Symphony cms 2.3 multiple vulnerabilities
--------------------------------------------------------------------------------------------
20121017 - Justanotherhacker.com : Symphony cms - Multiple vulnerabilities
JAHx122 - http://www.justanotherhacker.com/advisories/JAHx122.txt
--------------------------------------------------------------------------------------------

Symphony is an XSLT-powered open source content management system.
[ Taken from: http://getsymphony.com/ ]

--- Vulnerability description ---
Symphony-cms version 2.3 is vulnerable to several vulnerabilities ranging in severity from low to high, which together can result in complete compromise by an unauthenticated attacker.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: High
Release: Responsible
Vendor: Symphony - http://getsymphony.com
Affected versions: 2.3 (and possibly earlier)

--- Local path disclosure ---
Direct requests to library files will disclose the full local file path if PHP is configured to display errors, because the library relies on the library path being declared in a constant of global scope outside of the library script.
PoC: http://host/path/symphony/lib/boot/bundle.php

--- User enumeration ---
The retrieve password url http://host/path/symphony/login/retrieve-password/ will display a helpful error message if the email address entered does not exist in the database.

--- Authentication token brute force ---
Symphony-cms allows a user to log in without entering their username and password via a remote auth url that contains a token made up of the first 8 characters of a sha1 hash of the user's username and hashed password. If a user has auth_token_active set to yes in the sym_authors table, an attacker can log in to their account by brute forcing a key of [0-9A-F]^8 length. The url is http://host/path/symphony/login/[token]/, ie: http://host/path/symphony/login/a39880be/ for the user "admin" with password "admin".
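A defender-side check for the token brute force described above, added here as an example and not part of the advisory or of Symphony's own code. It scans constructed web-server log lines (the "ip path" log format and the addresses are assumed) and flags any client that presents several distinct 8-hex-character remote-login tokens: the keyspace is only 16^8, and a legitimate user only ever sends their single token.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the advisory): "client_ip request_path".
# One client cycles through four different tokens; the others are benign.
SAMPLE_LOG = """\
203.0.113.7 /path/symphony/login/a39880be/
203.0.113.7 /path/symphony/login/a39880bf/
203.0.113.7 /path/symphony/login/00000001/
203.0.113.7 /path/symphony/login/deadbeef/
198.51.100.2 /path/symphony/login/
198.51.100.2 /path/symphony/login/retrieve-password/
198.51.100.9 /path/symphony/login/a39880be/
"""

# Remote-login URL carrying an 8-character hex token, as the advisory describes.
TOKEN_LOGIN = re.compile(r"/symphony/login/([0-9a-fA-F]{8})/")
LOG_LINE = re.compile(r"^(\S+) (\S+)$")


def parse_log(text):
    """Yield (client_ip, token) for every token-login request in the log.
    Lines that do not match the log format or carry no token are skipped."""
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        ip, path = m.groups()
        t = TOKEN_LOGIN.search(path)
        if t:
            yield ip, t.group(1).lower()


def find_token_guessers(text, threshold=3):
    """Return {ip: distinct_token_count} for clients that tried at least
    `threshold` distinct tokens. One source presenting many different tokens
    is the guessing pattern; one token per client is normal use."""
    seen = defaultdict(set)
    for ip, token in parse_log(text):
        seen[ip].add(token)
    return {ip: len(toks) for ip, toks in seen.items() if len(toks) >= threshold}


if __name__ == "__main__":
    for ip, count in find_token_guessers(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct remote-login tokens")
```

Alerting on this pattern only narrows the window; the fix is to disable auth_token_active for authors that do not need it and to upgrade to 2.3.1.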
--- Cross site scripting ---
Reflected:
The email input field supplied to http://host/path/symphony/login/retrieve-password/ is not sufficiently filtered for malicious characters, resulting in reflected cross site scripting.
PoC: Submit form with email address: ">

Reflected:
The email input field supplied to http://host/path/symphony/login/ is not sufficiently filtered for malicious characters, resulting in reflected cross site scripting.
PoC: username=%22%3E%3C%2Finput%3E%3Cscript%3Ealert%28%27k63ddgb6ra%27%29%3C%2Fscript%3E&password=on

Persistent:
The "From name" preference setting in Symphony-cms (http://host/path/symphony/system/preferences/) is not sufficiently encoded, resulting in persistent cross site scripting.
PoC: settings%5Bemail_sendmail%5D%5Bfrom_name%5D=Symphony%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

--- Blind sql injection ---
The username field in the author detail page is not sufficiently filtered when checking whether the username already exists in the system, resulting in blind sql injection.
PoC: Edit an author's profile and update the username to include a malicious payload, ie:
username' union select "" FROM sym_authors INTO OUTFILE '/var/www/workspace/haxed.php
where the path to your outfile is based on the local path disclosure.

--- SQL Injection ---
The "page" number supplied when editing blueprints is vulnerable to sql injection. We can retrieve a user's username, hashed password and auth token status with the following PoC:
http://host/path/symphony/bluePRINTs/pages/edit/0%29+union+select+1,2,username,password,5,auth_token_active,7,8,9+from+sym_authors+where+id+=+1+--+/

--- Unrestricted file upload ---
While this appears to be intended functionality for authorised users, combined with the aforementioned vulnerabilities it becomes trivial to place a backdoor on the system.

--- Solution ---
Upgrade to version 2.3.1.
--- Disclosure time line ---
17-Oct-2012 - Public disclosure
03-Oct-2012 - Issues patched in upcoming release
18-Sep-2012 - Patch checked into git
17-Sep-2012 - Vendor response
14-Sep-2012 - Vendor notified through email