Symphony CMS 2.6.5 SQL Injection / File Upload

2016-02-09T00:00:00
ID PACKETSTORM:135674
Type packetstorm
Reporter Filippo Cavallarin
Modified 2016-02-09T00:00:00

Description

Advisory ID: SGMA-16002  
Title: Symphony CMS multiple vulnerabilities  
Product: Symphony CMS  
Version: 2.6.5 and probably prior  
Vendor: www.getsymphony.com  
Vulnerability type: SQL-injection, Unrestricted File Upload  
Risk level: 4 / 5  
Credit: filippo.cavallarin@wearesegment.com  
CVE: N/A  
Vendor notification: 2016-02-02  
Vendor fix: 2016-02-05  
Public disclosure: 2016-02-08  
  
  
Details  
  
Symphony CMS suffers from multiple vulnerabilities:  
  
- SQL Injection  
  
The contentAjaxQuery class suffers from a SQL-Injection vulnerability because the request  
parameter "query" is used to build a sql query without being properly sanitized.  
In order to exploit this issue, an attacker must be logged into the application as a  
non-privileged user.  
The following proof-of-concept demonstrates this issue by listing users' credentials:  
  
http://symphony-cms.local/symphony/ajax/query/?field_id=1&query=%27%20union%20select%20username,password,1,2%20from%20sym_authors%20--%20a&types=entry&limit=3000  
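A defender-side check for this issue, added here as an example and not part of the advisory: it scans web-server access logs for requests to the contentAjaxQuery endpoint whose "query" parameter carries a quote character together with SQL syntax. The log lines are constructed; the endpoint path and parameter name are taken from the advisory's request above.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not from the advisory); the first one
# carries the request URL shown in the advisory, the others are benign traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [09/Feb/2016:10:00:01 +0000] "GET /symphony/ajax/query/?field_id=1&query=%27%20union%20select%20username,password,1,2%20from%20sym_authors%20--%20a&types=entry&limit=3000 HTTP/1.1" 200 512
10.0.0.7 - - [09/Feb/2016:10:00:02 +0000] "GET /symphony/ajax/query/?field_id=1&query=hello&types=entry&limit=20 HTTP/1.1" 200 128
10.0.0.8 - - [09/Feb/2016:10:00:03 +0000] "GET /symphony/ajax/query/?field_id=2&query=o%27brien&types=entry&limit=20 HTTP/1.1" 200 64
10.0.0.9 - - [09/Feb/2016:10:00:04 +0000] "GET /about HTTP/1.1" 200 2048
"""

# Extracts method and request target from a combined-log-format request field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# A lone quote is a weak signal (legitimate search terms contain apostrophes);
# a quote combined with SQL keywords or comment markers is the strong signal.
SQL_SYNTAX_RE = re.compile(r"\b(union|select|from|where)\b|--|/\*|;", re.IGNORECASE)


def classify_query_param(value):
    """Return 'high' for quote plus SQL syntax, 'low' for a bare quote, else None."""
    has_quote = "'" in value or '"' in value
    if has_quote and SQL_SYNTAX_RE.search(value):
        return "high"
    if has_quote:
        return "low"
    return None


def scan_access_log(text):
    """Return (client_ip, severity, decoded_query) for suspicious ajax/query requests."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        # Only the endpoint named in the advisory is of interest here.
        if not parts.path.startswith("/symphony/ajax/query"):
            continue
        # parse_qs percent-decodes values, so %27 becomes a literal quote.
        params = parse_qs(parts.query, keep_blank_values=True)
        for value in params.get("query", []):
            severity = classify_query_param(value)
            if severity:
                hits.append((line.split()[0], severity, value))
    return hits
```

Running scan_access_log over real logs flags the advisory's request as "high" while a search for "o'brien" is only "low", which keeps the check usable without suppressing apostrophes entirely.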
  
  
- Unrestricted file upload  
  
Symphony CMS suffers from an Unrestricted File Upload vulnerability that leads to remote  
code execution in the context of the web server.  
It is possible for a non-privileged user to upload a .php file into the webroot and  
execute arbitrary php code.  
In order to exploit this issue, an attacker must be logged into the application as  
a non-privileged user, and at least one "section" with a file upload field must exist.  
To reproduce the issue, follow the steps below:  
  
1. As an admin create a Section with a File Upload field  
2. Log in as an author and create a new entry in the newly created section  
3. Upload a .php file (e.g. tmp.php) and load it with the browser  
  
  
  
Solution  
  
Upgrade to Symphony CMS version 2.6.6  
  