ITAS Team found out multiple SQL Injection vulnerabilities in Sefrengo CMS v1.6.1

ITAS Team found out multiple SQL Injection vulnerabilities in Sefrengo CMS v1.6.1

ITAS Team found out multiple SQL Injection vulnerabilities in Sefrengo CMS v1.6.1. The issues are due to the some scripts not properly sanitizing user-supplied input-data. These SQL injection vulnerabilities allow (1) remote attackers to execute arbitrary SQL commands via the sefrengo cookie in a login to backend/main.php or (2) remote authenticated users to execute arbitrary SQL commands via the value_id parameter in a save_value action to backend/main.php.
Individuals and organizations are using this CMS should note and update to date the latest version.

Vulnerability information:
– Vulnerability: SQL Injection
– Vendor: http://www.sefrengo.org/
– Download link: http://forum.sefrengo.org/index.php?showtopic=3368 (https://github.com/sefrengo-cms/sefrengo-1.x/tree/22c0d16bfd715631ed317cc990785ccede478f07)
– Affected version: Sefrengo CMS v1.6.1
– Fixed version: Sefrengo CMS v1.6.2
– CVE ID: CVE-2015-1428
– Author: Nguyen Hung Tuan (tuan.h.nguyen@itas.vn) & ITAS Team (www.itas.vn)

::VULNERABILITY DETAIL::
POST /sefrengo/backend/main.php?idcatside= HTTP/1.1
Host: itaslab.vn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://itaslab.vn/sefrengo/backend/main.php
Cookie: browserspy_js=1; sefrengo=[SQL INJECTION HERE]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 707

username=abc&password=abc&Submit=Login+%C2%BB&sid_sniffer=5%2C5%2Ctrue%2Cfalse%2Cfalse%2Cfalse%2
Ctrue%2Cfalse%2Ctrue%2Ctrue%2Ctrue%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2C
false%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse
%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2C1.5%2Ctrue%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse
%2Cfalse%2Ctrue%2Ctrue%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse
%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse
%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Ctrue%2Ctrue%2Cfalse&response=
&area=con

– Vulnerable file: /backend/external/phplib/ct_sql.inc
– Vulnerable function: function ac_get_value($id, $name)
– Vulnerable parameter: $id
– Vulnerable code:
function ac_get_value($id, $name) {
global $cms_db;
$this->db->query(sprintf(“select val from %s where sid = ‘%s’ and name = ‘%s’”,
$cms_db[‘sessions’],
$id,
addslashes($name)));
if ($this->db->next_record()) {
$str = $this->db->f(“val”);
$str2 = base64_decode( $str );

if ( ereg(“^”.$name.”:.*”, $str2) ) {
$str = ereg_replace(“^”.$name.”:”, “”, $str2 );
} else {

$str3 = stripslashes( $str );

if ( ereg(“^”.$name.”:.*”, $str3) ) {
$str = ereg_replace(“^”.$name.”:”, “”, $str3 );
} else {

switch ( $this->encoding_mode ) {
case “slashes”:
$str = stripslashes($str);
break;

case “base64”:
default:
$str = base64_decode($str);
}
}
};
return $str;
};
return “”;
}

Demonstration video

Link 2

POST /sefrengo/backend/main.php HTTP/1.1
Host: itaslab.vn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://itaslab.vn/sefrengo/backend/main.php?area=settings&action=edit&vid=4491
Cookie: browserspy_js=1; sefrengo=8167bb07461d09b026b28179f7863562
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 112

value_to_save=45&sefrengo=8167bb07461d09b026b28179f7863562&area=settings&action=save_value&value_id=[SQL INJECTION HERE]&x=6&y=8

– Vulnerable file:
– Vulnerable function: function set_value($mixed)
– Vulnerable parameter: vid
– Vulnerable code:
function set_value($mixed)
{
global $cms_db, $db;
//build query
$sql_group = (empty($mixed[‘group’])) ? 0: ”.$mixed[‘group’];
$sql_client = (empty($mixed[‘client’])) ? ”: ‘AND idclient IN (‘. $mixed[‘client’] .’)’;
$sql_lang = (empty($mixed[‘lang’])) ? ”: ‘AND idlang IN (‘. $mixed[‘lang’] .’)’;
$sql_key = (empty($mixed[‘key’])) ? ”: ‘AND V.key1 = “‘. $mixed[‘key’] . ‘” ‘;
$sql_key2 = (empty($mixed[‘key2’])) ? ”: ‘AND V.key2 = “‘. $mixed[‘key2’] . ‘” ‘;
$sql_key3 = (empty($mixed[‘key3’])) ? ”: ‘AND V.key3 = “‘. $mixed[‘key3’] . ‘” ‘;
$sql_key4 = (empty($mixed[‘key4’])) ? ”: ‘AND V.key4 = “‘. $mixed[‘key4’] . ‘” ‘;
$sql_id = (empty($mixed[‘id’])) ? “”: “AND V.idvalues = ‘”. $mixed[‘id’] . “‘ “;
$sql = “SELECT *
FROM “. $cms_db[‘values’] .” AS V
WHERE V.group_name IN (‘$sql_group’)
$sql_client $sql_lang
$sql_key $sql_key2 $sql_key3 $sql_key4 $sql_id”;
//die($sql);
$db -> query($sql);
$count_rows = $db ->num_rows();
if($count_rows > 1){
echo $sql .’
Fehler in Klasse “cms_value_ct”. Es wurde mehr als ein Ergebnis gefunden. Anfrage ist nicht eindeutig’;
exit;
}
elseif($count_rows == 1){
$db -> next_record();
$mixed[‘id’] = $db -> f(‘idvalues’);
//echo “update”;
$this -> _update_by_id($mixed);
}
else{
$this -> insert($mixed);
}
}

Demonstration video

Information disclosure:
– 01/08/2015: Send the detail of vulnerabilities to vendor and Vendor confirmed
– 01/25/2015: Vendor releases patch
– 01/26/2015: ITAS Team publishes information
References:
– https://github.com/sefrengo-cms/sefrengo-1.x/commit/22c0d16bfd715631ed317cc990785ccede478f07
– http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1428