Post Thu Apr 04, 2013 4:23 pm

HTB23148: SQL Injection Vulnerability in Symphony

Advisory ID: HTB23148
Product: Symphony
Vendor: http://getsymphony.com/
Vulnerable Versions: 2.3.1 and probably prior
Tested Version: 2.3.1
Vendor Notification: March 13, 2013
Vendor Fix: March 24, 2013
Public Disclosure: April 3, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-2559
Risk Level: Medium
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab


Advisory Details:
High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in Symphony, which can be exploited to alter SQL requests to database of the vulnerable application.

1) SQL Injection in Symphony: CVE-2013-2559
The vulnerability exists due to insufficient filtration of "sort" HTTP GET parameter passed via "/symphony/system/authors/" URL to "/index.php" script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.
Depending on database and system configuration, this PoC (Proof of Concept) code will create "/var/www/file.txt" file, containing users account information (logins, hashed passwords, etc.) from the "authors" table:
  Code:
http://[host]/symphony/system/authors/?order=asc&sort=id%20INTO%20OUTFILE%20%27/var/www/file.txt%27% 20--%20


This vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick the logged-in administrator to visit a web page with CSRF exploit:
<img src="http://[host]/symphony/system/authors/?order=asc&sort=id%20INTO%20OUTFILE%20%27/var/www/file.tx t%27%20--%20">

Solution:
Upgrade to Symphony 2.3.2

More Information:
http://getsymphony.com/download/releases/version/2.3.2/
https://github.com/symphonycms/symphony ... 67ce50f468


References:
[1] High-Tech Bridge Advisory HTB23148 - https://www.htbridge.com/advisory/HTB23148 - SQL Injection Vulnerability in Symphony.
[2] Symphony - getsymphony.com - XSLT-powered open source content management system.
[3] Common Vulnerabilities and Exposures (CVE) - cve.mitre.org - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - cwe.mitre.org - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Last edited by AndyP on Thu Apr 04, 2013 4:25 pm, edited 1 time in total.