Hi, I would like to report 6 SQL injection vulnerabilities identified in the latest version of the CMS (the exact version or commit tested is not stated below and should be added so the fix can be verified against it). Every snippet below shows the same pattern: a request parameter is concatenated, unescaped and uncast, into a SQL string passed to `$DB->execute()`.
Vulnerability 1: `blocks-order` parameter injection at blocks.php
Vulnerable code, blocks.php (the `run()` function is shown only up to the `block::reorder()` call):
function run()
{
global $layout;
global $DB;
global $website;
$out = '';
$item = new block();
switch($_REQUEST['act'])
{
case 'load':
case 'edit':
case 2:
if(!empty($_REQUEST['id']))
{
$item->load(intval($_REQUEST['id']));
}
if(isset($_REQUEST['form-sent']))
{
$item->load_from_post();
try
{
naviforms::check_csrf_token();
$item->save();
property::save_properties_from_post('block', $item->id);
$id = $item->id;
// set block order
if(!empty($item->type) && !empty($_REQUEST['blocks-order']))
{
block::reorder($item->type, $_REQUEST['blocks-order'], $_REQUEST['blocks-order-fixed']); //step into
}
which calls `block::reorder($item->type, $_REQUEST['blocks-order'], $_REQUEST['blocks-order-fixed'])` in block.class.php; the method is shown up to the vulnerable `UPDATE`:
publicstaticfunction reorder($type, $order, $fixed)
{
global$DB;
global$website;
$item = explode("#", $order);//explore order by '#'
for($i=0; $i < count($item); $i++)
{
if(empty($item[$i]))
{
continue;
}
$block_is_fixed = ($fixed[$item[$i]]=='1'? '1' : '0');
$ok = $DB->execute(' UPDATE nv_blocks SET position = '.($i+1).', fixed = '.$block_is_fixed.' WHERE id = '.$item[$i].'// trigger here AND website = '.$website->id
An attacker who can reach this handler controls `blocks-order`; each `#`-separated element is concatenated unescaped into `WHERE id = ...`. Note that the call sits after `naviforms::check_csrf_token()`, so the request must carry a valid token, i.e. come from a logged-in backend session. The companion `blocks-order-fixed` array is only used through a comparison that yields `'1'`/`'0'`, so it is not injectable. A sample request:
The injected fragment reaches the database. The outcome was not investigated further, but because the value is spliced directly into an `UPDATE` statement, an attacker holding a valid session can run arbitrary SQL within what the driver permits (for example, whether stacked queries are accepted).
Vulnerability 2: `id` injection at items.php (`change_comment_status` action)
Vulnerable code, items.php (the `publish`, `unpublish` and `delete` branches all interpolate `$_REQUEST['id']` directly):
//package/lib/packages/items/items.php
function run()
{
global $layout;
global $DB;
global $website;
global $theme;
global $user;
$out = '';
$item = new item();
switch($_REQUEST['act'])
{
case "change_comment_status": // change comment status
if(empty($_REQUEST['id']))
{
echo "false";
core_terminate();
}
switch($_REQUEST['opt'])
{
case 'publish':
$DB->execute('
UPDATE nv_comments
SET status = 0
WHERE website = '.$website->id.' AND
id = '.$_REQUEST['id']);
break;
case 'unpublish':
$DB->execute('
UPDATE nv_comments
SET status = 1
WHERE website = '.$website->id.' AND
id = '.$_REQUEST['id']);
break;
case 'delete':
$DB->execute('
DELETE FROM nv_comments
WHERE website = '.$website->id.' AND
id = '.$_REQUEST['id']);
break;
}
Vulnerability 3: `products-order` at products.php. Vulnerable code (the `product::reorder()` it calls is not shown here; by analogy with `structure::reorder()` below it presumably splits on `#` and interpolates each id — confirm against the source):
//package/lib/packages/products/products.php
function run()
{
global $layout;
global $DB;
global $website;
global $theme;
global $user;
$out = '';
$item = new product();
switch($_REQUEST['act'])
{
**case 'products_order':**
if(!empty($_POST['products-order']))
{
if(naviforms::check_csrf_token('header'))
{
// save new order
$response = product::reorder($_POST['products-order']);
if($response!==true)
{
echo $response['error'];
}
else
{
echo 'true';
}
}
}
Vulnerability 4: `id` at products.php (`change_comment_status`, the same code as Vulnerability 2):
//package/lib/packages/products/products.php
case "change_comment_status":
if(empty($_REQUEST['id']))
{
echo "false";
core_terminate();
}
switch($_REQUEST['opt'])
{
case 'publish':
$DB->execute('
UPDATE nv_comments
SET status = 0
WHERE website = '.$website->id.' AND
id = '.$_REQUEST['id']);
break;
case 'unpublish':
$DB->execute('
UPDATE nv_comments
SET status = 1
WHERE website = '.$website->id.' AND
id = '.$_REQUEST['id']);
break;
case 'delete':
$DB->execute('
DELETE FROM nv_comments
WHERE website = '.$website->id.' AND
id = '.$_REQUEST['id']);
break;
}
An attacker can trigger this with a request carrying `opt=publish`, `unpublish` or `delete` and a crafted `id` (the sample request is not reproduced here). In the snippet shown, `empty($_REQUEST['id'])` is the only validation and there is no CSRF token check on this path, unlike `products_order`; confirm whether `run()` enforces one before the `switch`.
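//package/lib/packages/structure/structure.class.php
/**
 * Persist a new ordering for the children of a structure node.
 *
 * @param mixed  $parent   id of the parent node; cast to int before use
 * @param string $children "#"-separated list of child ids in the desired
 *                         order (untrusted: arrives straight from the request)
 * @return true|array      true on success, or array("error" => message) for
 *                         the first UPDATE that fails
 */
public static function reorder($parent, $children)
{
    global $DB;
    global $website;

    $parent_id = intval($parent);
    $ids = explode("#", $children);

    for($i=0; $i < count($ids); $i++)
    {
        // Cast each id to an integer before it reaches the query. The previous
        // code concatenated the raw string into "WHERE id = ...", which is an
        // SQL injection (e.g. children=abc%20or%201=1). Empty, "0" and
        // non-numeric elements cast to 0 and are skipped, as empty() skipped
        // them before.
        $child_id = intval($ids[$i]);
        if($child_id <= 0)
        {
            continue;
        }

        // Position is 1-based and follows the index in the submitted list, so
        // a skipped element still consumes a slot (unchanged behaviour).
        $ok = $DB->execute('UPDATE nv_structure SET position = '.($i+1).' WHERE id = '.$child_id.' AND parent = '.$parent_id.' AND website = '.intval($website->id));
        if(!$ok)
        {
            return array("error" => $DB->get_last_error());
        }
    }

    return true;
}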
An attacker can trigger it with a request such as: http://localhost/navigate/navigate.php?fid=structure&act=reorder&parent=1&children=abc%20or%201=1 — the statement built from it is `UPDATE nv_structure SET position = 1 WHERE id = abc or 1=1 AND parent = 1 AND website = <id>`: `parent` is protected by `intval()`, `children` is not. (The structure.php handler that forwards `children` to `structure::reorder()` is not shown here.)
Hi, I would like to report 6 SQL Injection vulnerabilities identified in the latest version of the CMS.
Vulnerability 1:
block_order
injection at blocks.php
vulnerable code:
blocks.php
which triggers
block.class.php
Attacker can inject in
block-order
through the HTTP request. A sample request (not reproduced here) reaches the database; the outcome was not investigated further, but the value is spliced directly into the SQL statement, so an attacker with a valid session can run arbitrary SQL.
Vulnerability 2:
id
at items.php
Vulnerable code
item.php
: an attacker can use a request similar to:
Vulnerability 3:
products_order
at products.php
Vulnerable code
Then it triggers
Vulnerability 4:
id
in products.php
Vulnerable code:
Attacker can easily craft something like this to trigger the vulnerability
Vulnerability 5:
property::reorder
at templates.php
vulnerable code:
Then step into
Vulnerability 6:
children_order
at structure.php
Vulnerable code:
Then steps into
An attacker can trigger it with a request such as the following (`parent` is protected by `intval()` in `structure::reorder()`, `children` is not):
http://localhost/navigate/navigate.php?fid=structure&act=reorder&parent=1&children=abc%20or%201=1