Hi, I would like to report 6 SQL Injection vulnerabilities identified in the latest version of the CMS.
Vulnerability 1: block_order injection at blocks.php
Vulnerable code (blocks.php):

```php
function run()
{
    global $layout;
    global $DB;
    global $website;
    $out = '';
    $item = new block();
    switch($_REQUEST['act'])
    {
        case 'load':
        case 'edit':
        case 2:
            if(!empty($_REQUEST['id']))
            {
                $item->load(intval($_REQUEST['id']));
            }
            if(isset($_REQUEST['form-sent']))
            {
                $item->load_from_post();
                try
                {
                    naviforms::check_csrf_token();
                    $item->save();
                    property::save_properties_from_post('block', $item->id);
                    $id = $item->id;
                    // set block order
                    if(!empty($item->type) && !empty($_REQUEST['blocks-order']))
                    {
                        block::reorder($item->type, $_REQUEST['blocks-order'], $_REQUEST['blocks-order-fixed']); // step into
                    }
```
which triggers block.class.php:

```php
public static function reorder($type, $order, $fixed)
{
    global $DB;
    global $website;
    $item = explode("#", $order); // explode order by '#'
    for($i=0; $i < count($item); $i++)
    {
        if(empty($item[$i]))
        {
            continue;
        }
        $block_is_fixed = ($fixed[$item[$i]]=='1' ? '1' : '0');
        // trigger here: $item[$i] is taken straight from the request and concatenated into the query
        $ok = $DB->execute(' UPDATE nv_blocks SET position = '.($i+1).', fixed = '.$block_is_fixed.' WHERE id = '.$item[$i].' AND website = '.$website->id);
```
An attacker can inject into block-order through an HTTP request. A sample request:
This is reflected in the backend database result. I didn't further justify the SQL injection outcomes, but clearly an attacker can run arbitrary SQL queries.
Vulnerability 2: id at items.php
Vulnerable code (items.php):

```php
// package/lib/packages/items/items.php
function run()
{
    global $layout;
    global $DB;
    global $website;
    global $theme;
    global $user;
    $out = '';
    $item = new item();
    switch($_REQUEST['act'])
    {
        case "change_comment_status": // change comment status
            if(empty($_REQUEST['id']))
            {
                echo "false";
                core_terminate();
            }
            switch($_REQUEST['opt'])
            {
                case 'publish':
                    $DB->execute('
                        UPDATE nv_comments
                        SET status = 0
                        WHERE website = '.$website->id.' AND
                              id = '.$_REQUEST['id']);
                    break;
                case 'unpublish':
                    $DB->execute('
                        UPDATE nv_comments
                        SET status = 1
                        WHERE website = '.$website->id.' AND
                              id = '.$_REQUEST['id']);
                    break;
                case 'delete':
                    $DB->execute('
                        DELETE FROM nv_comments
                        WHERE website = '.$website->id.' AND
                              id = '.$_REQUEST['id']);
                    break;
            }
```

An attacker can use a request similar to:
Vulnerability 3: products_order at products.php
Vulnerable code (products.php):

```php
// package/lib/packages/products/products.php
function run()
{
    global $layout;
    global $DB;
    global $website;
    global $theme;
    global $user;
    $out = '';
    $item = new product();
    switch($_REQUEST['act'])
    {
        case 'products_order':
            if(!empty($_POST['products-order']))
            {
                if(naviforms::check_csrf_token('header'))
                {
                    // save new order
                    $response = product::reorder($_POST['products-order']);
                    if($response!==true)
                    {
                        echo $response['error'];
                    }
                    else
                    {
                        echo 'true';
                    }
                }
            }
```

Then it triggers product::reorder.
Vulnerability 4: id in products.php
Vulnerable code (products.php):

```php
// package/lib/packages/products/products.php
        case "change_comment_status":
            if(empty($_REQUEST['id']))
            {
                echo "false";
                core_terminate();
            }
            switch($_REQUEST['opt'])
            {
                case 'publish':
                    $DB->execute('
                        UPDATE nv_comments
                        SET status = 0
                        WHERE website = '.$website->id.' AND
                              id = '.$_REQUEST['id']);
                    break;
                case 'unpublish':
                    $DB->execute('
                        UPDATE nv_comments
                        SET status = 1
                        WHERE website = '.$website->id.' AND
                              id = '.$_REQUEST['id']);
                    break;
                case 'delete':
                    $DB->execute('
                        DELETE FROM nv_comments
                        WHERE website = '.$website->id.' AND
                              id = '.$_REQUEST['id']);
                    break;
            }
```

An attacker can easily craft something like this to trigger the vulnerability:
Vulnerability 5: property::reorder at templates.php
Vulnerable code:
Then step into

Vulnerability 6: children_order at structure.php
Vulnerable code:
Then steps into structure.class.php:

```php
// package/lib/packages/structure/structure.class.php
public static function reorder($parent, $children)
{
    global $DB;
    global $website;
    $children = explode("#", $children);
    for($i=0; $i < count($children); $i++)
    {
        if(empty($children[$i]))
        {
            continue;
        }
        // $children[$i] is concatenated into the WHERE clause without escaping or casting
        $ok = $DB->execute('UPDATE nv_structure SET position = '.($i+1).' WHERE id = '.$children[$i].' AND parent = '.intval($parent).' AND website = '.$website->id);
        if(!$ok)
        {
            return array("error" => $DB->get_last_error());
        }
    }
    return true;
}
```

An attacker can easily craft a request as below to cause the injection: http://localhost/navigate/navigate.php?fid=structure&act=reorder&parent=1&children=abc%20or%201=1
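All six reports share one pattern: a request value is split on `#` (or read directly from `$_REQUEST['id']`) and each piece is concatenated into an UPDATE or DELETE. The following is an added example, not Navigate CMS code, showing how the structure::reorder case can be written so every id is validated as a plain integer and bound as a parameter; the PDO handle and the true/array return contract are assumptions.

```php
<?php
// Added example (not Navigate CMS code): hardened version of the reorder pattern.
// Assumes a PDO connection $pdo and the nv_structure table seen in the report.

/**
 * Parse a "#"-separated order string into a list of positive integers.
 * Returns null if any non-empty token is not a plain decimal id, so a value
 * such as "abc or 1=1" is rejected before any query is built.
 */
function parse_order_list(string $order): ?array
{
    $ids = [];
    foreach (explode('#', $order) as $token) {
        if ($token === '') {
            continue; // same skip-empty behaviour as the original loop
        }
        if (!ctype_digit($token)) {
            return null; // anything but digits is not an id
        }
        $ids[] = (int) $token;
    }
    return $ids;
}

/**
 * Apply the new order with a prepared statement; the id never becomes SQL text.
 * Returns true on success or array("error" => ...) like the original function.
 */
function reorder_children_safe(PDO $pdo, int $parent, int $websiteId, string $children)
{
    $ids = parse_order_list($children);
    if ($ids === null) {
        return ['error' => 'children order contains a non-numeric id'];
    }
    $stmt = $pdo->prepare(
        'UPDATE nv_structure SET position = :pos WHERE id = :id AND parent = :parent AND website = :website'
    );
    foreach ($ids as $i => $id) {
        $ok = $stmt->execute([
            ':pos' => $i + 1, ':id' => $id, ':parent' => $parent, ':website' => $websiteId,
        ]);
        if (!$ok) {
            return ['error' => implode(' ', $stmt->errorInfo())];
        }
    }
    return true;
}
```

With this shape, `parse_order_list('1#2#3')` yields `[1, 2, 3]` while `parse_order_list('abc or 1=1')` yields null and the request is refused; the same two steps (validate, then bind) apply to the `$_REQUEST['id']` comment queries in items.php and products.php.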