SQL Injection in Code Igniter used by PyroCMS

[stevenseeley]

Given that the bug is actually in Code Igniter and has been patched some time ago (2 years actually) see: nonchip/CodeIgniter@e273dc5, you should really update the version of Code Igniter.

The following Proof of Concept demonstrates exploitation of the vulnerability, although currently administrative access is required:

POST /pyro/index.php/admin/blog HTTP/1.1
Host: [target]
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Cookie: 172_csrf_cookie_name=2fd4b318821f87d4c2352ea609416dfe; 172_identity=unknown%40gmail.comcbe393e5f87e77fd35; 172_remember_code=7321948492007078a2c9a60d012ad8b18d5c6105
Content-Length: 62

csrf_hash_name=2fd4b318821f87d4c2352ea609416dfe&f_keywords=a%’+or+1=sleep(10)#%

Kind regards,

Steven Seeley

[philsturgeon]

1. If your admins are trying to hack your database then you should probably fire those admins.
2. You have not specified a version. We don't arbitrarily upgrade CodeIgniter throughout the lifetime of a PyroCMS 2.x branch, so if this is v2.2 then of course CodeIgniter is a little old. It was on the latest official release of CodeIgniter at the time, and they haven't had any official releases in a while.
3. This is not how you report security issues, regardless of their size or impact.

[stevenseeley]

1. What is if its not your admins?
2. '2.2.3 community edition', I always test the latest
3. I don't care how you think I should report them, you are even lucky I am reporting them in the first place.

Its fine, I have other more 'critical' vulnerabilities that I will not share with you, I'm happy to just keep them private or maybe I will just release a fully weaponized exploit just, you know, for your weeping pleasure.

[RyanThompson]

Hey @Net-ninja - thanks for the heads up man. If you would like to share them directly - feel free to email me at ryan@aiwebsystems.com - I will be glad to review and share with the team.

Kinds regards,

Ryan

[philsturgeon]

@Net-ninja: It is incredibly standard practice across open-source to report potential security bugs to the development team in a responsible manner.

Maybe we should put together a page like Drupal, so that people know that?

https://drupal.org/security-team/report-issue

Regardless, if you would like to send us an email then that would be very much appreciated. You can address it to phil@pyrocms.com or get in touch with Ryan. Either way please do not post security issues publicly or you are putting people at risk, which is reckless and selfish.

[philsturgeon]

I have tested this out, confirmed the issue is in 2.2/develop, and pushed a fix to that branch. We'll be releasing 2.2.4 very soon, so this will not be a problem for long.

That said I did have trouble trying to find effective attack vectors. Thanks to CodeIgniter being completely unable to allow multiple queries, early termination is ineffective as it just calls it a syntax error. We are safe from our admins trying to bobby tables the website, and they are unable to expose information due to the placement of the item being a where condition.

Definitely a problem, definitely something that should be fixed, definitely worth pointing it out, but any of our users that wander onto this issue should not be scared. Your admin users (or moderators) could potentially spam your DB with a fair few sleep requests and max out the DB connections, but nothing too destructive it seems.

This is yet another reason why jumping ship on CodeIgniter is a great idea. Their DB system has been plagued with bugs for a while, and this issue is not something that surprises me too much.

[stevenseeley]

@RyanThompson Np buddie, any bug I come up with I will report to you its a shame you work with people like @philsturgeon. 'admin bobby tables, sheesh'.

@philsturgeon If I get a chance, i'll write that remote exploit and share it with a few friends :-) ill make sure it affects the 'Professional' edition too.

[philsturgeon]

I am not particularly sure what your problem here is Steven?—
Sent from Mailbox

On Fri, Apr 25, 2014 at 9:48 PM, Steven Seeley notifications@github.com
wrote:

@RyanThompson Np buddie, any bug I come up with I will report to you its a shame you work with people like @philsturgeon. 'admin bobby tables, sheesh'.

@philsturgeon If I get a chance, i'll write that remote exploit and share it with a few friends :-) ill make sure it affects the 'Professional' edition too.

Reply to this email directly or view it on GitHub:
#3278 (comment)

[ryun]

Hey @Net-ninja, so you know how to run metasploit-framework whoop!, does that give you any real power or knowledge.. no.. so get off your high-horse, and be apart of the community.

