NavigateCMS / Navigate-CMS

Navigate CMS, a very powerful open source content management system for everybody.
http://www.navigatecms.com
GNU General Public License v2.0

SQL injection UNION attack with quicksearch parameter in NavigateCMS 2.9 #25

Closed hydrasky-team closed 3 years ago

hydrasky-team commented 3 years ago

EXPECTED BEHAVIOUR An authenticated malicious user can take advantage of a SQL injection UNION attack vulnerability with the quicksearch parameter in the URL.

IMPACT A successful SQL injection attack may result in the unauthorized viewing of user lists, the deletion of entire tables and, in certain cases, the attacker gaining administrative rights to a database, all of which are highly detrimental to a business.

VULNERABILITY CODE I found that the quicksearch parameter is not handled in the SQL query with the WHERE clause in \lib\packages\comments\comments.php


And the protect function in \lib\core\core.php does not use ESCAPE to filter special characters


Then it is used to query in: \lib\core\database.class.php


STEPS TO REPRODUCE

  1. We change the request in the URL

GET /navigate/navigate/navigate.php?fid=comments&act=json&_search=true&quicksearch=%25")+UNION+ALL+SELECT+DATABASE(),null,null,null,null,null,null,VERSION()%3b--&_search=false&nd=1623493056682&rows=30&page=1&sidx=date_created&sord=desc&filters=

  2. And then we could exploit all the data.

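The report above boils down to two defects: the search term is spliced into the WHERE clause as text, and the `protect` function does no LIKE-aware escaping. The following added example (not NavigateCMS code; the project itself is PHP, and this is a stand-alone Python/SQLite illustration with a constructed `comments` table whose columns are assumptions) shows the fix pattern: the SQL text is a constant, the term is bound as a parameter, and `%`/`_` are escaped with an ESCAPE clause so a search for `%` matches a literal percent sign instead of every row.

```python
import sqlite3

# Constructed sample data standing in for a comments table. The column
# names are assumptions for this example, not NavigateCMS's real schema.
SAMPLE_COMMENTS = [
    (1, "Great article, thanks!", "alice@example.test"),
    (2, "Got 100% of the way through", "bob@example.test"),
    (3, "second_try", "carol@example.test"),
]

# The query text never changes, whatever the user types: the two
# placeholders are bound by the driver, and ESCAPE '\' tells LIKE that a
# backslash-prefixed % or _ is a literal character.
SEARCH_SQL = (
    "SELECT id, message, email FROM comments "
    "WHERE (message LIKE ? ESCAPE '\\' OR email LIKE ? ESCAPE '\\') "
    "ORDER BY id"
)


def open_sample_db():
    """Create an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER, message TEXT, email TEXT)")
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)", SAMPLE_COMMENTS)
    return conn


def escape_like(term):
    """Escape LIKE metacharacters so the term is matched literally.

    The backslash is handled first; otherwise the backslashes added for
    % and _ would themselves be escaped a second time.
    """
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def build_quicksearch_query(term):
    """Return (sql, params). Only params vary with user input."""
    pattern = "%" + escape_like(term) + "%"
    return SEARCH_SQL, (pattern, pattern)


def quicksearch(conn, term):
    """Run the quicksearch with the term bound as a parameter, never concatenated."""
    sql, params = build_quicksearch_query(term)
    return conn.execute(sql, params).fetchall()


if __name__ == "__main__":
    db = open_sample_db()
    for term in ("great", "%", "_", '%") UNION ALL SELECT 1,2,3;--'):
        print(repr(term), "->", quicksearch(db, term))
```

The same structure carries over to the PHP code base: build the statement once with `PDO::prepare` (or `mysqli::prepare`), bind the escaped pattern with `bindValue`, and keep the `ESCAPE` clause in the SQL. Quote-escaping alone, as the reported `protect` function does, cannot stop a term that closes the parenthesised WHERE clause, because the term is still interpreted as part of the query text.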

NavigateCMS commented 3 years ago

Fixed by b2937f5839f25b7c16a2533ea668c1b202e9fc0c

Thank you very much @hydrasky-team