Post Thu Apr 04, 2013 4:23 pm

HTB23148: SQL Injection Vulnerability in Symphony

Advisory ID: HTB23148
Product: Symphony
Vulnerable Versions: 2.3.1 and probably prior
Tested Version: 2.3.1
Vendor Notification: March 13, 2013
Vendor Fix: March 24, 2013
Public Disclosure: April 3, 2013
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-2559
Risk Level: Medium
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab

Advisory Details:
High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in Symphony, which can be exploited to alter SQL requests to database of the vulnerable application.

1) SQL Injection in Symphony: CVE-2013-2559
The vulnerability exists due to insufficient filtration of "sort" HTTP GET parameter passed via "/symphony/system/authors/" URL to "/index.php" script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.
Depending on database and system configuration, this PoC (Proof of Concept) code will create "/var/www/file.txt" file, containing users account information (logins, hashed passwords, etc.) from the "authors" table:
http://[host]/symphony/system/authors/?order=asc&sort=id%20INTO%20OUTFILE%20%27/var/www/file.txt%27% 20--%20

This vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick the logged-in administrator to visit a web page with CSRF exploit:
<img src="http://[host]/symphony/system/authors/?order=asc&sort=id%20INTO%20OUTFILE%20%27/var/www/file.tx t%27%20--%20">

Upgrade to Symphony 2.3.2

More Information: ... 67ce50f468

[1] High-Tech Bridge Advisory HTB23148 - - SQL Injection Vulnerability in Symphony.
[2] Symphony - - XSLT-powered open source content management system.
[3] Common Vulnerabilities and Exposures (CVE) - - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - - targeted to developers and security practitioners, CWE is a formal list of software weakness types.
Last edited by AndyP on Thu Apr 04, 2013 4:25 pm, edited 1 time in total.