Reporter Filippo Cavallarin
`Advisory ID: SGMA-16002
Title: Symphony CMS multiple vulnerabilities
Product: Symphony CMS
Version: 2.6.5 and probably prior
Vulnerability type: SQL-injection, Unrestriced File Upload
Risk level: 4 / 5
Vendor notification: 2016-02-02
Vendor fix: 2016-02-05
Public disclosure: 2016-02-08
Symphony CMS suffers from multiple vulnerabilities:
- SQL Injection
The contentAjaxQuery class suffers from a SQL-Injection vulnerability because the request
parameter "query" is used to build a sql query without beeing properly sanitized.
In order to exploit this issue, an attaccker must be logged into the application as a
The following proof-of-concept demostrates this issue by listing users credentials:
- Unrestricted file upload
Symphony CMS suffers from an Unrestricted File Upload vulnerability that leads to remote
code execution in the context of the web server.
It is possible for a non-privileged user to upload a .php file into the webroot and
execute arbitrary php code.
In order to exploit this issue, an attaccker must be logged into the application as
a non-privileged user and it must exist at least one "section" with a file upload filed.
To reproduce the issue, follow the steps below:
1. As an admin create a Section with a File Upload field
2. Log as an author and create new entry with the newly created section
3. Upload a .php file (ie tmp.php) and load it with the browser
Upgrade to Symphony CMS version 2.6.6