Upload: mindedsecurity
Posted on 07-Aug-2015

Concrete5 SQL Injection Advisory

Edition: 1.0
Last Edit: 24/06/2015
Classification: Not restricted

SQL Injection Vulnerability in Concrete5 version 5.7.3.1

Author: Egidio Romano

SQL Injection in Concrete5 version 5.7.3.1
Edition: v1.0 Date: 24/06/2015 Not restricted Page 1/3

Summary

Vulnerability Class: SQL Injection
CVE ID: CVE-2015-4724
Remote: Yes
Local: No
Published: June 11, 2015
Updated: June 24, 2015
Credit: Egidio Romano
Vulnerable Version: 5.7.3.1 and probably prior versions
Fixed On: 5.7.4.1
Other References:
    https://hackerone.com/reports/59664
    http://blog.mindedsecurity.com/2015/06/multiple-security-issues-discovered-in-concrete5-part1.html

Description

Concrete5 is vulnerable to a SQL Injection attack because user input is used to construct a SQL query without proper validation. This vulnerability can be exploited only by authenticated users with privileges to edit page permissions.

Vulnerability Details

The vulnerable code is located within the Access::buildAssignmentFilterString() method, which uses its $accessType parameter to construct a SQL query without proper validation:

File: /concrete/src/Permission/Access/Access.php (lines 168-183):

    protected function buildAssignmentFilterString($accessType, $filterEntities)
    {
        $peIDs = '';
        $filters = array();
        if (count($filterEntities) > 0) {
            foreach ($filterEntities as $ent) {


                $filters[] = $ent->getAccessEntityID();
            }
            $peIDs .= 'and peID in (' . implode($filters, ',') . ')';
        }
        if ($accessType == 0) {
            $accessType = '';
        } else {
            $accessType = ' and accessType = ' . $accessType;
        }
        return $peIDs . ' ' . $accessType . ' order by accessType desc'; // we order desc so that excludes come last (-1)
    }

This method is called by Access::getAccessListItems(), which in turn is called by the following script with input from the “listItem” request parameter passed as the $accessType parameter:

File: /concrete/tools/permissions/categories/page.php (lines 192-212):

    if ($_REQUEST['task'] == 'bulk_remove_access' && Loader::helper('validation/token')->validate('bulk_remove_access')) {
        $pkID = $_REQUEST['pkID'];
        $pk = PermissionKey::getByID($pkID);
        $u = new User();
        $deferred = false;
        foreach($pages as $c) {
            $pk->setPermissionObject($c);
            $pa = $pk->getPermissionAccessObject();
            $matches = array();
            if (is_object($pa)) {
                foreach($_REQUEST['listItem'] as $li) {
                    $lii = explode(':', $li);
                    $peID = $lii[0];
                    $accessType = $lii[1];
                    $pdID = $lii[2];
                    $listItems = $pa->getAccessListItems($accessType);


When the “task” request parameter is set to “bulk_remove_access”, input from the “listItem” request parameter is passed directly to the Access::getAccessListItems() method without proper validation. This can be exploited to inject and execute arbitrary SQL commands.
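The following is an added example, not concrete5's own code and not the fix shipped in 5.7.4.1: it places a builder in the shape the advisory quotes next to a hardened version that lets only integers reach the query text, and adds a strict parser for “listItem” entries so the controller can reject a malformed entry before calling getAccessListItems(). The function names, the assumption that the peID list arrives as plain IDs, and the sample inputs are this example's own.

```php
<?php
// Added example (not concrete5's code and not the 5.7.4.1 fix): hardening the
// two points the advisory identifies. Function names and inputs are assumed.

// Shape of the vulnerable builder from the advisory: $accessType is
// concatenated into the SQL fragment unchanged, so anything after the number
// becomes part of the query.
function buildAssignmentFilterStringVulnerable($accessType, array $filterIds)
{
    $peIDs = '';
    if (count($filterIds) > 0) {
        $peIDs .= 'and peID in (' . implode(',', $filterIds) . ')';
    }
    if ($accessType == 0) {
        $accessType = '';
    } else {
        $accessType = ' and accessType = ' . $accessType;
    }
    return $peIDs . ' ' . $accessType . ' order by accessType desc';
}

// True only for an optionally negative run of digits ("-1", "10"), so values
// such as "1 AND ...", "" or arrays are rejected before any casting happens.
function isStrictInt($value)
{
    if (!is_string($value) && !is_int($value)) {
        return false;
    }
    return preg_match('/\A-?[0-9]+\z/', (string) $value) === 1;
}

// Hardened builder: every value interpolated into SQL is validated and then
// cast to int, so only digits can ever reach the query text. Negative values
// are allowed because the advisory's code comment notes that excludes use -1.
function buildAssignmentFilterStringHardened($accessType, array $filterIds)
{
    if (!isStrictInt($accessType)) {
        throw new InvalidArgumentException('accessType must be an integer');
    }
    $ids = array();
    foreach ($filterIds as $id) {
        if (!isStrictInt($id)) {
            throw new InvalidArgumentException('peID must be an integer');
        }
        $ids[] = (int) $id;
    }
    $accessType = (int) $accessType;
    $peIDs = count($ids) > 0 ? 'and peID in (' . implode(',', $ids) . ')' : '';
    $typeFilter = $accessType === 0 ? '' : ' and accessType = ' . $accessType;
    return $peIDs . ' ' . $typeFilter . ' order by accessType desc';
}

// Strict parser for one "listItem" entry (peID:accessType:pdID). Returns the
// three values as ints, or null when the entry is malformed, so the controller
// can reject the request before getAccessListItems() is ever reached.
function parseListItem($item)
{
    if (!is_string($item)) {
        return null;
    }
    $parts = explode(':', $item);
    if (count($parts) !== 3) {
        return null;
    }
    foreach ($parts as $part) {
        if (!isStrictInt($part)) {
            return null;
        }
    }
    return array((int) $parts[0], (int) $parts[1], (int) $parts[2]);
}

// Demonstration with constructed inputs: the first mimics the payload shape
// in the advisory, the second is a well-formed entry.
$entries = array('test:1 AND SQL_INJECTION:1', '3:-1:7');
foreach ($entries as $entry) {
    $parsed = parseListItem($entry);
    echo $entry, ' => ', $parsed === null ? 'rejected' : implode(',', $parsed), "\n";
}

// The vulnerable builder passes the injected text straight into the fragment...
echo buildAssignmentFilterStringVulnerable('1 AND SQL_INJECTION', array(3)), "\n";

// ...while the hardened builder refuses it and accepts only integers.
try {
    buildAssignmentFilterStringHardened('1 AND SQL_INJECTION', array(3));
} catch (InvalidArgumentException $e) {
    echo 'hardened: ', $e->getMessage(), "\n";
}
echo buildAssignmentFilterStringHardened(-1, array(3)), "\n";
```

Run it with the php command-line binary: the vulnerable builder emits the injected text verbatim inside the WHERE fragment, while the hardened builder throws before any SQL text is assembled. Validating in both the controller (parseListItem) and the builder itself is deliberate: the builder check still holds if some future caller passes an accessType that did not come through the listItem parser.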

Exploitation Details

An attacker logged in with an account having privileges to edit page permissions can request the following URL in order to obtain a valid anti-CSRF token, which is needed for the request that follows:

http://[host]/index.php/tools/required/pages/permissions_access?cID=1&task=remove

The server will return a valid anti-CSRF token within the HTML code in the response:

    <form id="ccm-permissions-bulk-access-form" action="/index.php/tools/required/permissions/categories/page?ccm_token=1428936611:0eb571540e907ecb0bcea9ccda9550da&task=bulk_remove_access">

Once obtained, the attacker can use this token to launch a SQL injection attack by requesting a URL like the following:

http://[host]/index.php/tools/required/permissions/categories/page?ccm_token=1428936611:0eb571540e907ecb0bcea9ccda9550da&task=bulk_remove_access&cID=1&pkID=1&listItem[]=test:1%20AND%20SQL_INJECTION

Which generates the following error: