Symphony CMS 2.6.5 SQL Injection / File Upload
Posted on 10 February 2016
Advisory ID: SGMA-16002
Title: Symphony CMS multiple vulnerabilities
Product: Symphony CMS
Version: 2.6.5 and probably prior
Vendor: www.getsymphony.com
Vulnerability type: SQL Injection, Unrestricted File Upload
Risk level: 4 / 5
Credit: filippo.cavallarin@wearesegment.com
CVE: N/A
Vendor notification: 2016-02-02
Vendor fix: 2016-02-05
Public disclosure: 2016-02-08

Details

Symphony CMS suffers from multiple vulnerabilities:

- SQL Injection

The contentAjaxQuery class suffers from a SQL injection vulnerability because the request parameter "query" is used to build a SQL query without being properly sanitized. In order to exploit this issue, an attacker must be logged into the application as a non-privileged user.

The following proof-of-concept demonstrates this issue by listing users' credentials:

http://symphony-cms.local/symphony/ajax/query/?field_id=1&query=%27%20union%20select%20username,password,1,2%20from%20sym_authors%20--%20a&types=entry&limit=3000

- Unrestricted file upload

Symphony CMS suffers from an unrestricted file upload vulnerability that leads to remote code execution in the context of the web server. It is possible for a non-privileged user to upload a .php file into the webroot and execute arbitrary PHP code. In order to exploit this issue, an attacker must be logged into the application as a non-privileged user, and at least one "section" with a File Upload field must exist.

To reproduce the issue, follow the steps below:

1. As an admin, create a Section with a File Upload field
2. Log in as an author and create a new entry in the newly created section
3. Upload a .php file (e.g. tmp.php) and load it with the browser

Solution

Upgrade to Symphony CMS version 2.6.6
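The two checks below are an added example written for this page; they are not part of the advisory and not Symphony CMS code. The first scans web-server access log lines for requests to the /symphony/ajax/query/ endpoint whose "query" parameter has the shape of the proof-of-concept above (quote breakout, UNION SELECT, SQL comment, reads of sym_* tables), which is what a detection engineer would want while the upgrade to 2.6.6 is rolled out. The second is an allowlist check on the client-supplied filename of a File Upload field, rejecting server-side extensions anywhere in the name so that tmp.php or tmp.php.jpg never reach the webroot. The log lines are constructed, the allowed extensions are an assumption, and the endpoint path and parameter name are the ones the advisory gives.

```python
"""Defender-side checks for the two issues in advisory SGMA-16002.

Added example; not advisory or Symphony CMS code. The endpoint path and the
"query" parameter name come from the advisory. The sample log lines are
constructed, and the upload allowlist is an illustrative assumption.
"""
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Endpoint named in the advisory (the contentAjaxQuery handler).
AJAX_QUERY_PATH = "/symphony/ajax/query/"

# Patterns that mark the "query" value as a SQL probe rather than a search
# term. They cover the PoC's shape, not every injection form; treat hits as
# triage signals, not as proof of compromise.
SQLI_PATTERNS = [
    re.compile(r"(?i)\bunion\b\s+(all\s+)?select\b"),
    re.compile(r"['\"]\s*(--|#|/\*)"),        # quote followed by a SQL comment
    re.compile(r"(?i)\bfrom\s+sym_\w+"),      # direct reads of Symphony tables
]

# Request line of a combined-format access log entry.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def suspicious_query_requests(log_lines):
    """Return (decoded_query, http_status) for every request to the ajax
    query endpoint whose 'query' parameter matches a SQL-probe pattern."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != AJAX_QUERY_PATH:
            continue
        for raw in parse_qs(parts.query).get("query", []):
            # parse_qs already percent-decodes once; a second pass also
            # uncovers double-encoded probes.
            decoded = unquote_plus(raw)
            if any(p.search(decoded) for p in SQLI_PATTERNS):
                hits.append((decoded, int(m.group("status"))))
    return hits


# Assumed allowlist for a File Upload field (the advisory shows no config).
ALLOWED_UPLOAD_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}
# Suffixes that a typical PHP web server hands to the interpreter.
SERVER_SIDE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}


def upload_filename_allowed(filename):
    """Allowlist check on a client-supplied upload name.

    The final extension must be in the allowlist and no part of the name may
    be a server-side extension, so tmp.php, tmp.php.jpg and shell.phtml are
    all rejected. This complements, and does not replace, storing uploads
    outside the webroot or disabling script execution in the upload dir.
    """
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # drop any path
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension at all, or a dotfile such as .htaccess
    if any(p in SERVER_SIDE_EXTENSIONS for p in parts[1:]):
        return False
    return parts[-1] in ALLOWED_UPLOAD_EXTENSIONS


# Constructed log lines: one benign search, one PoC-shaped probe, one unrelated.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Feb/2016:10:00:01 +0000] "GET /symphony/ajax/query/'
    '?field_id=1&query=hello&types=entry&limit=10 HTTP/1.1" 200 512',
    '10.0.0.9 - - [08/Feb/2016:10:00:07 +0000] "GET /symphony/ajax/query/'
    '?field_id=1&query=%27%20union%20select%20username,password,1,2%20from'
    '%20sym_authors%20--%20a&types=entry&limit=3000 HTTP/1.1" 200 8192',
    '10.0.0.9 - - [08/Feb/2016:10:00:09 +0000] "GET /symphony/ HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for query, status in suspicious_query_requests(SAMPLE_LOG):
        print(f"SQL probe on {AJAX_QUERY_PATH} (HTTP {status}): {query}")
    for fname in ["photo.jpg", "tmp.php", "tmp.php.jpg", "my.photo.jpg"]:
        print(f"{fname}: {'allowed' if upload_filename_allowed(fname) else 'rejected'}")
```

Run against a real access log, only the probe line is reported, with its decoded query and the response status (a 200 with a large body on the endpoint is the signal worth escalating). The filename check deliberately rejects any server-side suffix anywhere in the name rather than only at the end, because a web server configured to match extensions in the middle of a name would otherwise execute tmp.php.jpg.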