NOTE: Usually you would report it to the vendor(PyroCMS) in private first, and give them proper time to fix it before you release it to the public..

[RyanThompson]

There is no high horse about it. He wants to be treated with the same respect as any other human being.

I am what I would consider a pretty damn good developer and even better businessman and leader. I know all about preventing vulnerabilities but not much at all about sniffing them out or exploring them let alone formulating an attack on one.

So if I were to do the same thing.. I'd be somewhat pissed at the general response too.

This skill, in my opinion is of great value and any information on this front should be swiftly met with a kind thank you first and foremost. Along with some probing questions if needed and a kind reminder to keep this out of the public eye.

I would have posted it here. I don't know any better. It's not my thing.

Furthermore we don't have a security section, a security email even and our contribution says it should come through GitHub and codeigniter is grossly outdated. Shame on us for that matter.

Can't assume he knows. So say thanks, remind / inform him and see about deleting he public view and make it easier going forward.

That's what I have to say about it anyways..

[philsturgeon]

Maybe it's my mistake. I thought it was generally an understood norm in the industry that you don't post security issues in a public forum.

I've discovered bugs in other systems and just poked people via email. We've had a few people do the same over the years. It's never been a problem and I've never faced any confusion on the subject.

I'm not trying to give anyone a hard time, but there is obvious frustration that somebody would post a security issue directly online. This was the second in a day and the first guy posted a blog about it!

When I pointed this out here the response was a combination of weird threats and promises of attacks. Not sure what that is all about. If it's because I didn't put enough thank your in my response then I'm sorry about that.

I don't like threats, but I appreciate contributions in any form.

Cheers.
—
Sent from Mailbox

On Sat, Apr 26, 2014 at 12:50 AM, Ryan Thompson notifications@github.com
wrote:

There is no high horse about it. He wants to be treated with the same respect as any other human being.
I am what I would consider a pretty damn good developer and even better businessman and leader. I know all about preventing vulnerabilities but not much at all about sniffing them out or exploring them let alone formulating an attack on one.
So if I were to do the same thing.. I'd be somewhat pissed at the general response too.
This skill, in my opinion is of great value and any information on this front should be swiftly met with a kind thank you first and foremost. Along with some probing questions if needed and a kind reminder to keep this out of the public eye.
I would have posted it here. I don't know any better. It's not my thing.
Furthermore we don't have a security section, a security email even and our contribution says it should come through GitHub and codeigniter is grossly outdated. Shame on us for that matter.
Can't assume he knows. So say thanks, remind / inform him and see about deleting he public view and make it easier going forward.

That's what I have to say about it anyways..

Reply to this email directly or view it on GitHub:
#3278 (comment)

[stevenseeley]

@RyanThompson You couldnt be more spot on.

1. I didn't know where to submit security issues, and given the impact of of the vulnerability as @philsturgeon so delicately pointed out, its not as if admins are going to really compromise the host, that is, if its actually admins who have backend access.
2. @RyanThompson Any further issues I will be sure to report via your email and provide proper patches for, thank you for being understanding.
3. @philsturgeon There is no 'norm' for reporting security issues. You have to understand that I reported it out of good faith, if I had known of a security@ mailing address, you can be assured I would have just sent a private email. I actually don't report most of my findings.
4. @philsturgeon lol @ your 'metasploit' comment, considering I actually develop for several private exploit kits. Also, if you don't want threats, think about how you react next time and the 'tone' you use.

kind regards,

mr_me

[philsturgeon]

Well, hang on. You say "There is no 'norm' for reporting security issues." but then you say "if I had known of a security@ mailing address, you can be assured I would have just sent a private email", so... there is a norm, and if it isn't a norm for the industry then you do at least know yourself that these things should not be done publicly. :)

lol @ your 'metasploit' comment

I didn't say anything about "metasploit", you're thinking of @ryun.

Anyway, you've seen offense in something I've said, which is unfortunate.

Thank you again for your contribution. I'll have security@pyrocms.com point to me, and list something in the contribution.md immediately.

[stevenseeley]

Glad we are all sorted.