Symphony CMS "fields[username]" and "sort" SQL Injection

by Carol~ Moderator - 4/4/13 12:11 PM

In Reply to: VULNERABILITIES / FIXES - April 04, 2013 by Carol~ Moderator

Symphony CMS "fields[username]" and "sort" SQL Injection Vulnerabilities

Release Date : 2013-04-04

Criticality level : Less critical
Impact : Manipulation of data
Where : From remote
Solution Status: Unpatched

Software: Symphony CMS 2.x

Description:
Two vulnerabilities have been discovered in Symphony CMS, which can be exploited by malicious users to conduct SQL injection attacks.

1) Input passed via the "fields[username]" POST parameter to symphony/system/authors/edit is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed via the "sort" GET parameter to symphony/system/authors is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities are confirmed in version 2.3.2. Other versions may also be affected.

Solution:
No official solution is currently available.

Provided and/or discovered by:
1) Eldar "Wireghoul" Marcussen
2) High-Tech Bridge SA

Original Advisory:
Eldar "Wireghoul" Marcussen:
http://www.exploit-db.com/exploits/22039/

HTB23148:
https://www.htbridge.com/advisory/HTB23148

http://secunia.com/advisories/52840/
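
The two parameters in the advisory need different handling on the defensive side: "fields[username]" is a value and can be bound as a query parameter, while "sort" selects a column and has to go through an allow-list because placeholders cannot stand in for identifiers. The sketch below is an added example, not part of the original advisory and not Symphony CMS code; the `authors` table, its columns, the function names and the sample rows are assumptions made for illustration, and it uses PDO with an in-memory SQLite database.

```php
<?php
// Added illustration, not Symphony CMS code. Table, columns and function
// names are hypothetical; the rows are constructed sample data.
declare(strict_types=1);

function demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE authors (id INTEGER PRIMARY KEY, username TEXT UNIQUE, email TEXT)');
    $db->exec("INSERT INTO authors (username, email) VALUES
               ('alice', 'alice@example.test'), ('bob', 'bob@example.test')");
    return $db;
}

// Value input (the "fields[username]" case): bind it, never concatenate it.
function rename_author(PDO $db, int $id, string $username): int {
    $stmt = $db->prepare('UPDATE authors SET username = :u WHERE id = :id');
    $stmt->execute([':u' => $username, ':id' => $id]);
    return $stmt->rowCount();
}

// Identifier input (the "sort" case): a placeholder cannot represent a column
// name, so the request value is only used as a key into a fixed allow-list.
function list_authors(PDO $db, string $sort, string $order = 'asc'): array {
    $columns = ['id' => 'id', 'username' => 'username', 'email' => 'email'];
    $column = $columns[$sort] ?? 'id';                      // unknown value: default column
    $direction = strtolower($order) === 'desc' ? 'DESC' : 'ASC';
    // Only strings taken from the allow-list above reach the SQL text.
    $sql = "SELECT id, username FROM authors ORDER BY $column $direction";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

$db = demo_db();

// A quote character in the value is stored as data, not parsed as SQL.
rename_author($db, 2, "o'brien");

// A recognised sort key is honoured.
print_r(list_authors($db, 'username', 'desc'));

// An unrecognised sort key falls back to ordering by id.
print_r(list_authors($db, 'no_such_column'));
```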