Concrete5 5.7.4 SQL Injection

2015-06-12T00:00:00
ID PACKETSTORM:132277
Type packetstorm
Reporter EgiX
Modified 2015-06-12T00:00:00

Description

                                        
                                            `-----------------------------------------------------------  
Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability  
-----------------------------------------------------------  
  
  
[-] Software Link:  
  
https://www.concrete5.org/  
  
  
[-] Affected Versions:  
  
Version 5.7.3.1, 5.7.4, and probably other versions.  
  
  
[-] Vulnerability Description:  
  
The vulnerable code is located in /concrete/src/Permission/Access/Access.php:  
  
168. protected function buildAssignmentFilterString($accessType, $filterEntities)  
169. {  
170. $peIDs = '';  
171. $filters = array();  
172. if (count($filterEntities) > 0) {  
173. foreach ($filterEntities as $ent) {  
174. $filters[] = $ent->getAccessEntityID();  
175. }  
176. $peIDs .= 'and peID in (' . implode($filters, ',') . ')';  
177. }  
178. if ($accessType == 0) {  
179. $accessType = '';  
180. } else {  
181. $accessType = ' and accessType = ' . $accessType;  
182. }  
  
The Access::buildAssignmentFilterString() method uses its $accessType parameter to construct a SQL query  
without a proper validation at line 181. This can be exploited to inject and execute arbitrary SQL commands.  
Successful exploitation of this vulnerability requires an account with privileges to edit page permissions.  
  
  
[-] Solution:  
  
Update to version 5.7.4.1 or later.  
  
  
[-] Disclosure Timeline:  
  
[05/05/2015] - Vulnerability details sent through HackerOne  
[12/05/2015] - Vendor said a patch has been committed and will be available in the next version  
[12/05/2015] - Version 5.7.4.1 released along with the patch for this vulnerability  
[11/06/2015] - Vulnerability publicly disclosed on HackerOne  
[11/06/2014] - CVE number requested  
[11/06/2014] - Publication of this advisory  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org) has not assigned a name to this vulnerability yet.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano of Minded Security.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2015-03  
  
  
[-] Other References:  
  
https://hackerone.com/reports/59664  
`