Secunia
Login
|
|
Secunia Research: SyndeoCMS Nine SQL Injection Vulnerabilities |
|
======================================================================
Secunia Research 20/04/2012
- SyndeoCMS Nine SQL Injection Vulnerabilities -
======================================================================
Table of Contents
Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10
======================================================================
1) Affected Software
* SyndeoCMS 3.0.00
NOTE: Other versions may also be affected.
======================================================================
2) Severity
Rating: Less Critical
Impact: Manipulation of Data
Where: Remote
======================================================================
3) Vendor's Description of Software
"A Content Management System (CMS) for primary schools, which helps
you manage and maintain your website. It can also be a very usefull
CMS for small companies or non profit organizations. It is Open Source
Software (that means free to use), licensed under the General Public
license. Syndeocms is my continuation of Site@School 2.4.10.".
Product Link:
http://www.syndeocms.org/
======================================================================
4) Description of Vulnerabilities
Secunia Research has discovered multiple vulnerabilities in SyndeoCMS,
which can be exploited by malicious users to conduct SQL injection
attacks.
1) Input passed via the "class[]" POST parameters (when editing a
teacher within the "Teacher" configuration), the "project[]" POST
parameters (e.g. when editing a pupil within the "Pupils & Groups"
configuration), the "sections" POST parameter (when editing an alert
within the "Alerts" configuration), the "send_email" POST parameter
(when editing a project within the "Projects" configuration), and the
"send_alerts" and "send_alerts_per_section" POST parameters (when
editing the configuration withing the "Alerts" configuration) to
starnet/index.php is not properly sanitised before being used in a SQL
query. This can be exploited to manipulate SQL queries by injecting
arbitrary SQL code.
Successful exploitation of these vulnerabilities requires access
rights to the respective "Configuration" sections.
2) Input passed via the "search_arg" POST parameter to
starnet/index.php (when using the "Search" functionality within the
"Newsletter" module) is not properly sanitised before being used in
SQL queries. This can be exploited to manipulate SQL queries by
injecting arbitrary SQL code.
3) Input passed via the "logging" POST parameter to starnet/index.php
(when creating a poll within the "Polls" module) is not properly
sanitised before being used in a SQL query. This can be exploited to
manipulate SQL queries by injecting arbitrary SQL code.
4) Input passed e.g. via the "article_content" POST parameter to
starnet/index.php (when editing an article within the "News" module)
is not properly sanitised in the "sanitize()" function (starnet/core
/common.inc.php) before being used in a SQL query. This can be
exploited to manipulate SQL queries by injecting arbitrary SQL code.
Successful exploitation of vulnerabilities #2 through #4 requires
access rights to the respective modules in "Module Manager".
======================================================================
5) Solution
Update to version 3.0.01.
======================================================================
6) Time Table
04/08/2011 - Requested security contact.
04/08/2011 - Vendor provides security contact.
06/08/2011 - Vendor notified.
23/09/2011 - Vendor releases version 3.0.
01/10/2011 - Vendor notified of incomplete fixes and
additional vulnerabilities.
24/11/2011 - Additional details provided to the vendor.
13/12/2011 - Requested status update.
29/12/2011 - Requested status update.
15/01/2012 - Vendor releases version 3.0.01.
20/04/2012 - Public disclosure.
======================================================================
7) Credits
Discovered by Secunia Research.
======================================================================
8) References
The Common Vulnerabilities and Exposures (CVE) project has not
currently assigned a CVE identifier for the vulnerabilities.
======================================================================
9) About Secunia
Secunia offers vulnerability management solutions to corporate
customers with verified and reliable vulnerability intelligence
relevant to their specific system configuration:
http://secunia.com/advisories/business_solutions/
Secunia also provides a publicly accessible and comprehensive advisory
database as a service to the security community and private
individuals, who are interested in or concerned about IT-security.
http://secunia.com/advisories/
Secunia believes that it is important to support the community and to
do active vulnerability research in order to aid improving the security
and reliability of software in general:
http://secunia.com/secunia_research/
Secunia regularly hires new skilled team members. Check the URL below
to see currently vacant positions:
http://secunia.com/corporate/jobs/
Secunia offers a FREE mailing list called Secunia Security Advisories:
http://secunia.com/advisories/mailing_lists/
======================================================================
10) Verification
Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2012-10/
Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/
======================================================================
|
|
