symphony CMS 2.3 - Multiple Vulnerabilities

EDB-ID: 22039 CVE: N/A OSVDB-ID: 86402...
Verified: Author: Wireghoul Published: 2012-10-17
Download Exploit: Source Raw Download Vulnerable App:
Symphony cms 2.3 multiple vulnerabilities

20121017 - : Symphony cms - Multiple vulnerabilities
JAHx122 -

Symphony is an XSLT-powered open source content management system.
[ Taken from: ]

--- Vulnerability description ---
Symphony-cms version 2.3 is vulnerable to several vulnerabilities ranging in
severity from low to high and can result in complete compromise by an
unauthenticated attacker.

Discovered by: Eldar "Wireghoul" Marcussen
Type: Multiple
Severity: High
Release: Responsible
Vendor: Symphony -
Affected versions: 2.3 (and possibly earlier)

--- Local patch disclosure ---
Direct requests to library files will disclose the full local file path if php is configured
to display errors due to the reliance on the library path being declared in a constant 
of global scope outside of the library script.


--- User enumeration ---
The retrive password url http://host/path/symphony/login/retrieve-password/ will display a 
helpful error message if the email address entered does not exist in the database.

--- Authentication token brute force ---
Symphony-cms allows a user to login without entering their username and password via
a remote auth url that contains a token made up of the first 8 characters of a sha1 hash
of the user's username and hashed password.

If a user has auth_token_active set to yes in the sym_authors table an attacker can login to 
their account by brute forcing a key of [0-9A-F]^8 length.

The url http://host/path/symphony/login/[token]/ ie: http://host/path/symphony/login/a39880be/ 
for the user "admin" with password "admin".

--- Cross site scripting ---
The email input field supplied to http://host/path/symphony/login/retrieve-password/ is not 
sufficiently filtered for malicious characters resulting in reflected cross site scripting.

Submit form with email address:

The email input field supplied to http://host/path/symphony/login/ is not sufficiently 
filtered for malicious characters resulting in reflected cross site scripting.


The "From name" preference setting in Symphony-cms (http://host/path/symphony/system/preferences/) 
is not sufficiently encoded resulting in persistent cross site scripting.


--- Blind sql injection ---
The username field in the authors detail page is not sufficiently filtered when checking
is the username already exists in the system. Resulting in blind sql injection.

Edit an author's profile, update the username to include a malicious payload, ie:
username' union select "<?php @system($_REQUEST['cmd']); ?>" FROM sym_authors INTO OUTFILE '/var/www/workspace/haxed.php
where the path to your outfile is based on the local path disclosure. 

--- SQL Injection ---
The "page" number supplied when editing blueprints is vulnerable to sql injection.

We can retrieve a users username, hashed password and auth token status with the following PoC:

--- Unrestricted file upload ---
While this appears to be intended functionality for authorised users, combined 
with the aforementioned vulnerabilities it becomes trivial to place a backdoor
on the system.

--- Solution ---
Upgrade to version 2.3.1.

--- Disclosure time line ---
17-Oct-2012 - Public disclosure
03-Oct-2012 - Issues patched in upcoming release
18-Sep-2012 - Patch checked into git
17-Sep-2012 - Vendor response
14-Sep-2012 - Vendor notified through email