0day.today - Biggest Exploit Database in the World.
dotCMS 3.x SQL Injection Vulnerability
Risk: Security Risk High
Title: Multiple SQL injection vulnerabilities in dotCMS (8x CVE)
Credit: Elar Lang / https://security.elarlang.eu
Vendor/Product: dotCMS (http://dotcms.com/)
Vulnerability: SQL injection
Vulnerable version: before 3.5; 3.3.1 and 3.3.2 (depends on CVE)
CVE: CVE-2016-8902, CVE-2016-8903, CVE-2016-8904, CVE-2016-8905, CVE-2016-8906, CVE-2016-8907, CVE-2016-8908, CVE-2016-4040

# Multiple SQL injections in dotCMS framework.

## CVE-2016-8902 - categoriesServlet, sort

SQL injection vulnerability in the categoriesServlet in dotCMS before 3.3.1 allows remote unauthenticated attackers to execute arbitrary SQL commands via the sort parameter.

Preconditions: None. No authentication needed.

Proof-of-Concept URL, vulnerable parameter is "sort":
/categoriesServlet?start=0&count=10&sort=SQLi

## CVE-2016-8903 - "Templates pages", _EXT_13_orderby

SQL injection vulnerability in the "Site Browser > Templates pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_13_orderby parameter.

Preconditions: attacker must be authenticated.

Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Templates pages", click on some column title in the resultset table):
/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_13&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_13_struts_action=%2Fext%2Ftemplates%2Fview_templates&_EXT_13_pageNumber=1&_EXT_13_orderby=SQLi

## CVE-2016-8904 - "Containers pages", _EXT_12_orderby

SQL injection vulnerability in the "Site Browser > Containers pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_12_orderby parameter.

Preconditions: attacker must be authenticated.

Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Containers pages", click on some column title in the resultset table):
/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_12&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_12_struts_action=%2Fext%2Fcontainers%2Fview_containers&_EXT_12_pageNumber=1&_EXT_12_orderby=SQLi

## CVE-2016-8905 - JSONTags servlet, sort

SQL injection vulnerability in the JSONTags servlet in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the sort parameter.

Preconditions: attacker must be authenticated.

Proof-of-Concept:
/JSONTags?start=0&count=10&sort=tagname SQLi

## CVE-2016-8906 - "Links pages", _EXT_18_orderby

SQL injection vulnerability in the "Site Browser > Links page" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_18_orderby parameter.

Preconditions: attacker must be authenticated.

Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Links pages", click on some column title in the resultset table):
/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_18&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_18_struts_action=%2Fext%2Flinks%2Fview_links&_EXT_18_pageNumber=1&_EXT_18_orderby=SQLi

## CVE-2016-8907 - "Content Types", _EXT_STRUCTURE_orderBy and _EXT_STRUCTURE_direction

SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_STRUCTURE_orderBy and _EXT_STRUCTURE_direction parameters.

Preconditions: attacker must be authenticated.

Proof-of-Concept URL (from "Admin Site" UI: "Content Types > Content Types", click on some column title in the resultset table):
/c/portal/layout?p_l_id=56fedb43-dbbf-4ce2-8b77-41fb73bad015&p_p_id=EXT_STRUCTURE&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_STRUCTURE_struts_action=%2Fext%2Fstructure%2Fview_structure&_EXT_STRUCTURE_orderBy=SQLi&_EXT_STRUCTURE_direction=SQLi

## CVE-2016-8908 - "HTML pages", _EXT_15_orderby

SQL injection vulnerability in the "Site Browser > HTML pages" screen in dotCMS before 3.3.1 allows remote authenticated attackers to execute arbitrary SQL commands via the _EXT_15_orderby parameter.

Preconditions: attacker must be authenticated.

Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > HTML pages", click on some column title in the resultset table):
/c/portal/layout?p_l_id=b7ab5d3c-5ee0-4195-a17e-8f5579d718dd&p_p_id=EXT_15&p_p_action=0&p_p_state=maximized&p_p_mode=view&_EXT_15_struts_action=%2Fext%2Fhtmlpages%2Fview_htmlpages&_EXT_15_orderby=modDate,SQLi&_EXT_15_pageNumber=1

## CVE-2016-4040 - "Workflow", _EXT_15_orderby

SQL injection vulnerability in the "Workflow Screen" in dotCMS before 3.3.2 allows remote administrators to execute arbitrary SQL commands via the _EXT_15_orderby parameter.

Preconditions: attacker must be authenticated.

Proof-of-Concept URL (from "Admin Site" UI: "Home > Workflow tasks", click on some column title in the resultset table):
/html/portlet/ext/workflows/view_tasks_list.jsp?schemeId=&assignedTo=&createdBy=&stepId=&open=false&closed=true&keywords=&orderBy=SQLi&count=1&page=1

# Vulnerability Disclosure Timeline

2015-12-14 | me > dotCMS | 8 SQL injection vulnerabilities
2015-12-14 | dotCMS > me | they were planning fixes in upcoming release, estimated to beginning of 2016
2016-03-16 | dotCMS | dotCMS version 3.3.1 release (CVE-2016-4040 still not fixed)
2016-04-07 | me > dotCMS | what is the situation with reported vulnerabilities?
2016-04-07 | dotCMS > me | CVE-2016-4040 will be fixed in 3.5, which is estimated to be out in mid-April
2016-04-19 | dotCMS | dotCMS version 3.5 release
2016-05-10 | dotCMS | dotCMS version 3.3.2 release
2016-10-31 | me | Full Disclosure on http://security.elarlang.eu

# Related fixes and releases

https://dotcms.com/docs/latest/change-log#release-3.3.1
https://dotcms.com/docs/latest/change-log#release-3.5
https://dotcms.com/docs/latest/change-log#release-3.3.2

# 0day.today [2024-07-01] #
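
All eight findings sit in sort/order-by request parameters, so access logs of an instance that ran a vulnerable version can be triaged for values that are not a plain column list. The script below is an added example, not part of the original advisory or of dotCMS; the paths and parameter names come from the advisory, while the grammar for a legitimate sort value, the access-log format and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Paths and parameter names as listed in the advisory.
SORT_PARAMS = {
    "/categoriesServlet": {"sort"},
    "/JSONTags": {"sort"},
    "/c/portal/layout": {
        "_EXT_12_orderby", "_EXT_13_orderby", "_EXT_15_orderby", "_EXT_18_orderby",
        "_EXT_STRUCTURE_orderBy", "_EXT_STRUCTURE_direction",
    },
    "/html/portlet/ext/workflows/view_tasks_list.jsp": {"orderBy"},
}

# Assumed grammar for a legitimate value: comma-separated column names,
# each optionally followed by asc/desc. Anything else is reported.
COLUMN = r"[A-Za-z_][A-Za-z0-9_.]*(?:\s+(?:asc|desc))?"
SAFE_SORT = re.compile(rf"{COLUMN}(?:\s*,\s*{COLUMN})*", re.IGNORECASE)
# Assumed log format: client address first, request line in double quotes.
REQUEST = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')


def suspicious_sort_params(target):
    """Return (param, decoded value) pairs that fall outside the sort grammar."""
    parts = urlsplit(target)
    watched = SORT_PARAMS.get(parts.path, set())
    return [(name, value)
            for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if name in watched and value and not SAFE_SORT.fullmatch(value.strip())]


def scan_log(lines):
    """Return (client, path, param, value) for every flagged request."""
    hits = []
    for line in lines:
        match = REQUEST.match(line)
        if not match:
            continue
        client, target = match.groups()
        for name, value in suspicious_sort_params(target):
            hits.append((client, urlsplit(target).path, name, value))
    return hits


# Constructed sample lines (documentation address ranges, made-up values).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Nov/2016:10:00:00 +0000] "GET /categoriesServlet?start=0&count=10&sort=category_name HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Nov/2016:10:00:05 +0000] "GET /categoriesServlet?start=0&count=10&sort=category_name%27%20-- HTTP/1.1" 500 87',
    '192.0.2.10 - - [01/Nov/2016:10:00:09 +0000] "GET /JSONTags?start=0&count=10&sort=tagname+desc HTTP/1.1" 200 300',
    '198.51.100.7 - - [01/Nov/2016:10:00:12 +0000] "GET /c/portal/layout?p_p_id=EXT_15&_EXT_15_orderby=modDate,(select+1)&_EXT_15_pageNumber=1 HTTP/1.1" 200 900',
    '192.0.2.10 - - [01/Nov/2016:10:00:15 +0000] "GET /index?sort=anything%27 HTTP/1.1" 200 10',
]
```

The same `SAFE_SORT` check can be enforced at a reverse proxy in front of instances that cannot yet be upgraded to the fixed releases.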