concrete5 sql injection advisory
Edition: 1.0
Last Edit: 24/06/2015
Classification: Not restricted
SQL Injection Vulnerability
in Concrete5 version 5.7.3.1
Author: Egidio Romano
SQL Injection in Concrete5 version 5.7.3.1
Edition: v1.0 Date: 24/06/2015 Not restricted Page 1/3
Summary
Vulnerability Class SQL Injection
CVE ID CVE-2015-4724
Remote Yes
Local No
Published June 11, 2015
Updated June 24, 2015
Credit Egidio Romano
Vulnerable Version 5.7.3.1 and probably prior versions
Fixed On 5.7.4.1
Other References https://hackerone.com/reports/59664
http://blog.mindedsecurity.com/2015/06/multiple-security-issues-discovered-in-concrete5-part1.html
Description
Concrete5 is vulnerable to a SQL Injection attack because certain user input is being used to construct a SQL query without proper validation. This vulnerability can be exploited only by authenticated users with privileges to edit page permissions.
Vulnerability Details
The vulnerable code is located within the Access::buildAssignmentFilterString() method, which uses its $accessType parameter to construct a SQL query without proper validation:
File: /concrete/src/Permission/Access/Access.php (lines 168-183):
    protected function buildAssignmentFilterString($accessType, $filterEntities)
    {
        $peIDs = '';
        $filters = array();
        if (count($filterEntities) > 0) {
            foreach ($filterEntities as $ent) {
                $filters[] = $ent->getAccessEntityID();
            }
            $peIDs .= 'and peID in (' . implode($filters, ',') . ')';
        }
        if ($accessType == 0) {
            $accessType = '';
        } else {
            $accessType = ' and accessType = ' . $accessType;
        }
        return $peIDs . ' ' . $accessType . ' order by accessType desc'; // we order desc so that excludes come last (-1)
    }
This method is called by Access::getAccessListItems(), which in turn is called by the following script, passing input from the “listItem” request parameter as the $accessType parameter:
File: /concrete/tools/permissions/categories/page.php (lines 192-212):
    if ($_REQUEST['task'] == 'bulk_remove_access' && Loader::helper('validation/token')->validate('bulk_remove_access')) {
        $pkID = $_REQUEST['pkID'];
        $pk = PermissionKey::getByID($pkID);
        $u = new User();
        $deferred = false;
        foreach($pages as $c) {
            $pk->setPermissionObject($c);
            $pa = $pk->getPermissionAccessObject();
            $matches = array();
            if (is_object($pa)) {
                foreach($_REQUEST['listItem'] as $li) {
                    $lii = explode(':', $li);
                    $peID = $lii[0];
                    $accessType = $lii[1];
                    $pdID = $lii[2];
                    $listItems = $pa->getAccessListItems($accessType);
When the “task” request parameter is set to “bulk_remove_access”, input coming from the “listItem” request parameter is passed directly to the Access::getAccessListItems() method without proper validation. This can be exploited to inject and execute arbitrary SQL commands.
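Both defects described above (the $accessType value concatenated into the query, and the unparsed listItem entries that supply it) can be closed at either end. The following PHP is an added example written for this advisory; it is not concrete5's code and not the fix that shipped in 5.7.4.1. The function names (buildAssignmentFilterStringSafe, parseListItem) are hypothetical, and the set of accepted access type values is an assumption: the advisory itself only documents 0 (no filter) and -1 (exclude).

```php
<?php
// Added example, not concrete5 code: a hardened stand-in for
// Access::buildAssignmentFilterString() plus a strict parser for the
// "peID:accessType:pdID" entries of the listItem[] request parameter.
declare(strict_types=1);

// Assumption: the non-zero access types a caller may filter on. The real
// values live in concrete5's PermissionAccess class; only -1 (exclude) is
// stated in the advisory.
const ALLOWED_ACCESS_TYPES = [-1, 5, 10];

/**
 * Build the filter fragment with "?" placeholders instead of concatenated
 * values. Returns [fragment, params]. Anything that is not a whole number
 * from the allowed set is rejected, so a value such as
 * "1 AND SQL_INJECTION" never reaches the database layer.
 */
function buildAssignmentFilterStringSafe($accessType, array $filterEntityIDs): array
{
    $sql = '';
    $params = [];

    if (count($filterEntityIDs) > 0) {
        $ids = [];
        foreach ($filterEntityIDs as $id) {
            if (!preg_match('/^\d+$/', (string) $id)) {
                throw new InvalidArgumentException('peID must be a non-negative integer');
            }
            $ids[] = (int) $id;
        }
        // One placeholder per ID; the IDs travel as bound parameters.
        $sql .= ' and peID in (' . implode(',', array_fill(0, count($ids), '?')) . ')';
        $params = $ids;
    }

    // Validate before casting: (int) "1 AND SQL_INJECTION" would silently
    // become 1 and hide the bad input instead of rejecting it.
    if (!preg_match('/^-?\d+$/', (string) $accessType)) {
        throw new InvalidArgumentException('accessType must be an integer');
    }
    $accessType = (int) $accessType;
    if ($accessType !== 0) {
        if (!in_array($accessType, ALLOWED_ACCESS_TYPES, true)) {
            throw new InvalidArgumentException('unknown accessType ' . $accessType);
        }
        $sql .= ' and accessType = ?';
        $params[] = $accessType;
    }

    // Same ordering as the original: excludes (-1) come last.
    return [$sql . ' order by accessType desc', $params];
}

/**
 * Parse one listItem[] entry. Returns null unless all three parts are
 * plain integers, so the caller can drop the request instead of passing
 * arbitrary text on to getAccessListItems().
 */
function parseListItem(string $li): ?array
{
    if (!preg_match('/^(\d+):(-?\d+):(\d+)$/', $li, $m)) {
        return null;
    }
    return ['peID' => (int) $m[1], 'accessType' => (int) $m[2], 'pdID' => (int) $m[3]];
}

// Constructed inputs: one well-formed entry and the malformed shape from
// the advisory ("test:1 AND SQL_INJECTION").
var_dump(parseListItem('3:-1:7'));
var_dump(parseListItem('test:1 AND SQL_INJECTION'));

[$sql, $params] = buildAssignmentFilterStringSafe(-1, [3, 8]);
echo $sql, PHP_EOL;
print_r($params);

try {
    buildAssignmentFilterStringSafe('1 AND SQL_INJECTION', []);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The design point is that validation happens before the integer cast, and the value is then bound as a parameter rather than interpolated: casting alone would turn the advisory's payload into a harmless 1 and mask the attempt, while parameter binding means even a value that slipped past the allow-list could not change the shape of the statement. In the calling script, parseListItem() returning null is the signal to reject the whole bulk_remove_access request.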
Exploitation Details
An attacker logged in with an account having privileges to edit page permissions can request the following URL in order to get a valid CSRF token useful to launch the attack later on:
http://[host]/index.php/tools/required/pages/permissions_access?cID=1&task=remove
The server will return a valid anti-CSRF token within the HTML code in the response:
…
<form id="ccm-permissions-bulk-access-form" action="/index.php/tools/required/permissions/categories/page?ccm_token=1428936611:0eb571540e907ecb0bcea9ccda9550da&task=bulk_remove_access">
…
Once obtained, the attacker can use this token to launch a SQL injection attack by invoking a malicious URL like this:
http://[host]/index.php/tools/required/permissions/categories/page?ccm_token=1428936611:0eb571540e907ecb0bcea9ccda9550da&task=bulk_remove_access&cID=1&pkID=1&listItem[]=test:1%20AND%20SQL_INJECTION
Which generates the following error: