5.4, 3.2.1, 3.5, 3.6. From one site I also got an error - so, maybe there are some other pre-conditions which I don't know. If you can figure it out, share it with others also. #2 You can not use UNION after ORDER BY statement, this is the way how SQL works. And if you have vulnerability in order by or sort parameter, then your entrypoint is after ORDER BY statement Elar _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- Multiple SQL injection vulnerabilities in dotCMS (8x CVE) Elar Lang (Nov 01)
- Re: Multiple SQL injection vulnerabilities in dotCMS (8x CVE) Brandon Perry (Nov 01)
- Re: Multiple SQL injection vulnerabilities in dotCMS (8x CVE) Elar Lang (Nov 02)
- Re: Multiple SQL injection vulnerabilities in dotCMS (8x CVE) Brandon Perry (Nov 01)