Home / os / winmobile

dotCMS 3.x SQL Injection

Posted on 02 November 2016

Title: Multiple SQL injection vulnerabilities in dotCMS (8x CVE) Credit: Elar Lang / https://security.elarlang.eu Vendor/Product: dotCMS (http://dotcms.com/) Vulnerability: SQL injection Vulnerable version: before 3.5; 3.3.1 and 3.3.2 (depends on CVE) CVE: CVE-2016-8902, CVE-2016-8903, CVE-2016-8904, CVE-2016-8905, CVE-2016-8906, CVE-2016-8907, CVE-2016-8908, CVE-2016-4040 # Multiple SQL injections in dotCMS framework. ## CVE-2016-8902 - categoriesServlet, sort SQL injection vulnerability in the categoriesServlet in dotCMS before 3.3.1 allows remote not authenticated attackers to execute arbitrary SQL commands via the sort parameter. Preconditions: None. No authentication needed. Proof-of-Concept URL, vulnerable parameter is "sort": /categoriesServlet?start=0&count=10&sort=SQLi ## CVE-2016-8903 - "Templates pages", _EXT_13_orderby SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_13_orderby parameter. Preconditions: attacker must be authenticated. Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Templates pages", click on some column title in the resultset table): /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_13&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_13_struts_action=%2Fext%2Ftemplates%2Fview_templates&_EXT_13_pageNumber=1&_EXT_13_orderby=SQLi ## CVE-2016-8904 - "Containers pages", _EXT_12_orderby SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_12_orderby parameter. Preconditions: attacker must be authenticated. Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Containers pages", click on some column title in the resultset table): /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_12&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_12_struts_action=%2Fext%2Fcontainers%2Fview_containers&_EXT_12_pageNumber=1&_EXT_12_orderby=SQLi ## CVE-2016-8905 - JSONTags servlet, sort SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter. Preconditions: attacker must be authenticated. Proof-of-Concept /JSONTags?start=0&count=10&sort=tagname SQLi ## CVE-2016-8906 - "Links pages", _EXT_18_orderby SQL injection vulnerability in the "Site Browser > Links page" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_18_orderby parameter. Preconditions: attacker must be authenticated. Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Links pages", click on some column title in the resultset table): /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_18&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_18_struts_action=%2Fext%2Flinks%2Fview_links&_EXT_18_pageNumber=1&_EXT_18_orderby=SQLi ## CVE-2016-8907 - "Content Types", _EXT_STRUCTURE_orderBy and _EXT_STRUCTURE_direction SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_STRUCTURE_orderBy and _EXT_STRUCTURE_direction parameters. Preconditions: attacker must be authenticated. Proof-of-Concept URL (from "Admin Site" UI: "Content Types > Content Types", click on some column title in the resultset table) /c/portal/layout?p_l_id=56fedb43-dbbf-4ce2-8b77-41fb73bad015&p_p_id=EXT_STRUCTURE&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_STRUCTURE_struts_action=%2Fext%2Fstructure%2Fview_structure&_EXT_STRUCTURE_orderBy=SQLi&_EXT_STRUCTURE_direction=SQLi ## CVE-2016-8908 - "HTML pages", _EXT_15_orderby SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_15_orderby parameter. Preconditions: attacker must be authenticated. Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > HTML pages", click on some column title in the resultset table): /c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_15&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_15_struts_action=%2Fext%2Fhtmlpages%2Fview_htmlpages&_EXT_15_orderby=modDate,SQLi&_EXT_15_pageNumber=1 ## CVE-2016-4040 - "Workflow", _EXT_15_orderby SQL injection vulnerability in the "Workflow Screen" in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the _EXT_15_orderby parameter. Preconditions: attacker must be authenticated. Proof-of-Concept URL (from "Admin Site" UI: "Home > Workflow tasks", click on some column title in the resultset table) /html/portlet/ext/workflows/view_tasks_list.jsp?schemeId=&assignedTo=&createdBy=&stepId=&open=false&closed=true&keywords=&orderBy=SQLi&count=1&page=1 # Vulnerability Disclosure Timeline 2015-12-14 | me > dotCMS | 8 SQL injection vulnerabilities 2015-12-14 | dotCMS > me | they were planning fixes in upcoming release, estimated to beginning of 2016 2016-03-16 | dotCMS | dotCMS version 3.3.1 release (CVE-2016-4040 still not fixed) 2016-04-07 | me > dotCMS | what is the situation with reported vulnerabilities? 2016-04-07 | dotCMS > me | CVE-2016-4040 will be fixed in 3.5, which is estimated to be out in mid-April 2016-04-19 | dotCMS | dotCMS version 3.5 release 2016-05-10 | dotCMS | dotCMS version 3.3.2 release 2016-10-31 | me | Full Disclosure on http://security.elarlang.eu # Related fixes and releases https://dotcms.com/docs/latest/change-log#release-3.3.1 https://dotcms.com/docs/latest/change-log#release-3.5 https://dotcms.com/docs/latest/change-log#release-3.3.2 -- Elar Lang Blog @ https://security.elarlang.eu Pentester, lecturer @ http://www.clarifiedsecurity.com

 

TOP