Just Another Hacker
Author's avatar

Symphony cms - Multiple vulnerabilities

By Eldar Marcussen

Symphony is an XSLT-powered open source content management system. [ Taken from: http://getsymphony.com/ ]

Vulnerability description

Symphony-cms version 2.3 is vulnerable to several vulnerabilities ranging in severity from low to high and can result in complete compromise by an unauthenticated attacker.

  • Discovered by: Eldar “Wireghoul” Marcussen
  • Vendor: Symphony - http://getsymphony.com
  • Affected versions: 2.3 (and possibly earlier)

Local patch disclosure

Direct requests to library files will disclose the full local file path if php is configured to display errors due to the reliance on the library path being declared in a constant of global scope outside of the library script.

PoC: http://host/path/symphony/lib/boot/bundle.php

User enumeration

The retrive password url http://host/path/symphony/login/retrieve-password/ will display a helpful error message if the email address entered does not exist in the database.

Authentication token brute force

Symphony-cms allows a user to login without entering their username and password via a remote auth url that contains a token made up of the first 8 characters of a sha1 hash of the user’s username and hashed password.

If a user has auth_token_active set to yes in the sym_authors table an attacker can login to their account by brute forcing a key of [0-9A-F]^8 length.

The url http://host/path/symphony/login/[token]/ ie: http://host/path/symphony/login/a39880be/ for the user “admin” with password “admin”.

Cross site scripting

Reflected: The email input field supplied to http://host/path/symphony/login/retrieve-password/ is not sufficiently filtered for malicious characters resulting in reflected cross site scripting.

PoC: Submit form with email address: ">

Reflected: The email input field supplied to http://host/path/symphony/login/ is not sufficiently filtered for malicious characters resulting in reflected cross site scripting.

PoC: username=%22%3E%3C%2Finput%3E%3Cscript%3Ealert%28%27k63ddgb6ra%27%29%3C%2Fscript%3E&password=on

Persistent: The “From name” preference setting in Symphony-cms (http://host/path/symphony/system/preferences/) is not sufficiently encoded resulting in persistent cross site scripting.

PoC: settings%5Bemail_sendmail%5D%5Bfrom_name%5D=Symphony%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Blind sql injection

The username field in the authors detail page is not sufficiently filtered when checking is the username already exists in the system. Resulting in blind sql injection.

PoC: Edit an author’s profile, update the username to include a malicious payload, ie: username’ union select “” FROM sym_authors INTO OUTFILE ’/var/www/workspace/haxed.php where the path to your outfile is based on the local path disclosure.

SQL Injection

The “page” number supplied when editing blueprints is vulnerable to sql injection.

We can retrieve a users username, hashed password and auth token status with the following PoC: http://host/path/symphony/bluePRINTs/pages/edit/0%29+union+select+1,2,username,password,5,auth_token_active,7,8,9+from+sym_authors+where+id+=+1+--+/

Unrestricted file upload

While this appears to be intended functionality for authorised users, combined with the aforementioned vulnerabilities it becomes trivial to place a backdoor on the system.

Solution

Upgrade to version 2.3.1.

Disclosure time line

  • 17-Oct-2012 - Public disclosure
  • 03-Oct-2012 - Issues patched in upcoming release
  • 18-Sep-2012 - Patch checked into git
  • 17-Sep-2012 - Vendor response
  • 14-Sep-2012 - Vendor notified through email

graudit

Static source code analysis tool for finding vulnerabilities in source code.

htshells

Self contained attacks against per directory configuration in web servers.

PHP omelette

Code obfuscation tool for bypassing web application firewalls.

More

All of the project information on one page!

⠓⠁⠉⠅⠑⠗