Lucene search

zdtHigh-Tech Bridge1337DAY-ID-20604
HistoryApr 04, 2013 - 12:00 a.m.

Symphony 2.3.1 SQL Injection Vulnerability

High-Tech Bridge





Symphony version 2.3.1 suffers from a remote SQL injection vulnerability.

Product: Symphony
Vulnerable Version(s): 2.3.1 and probably prior
Tested Version: 2.3.1
Vendor Notification: March 13, 2013 
Vendor Patch: March 24, 2013 
Public Disclosure: April 3, 2013 
Vulnerability Type: SQL Injection [CWE-89]
CVE Reference: CVE-2013-2559
Risk Level: Medium 
CVSSv2 Base Score: 5.1 (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Solution Status: Fixed by Vendor
Discovered and Provided: High-Tech Bridge Security Research Lab ( ) 


Advisory Details:

High-Tech Bridge Security Research Lab discovered SQL injection vulnerability in Symphony, which can be exploited to alter SQL requests to database of the vulnerable application.

1) SQL Injection in Symphony: CVE-2013-2559

The vulnerability exists due to insufficient filtration of "sort" HTTP GET parameter passed via "/symphony/system/authors/" URL to "/index.php" script. A remote authenticated administrator can execute arbitrary SQL commands in the application's database.

Depending on database and system configuration, this PoC (Proof of Concept) code will create "/var/www/file.txt"  file, containing users account information (logins, hashed passwords, etc.) from the "authors" table:


This vulnerability could also be exploited by a remote non-authenticated attacker via CSRF vector, since the application is prone to Cross-Site Request Forgery (CSRF) attacks. In order to do so an attacker should trick the logged-in administrator to visit a web page with CSRF exploit:

<img src="http://[host]/symphony/system/authors/?order=asc&sort=id%20INTO%20OUTFILE%20%27/var/www/file.txt%27%20--%20">



Upgrade to Symphony 2.3.2

More Information:



[1] High-Tech Bridge Advisory HTB23148 - - SQL Injection Vulnerability in Symphony.
[2] Symphony - - XSLT-powered open source content management system.
[3] Common Vulnerabilities and Exposures (CVE) - - international in scope and free for public use, CVE® is a dictionary of publicly known information security vulnerabilities and exposures.
[4] Common Weakness Enumeration (CWE) - - targeted to developers and security practitioners, CWE is a formal list of software weakness types.

# [2018-01-08]  #