Symphony Multiple SQL Injection and Cross Site Scripting Vulnerabilities

Summary

Symphony is a web-based content management system (CMS) that enables users to create and manage websites and web applications of all shapes and sizes from the simplest of blogs to bustling news sites and feature-packed social networks.

Credit:

The information has been provided by Mesut Timur.
The original article can be found at: http://www.mavitunasecurity.com/xss-and-sql-injection-vulnerabilities-in-symphony-cms/


Details

Vulnerable Systems:
 * Symphony CMS 2.2.3 and possibly below

Symphony CMS is vulnerable to cross-site scripting, caused by improper validation of user-supplied input. A remote attacker could exploit this vulnerability using the profile and filter parameters in a specially-crafted URL to execute script in a victim’s Web browser within the security context of the hosting Web site, once the URL is clicked. An attacker could use this vulnerability to steal the victim’s cookie-based authentication credentials.

1) Input passed via the ‘profile’ parameter to the URL is not properly sanitised in extensions/profiledevkit/content/content.profile.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

2) Input passed via the ‘filter’ parameter to symphony/publish/images is not properly sanitised in symphony/lib/core/class.symphony.php before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user’s browser session in context of an affected site.

3) Input passed via the ‘filter’ parameter to symphony/publish/comments is not properly sanitised in symphony/content/content.publish.php before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Note: This vulnerability can further be exploited to conduct cross-site scripting attacks via SQL error messages.
Successful exploitation of this vulnerability requires ‘Author’ privileges.

Example PoC URLs are as follows:

http://example.com/symphony/publish/comments/?filter='+(SELECT+1+FROM+(SELECT+SLEEP(25))A)+'
http://example.com/symphony/publish/images/?filter='+(SELECT+1+FROM+(SELECT+SLEEP(25))A)+'
http://example.com/?profile="--></style></script><script>alert(1)</script>
http://example.com/symphony/publish/comments/?filter="--></style></script><script>alert(1)</script>
http://example.com/symphony/publish/images/?filter="--></style></script><script>alert(1)</script>
http://example.com/about/?profile="--></style></script><script>alert(1)</script>
http://example.com/drafts/?profile="--></style></script><script>alert(1)</script>
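The three issues above reduce to two coding patterns: a request parameter echoed into HTML without output encoding (items 1 and 2) and a request parameter concatenated into SQL text, with the resulting database error reflected back unescaped (item 3). The following PHP is an added illustration of each pattern beside its hardened form; it is not Symphony's own code, and the function names, table and column names are assumptions, only the parameter names come from the advisory.

```php
<?php
// Added illustrative example, not Symphony's code. Parameter names ('profile',
// 'filter') follow the advisory; function, table and column names are assumed.

// --- Vulnerable pattern 1: request value echoed into HTML verbatim ---
function render_profile_vulnerable(array $get): string {
    $profile = $get['profile'] ?? '';
    // Lands inside markup unescaped, so a value containing quotes and tags
    // breaks out of the surrounding element and runs as script.
    return '<div class="profile">' . $profile . '</div>';
}

// --- Vulnerable pattern 2: request value concatenated into SQL text ---
function build_filter_sql_vulnerable(string $filter): string {
    // A single quote in $filter terminates the literal; whatever follows is
    // parsed as SQL (the PoC appends a SLEEP() subquery). If $db->error is
    // later echoed into the page, the same value also becomes reflected XSS.
    return "SELECT id, title FROM entries WHERE title LIKE '%" . $filter . "%'";
}

// --- Hardened pattern 1: encode on output for the HTML context ---
function render_profile(array $get): string {
    $profile = $get['profile'] ?? '';
    // ENT_QUOTES encodes both " and ' ; the explicit charset avoids
    // encoding-dependent bypasses.
    $safe = htmlspecialchars($profile, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="profile">' . $safe . '</div>';
}

// --- Hardened pattern 2: parameterised query, errors never reflected ---
function fetch_filtered(mysqli $db, string $filter): array {
    // Escape LIKE wildcards so the user cannot widen the match, then bind the
    // pattern as data; it is never parsed as SQL.
    $pattern = '%' . addcslashes($filter, '%_\\') . '%';
    $stmt = $db->prepare("SELECT id, title FROM entries WHERE title LIKE ?");
    if ($stmt === false) {
        // Log $db->error server-side; return a generic failure to the client
        // rather than reflecting the database message into the response.
        error_log('prepare failed: ' . $db->error);
        return [];
    }
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

Requiring 'Author' privileges (as the advisory notes) limits who can reach the injection point but is not a fix; the output encoding and the prepared statement are.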

Patch Availability:
http://getsymphony.com/download/releases/version/2.2.4/

CVE Information:
CVE-2011-4340

Disclosure Timeline:
Release Date: 03 Nov 2011
Last Change: 20 Feb 2012
