Nov 01, 2016

dotCMS 3.x SQL Injection

Elar Lang





Title: Multiple SQL injection vulnerabilities in dotCMS (8x CVE)  
Credit: Elar Lang /  
Vendor/Product: dotCMS (  
Vulnerability: SQL injection  
Vulnerable version: before 3.5; 3.3.1 and 3.3.2 (depends on CVE)  
CVE: CVE-2016-8902, CVE-2016-8903, CVE-2016-8904, CVE-2016-8905,  
CVE-2016-8906, CVE-2016-8907, CVE-2016-8908, CVE-2016-4040  
# Multiple SQL injections in dotCMS framework.  
## CVE-2016-8902 - categoriesServlet, sort  
SQL injection vulnerability in the categoriesServlet in dotCMS before  
3.3.1 allows remote unauthenticated attackers to execute arbitrary  
SQL commands via the sort parameter.  
Preconditions: None. No authentication needed.  
Proof-of-Concept URL, vulnerable parameter is "sort":  
## CVE-2016-8903 - "Templates pages", _EXT_13_orderby  
SQL injection vulnerability in the "Site Browser > Templates pages"  
screen in dotCMS before 3.3.1 allows remote authenticated attackers to  
execute arbitrary SQL commands via the _EXT_13_orderby parameter.  
Preconditions: attacker must be authenticated.  
Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Templates  
pages", click on some column title in the resultset table):  
## CVE-2016-8904 - "Containers pages", _EXT_12_orderby  
SQL injection vulnerability in the "Site Browser > Containers pages"  
screen in dotCMS before 3.3.1 allows remote authenticated attackers to  
execute arbitrary SQL commands via the _EXT_12_orderby parameter.  
Preconditions: attacker must be authenticated.  
Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Containers  
pages", click on some column title in the resultset table):  
## CVE-2016-8905 - JSONTags servlet, sort  
SQL injection vulnerability in the JSONTags servlet in dotCMS before  
3.3.1 allows remote authenticated attackers to execute arbitrary SQL  
commands via the sort parameter.  
Preconditions: attacker must be authenticated.  
/JSONTags?start=0&count=10&sort=tagname SQLi  
## CVE-2016-8906 - "Links pages", _EXT_18_orderby  
SQL injection vulnerability in the "Site Browser > Links page" screen  
in dotCMS before 3.3.1 allows remote authenticated attackers to  
execute arbitrary SQL commands via the _EXT_18_orderby parameter.  
Preconditions: attacker must be authenticated.  
Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > Links  
pages", click on some column title in the resultset table):  
## CVE-2016-8907 - "Content Types", _EXT_STRUCTURE_orderBy and _EXT_STRUCTURE_direction  
SQL injection vulnerability in the "Content Types > Content Types"  
screen in dotCMS before 3.3.1 allows remote authenticated attackers to  
execute arbitrary SQL commands via the _EXT_STRUCTURE_orderBy and  
_EXT_STRUCTURE_direction parameters.  
Preconditions: attacker must be authenticated.  
Proof-of-Concept URL (from "Admin Site" UI: "Content Types > Content  
Types", click on some column title in the resultset table):  
## CVE-2016-8908 - "HTML pages", _EXT_15_orderby  
SQL injection vulnerability in the "Site Browser > HTML pages" screen  
in dotCMS before 3.3.1 allows remote authenticated attackers to  
execute arbitrary SQL commands via the _EXT_15_orderby parameter.  
Preconditions: attacker must be authenticated.  
Proof-of-Concept URL (from "Admin Site" UI: "Site Browser > HTML  
pages", click on some column title in the resultset table):  
## CVE-2016-4040 - "Workflow", _EXT_15_orderby  
SQL injection vulnerability in the "Workflow Screen" in dotCMS before  
3.3.2 allows remote administrators to execute arbitrary SQL commands  
via the _EXT_15_orderby parameter.  
Preconditions: attacker must be authenticated.  
Proof-of-Concept URL (from "Admin Site" UI: "Home > Workflow tasks",  
click on some column title in the resultset table):  
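All eight findings share one root cause: a client-supplied sort column or direction is appended to an ORDER BY clause as raw text, and JDBC placeholders cannot bind identifiers, so the usual parameter binding does not help. The following is an added illustration, not dotCMS code and not from the advisory; the table, column names and method names are hypothetical.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.SQLException;
import java.util.Locale;
import java.util.Map;
import java.util.Set;

// Hypothetical servlet helper showing the vulnerable shape beside a
// hardened one. Table "tag" and its columns are invented for the example.
public class SortParameter {

    // Vulnerable shape: the "sort" request value is spliced into the SQL.
    // A "?" cannot stand in for a column name, which is why this pattern
    // is common in list screens with sortable columns.
    static String vulnerableQuery(String sort) {
        return "SELECT tagname, host_id FROM tag ORDER BY " + sort;
    }

    // Allowlist: request value -> column expression known at compile time.
    private static final Map<String, String> SORT_COLUMNS = Map.of(
            "tagname", "tagname",
            "host", "host_id",
            "modified", "mod_date");
    private static final Set<String> DIRECTIONS = Set.of("ASC", "DESC");

    // Hardened shape: the request value only chooses among fixed strings;
    // no attacker-controlled bytes ever reach the SQL text.
    static String safeQuery(String sort, String direction) {
        String column = SORT_COLUMNS.get(sort);
        if (column == null) {
            throw new IllegalArgumentException("unknown sort column: " + sort);
        }
        String dir = direction == null ? "ASC" : direction.toUpperCase(Locale.ROOT);
        if (!DIRECTIONS.contains(dir)) {
            throw new IllegalArgumentException("unknown sort direction");
        }
        // Paging values (start/count, as in the JSONTags URL) are data,
        // so they are bound as parameters rather than concatenated.
        return "SELECT tagname, host_id FROM tag ORDER BY " + column + " " + dir
                + " LIMIT ? OFFSET ?";
    }

    static PreparedStatement prepare(Connection c, String sort, String direction,
                                     int count, int start) throws SQLException {
        PreparedStatement ps = c.prepareStatement(safeQuery(sort, direction));
        ps.setInt(1, count);
        ps.setInt(2, start);
        return ps;
    }
}
```

Any `sort` value that is not a key of the allowlist (for example `not_a_column`) is rejected before a statement is built, which also gives the application a single place to log and alert on tampering with these parameters.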
# Vulnerability Disclosure Timeline  
2015-12-14 | me > dotCMS | 8 SQL injection vulnerabilities  
2015-12-14 | dotCMS > me | they were planning fixes in an upcoming release, estimated for the beginning of 2016  
2016-03-16 | dotCMS | dotCMS version 3.3.1 release (CVE-2016-4040 still not fixed)  
2016-04-07 | me > dotCMS | what is the situation with the reported vulnerabilities?  
2016-04-07 | dotCMS > me | CVE-2016-4040 will be fixed in 3.5, which is estimated to be out in mid-April  
2016-04-19 | dotCMS | dotCMS version 3.5 release  
2016-05-10 | dotCMS | dotCMS version 3.3.2 release  
2016-10-31 | me | Full Disclosure on  
# Related fixes and releases  
Elar Lang  
Blog @  
Pentester, lecturer @  
