SQL Injection Vulnerability in Symphony

ID HTB23148
Type htbridge
Reporter High-Tech Bridge
Modified 2013-03-26T00:00:00


High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in Symphony, which can be exploited to alter SQL requests to database of the vulnerable application.

1) SQL Injection in Symphony: CVE-2013-2559
The vulnerability exists due to insufficient filtration of "sort" HTTP GET parameter passed via "/symphony/system/authors/" URL to "/index.php" script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.
Depending on database and system configuration, this PoC (Proof of Concept) code will create "/var/www/file.txt" file, containing users account information (logins, hashed passwords, etc.) from the "authors" table:
http://[host]/symphony/system/authors/?order=asc&sort=id%20INTO%20OUTFILE%20 %27/var/www/file.txt%27%20--%20

This vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick the logged-in administrator to visit a web page with CSRF exploit:
<img src="http://[host]/symphony/system/authors/?order=asc&sort=id%20INTO%20OUTFI LE%20%27/var/www/file.txt%27%20--%20">