Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

CivicRM 4.7b3 SQL Injection

🗓️ 10 Apr 2016 00:00:00Reported by Simon WatersType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 27 Views

CivicRM 4.7b3 SQL Injection in WordPress integration allowing authenticated users to download arbitrary database conten

Code
`CivicRM extends common CMS platforms (WordPress, Drupal) with a module to manage Civic campaigns, tracking donors, amounts, and campaign CRM type activity.  
  
I tested the WordPress integration of CivicRM 4.7b3 which was found to have blind SQL Injections that allow authenticated users to download arbitrary database content.  
  
  
The first was in the columns[0][data] parameter when querying a contact relationship in the AJAX query.  
  
http://192.168.56.101/wp-admin/admin.php?page=CiviCRM&q=civicrm/ajax/contactrelationships&context=current&cid=3&draw=1&columns[0][data]=relation%2c%28select*from%28select%28sleep%2820%29%29%29a%29&..  
  
The actual code path in the PHP was rather convoluted.  
  
  
The second was in the subType parameter when performing.  
  
http://192.168.56.101/wp-admin/admin.php?page=CiviCRM&q=civicrm%2Fcustom&type=Campaign&subType=3%25%27OR+1%3D1+OR+civicrm_custom_group.extends_entity_column_value%3D%27&entityID=1&cgcount=1&snippet=json <http://192.168.56.101/wp-admin/admin.php?page=CiviCRM&q=civicrm/custom&type=Campaign&subType=3%'OR+1=1+OR+civicrm_custom_group.extends_entity_column_value='&entityID=1&cgcount=1&snippet=json>  
  
The ease of detection and exploitation of this later issue varies depending whether custom fields exist.  
  
  
These issues were notified to CivicRM project on 2015-12-21  
  
A reminder was sent 2016-02-05  
  
No recent correspondence has been received on the matter.   
  
CivicRM have recently performed a security release, there is no indication in the release notes or bug tracking tool as to whether these issues have been addressed or not.  
  
  
  
Both injections allow authenticated users to download arbitrary database content (typically this is the same database as the CMS), this may include low privileged WordPress users such as “author”.  
  
Users of CivicRM may want to ensure only trusted users are permitted access to the relevant CMS as role based restrictions will not correctly control access to sensitive data, or deploy WAF like measures (mod-security etc) to further mitigate any risk.  
  
  
The issues were identified using Burp-Suite Pro.   
  
The first of these issues can be automatically exploited by SQLmap, so the skill needed to perform the exploit is minimal.  
  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
10 Apr 2016 00:00Current
0.5Low risk
Vulners AI Score0.5
civicrmsql injectionwordpress integrationauthenticated usersarbitrary database contentsecurity releasecmsrole based restrictionswafburp-suite prosqlmap
27