Vulnerable Versions: 2.3.1 and probably prior
Tested Version: 2.3.1
Vendor Notification: March 13, 2013
Vendor Fix: March 24, 2013
Public Disclosure: April 3, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-2559
Risk Level: Medium
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab
High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in Symphony, which can be exploited to alter SQL requests to database of the vulnerable application.
1) SQL Injection in Symphony: CVE-2013-2559
The vulnerability exists due to insufficient filtration of "sort" HTTP GET parameter passed via "/symphony/system/authors/" URL to "/index.php" script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.
Depending on database and system configuration, this PoC (Proof of Concept) code will create "/var/www/file.txt" file, containing users account information (logins, hashed passwords, etc.) from the "authors" table:
This vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick the logged-in administrator to visit a web page with CSRF exploit:
<img src="http://[host]/symphony/system/authors/?order=asc&sort=id%20INTO%20OUTFILE%20%27/var/www/file.tx t%27%20--%20">
Upgrade to Symphony 2.3.2
https://github.com/symphonycms/symphony ... 67ce50f468
 High-Tech Bridge Advisory HTB23148 - https://www.htbridge.com/advisory/HTB23148 - SQL Injection Vulnerability in Symphony.
 Symphony - getsymphony.com - XSLT-powered open source content management system.
 Common Vulnerabilities and Exposures (CVE) - cve.mitre.org - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
 Common Weakness Enumeration (CWE) - cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.