Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability
• Software Link:
• Affected Versions:
Versions 5.7.3.1 and 5.7.4, and probably other versions.
• Vulnerability Description:
The vulnerable code is located in /concrete/src/Permission/Access/Access.php:
168 protected function buildAssignmentFilterString($accessType, $filterEntities)
169 {
170     $peIDs = '';
171     $filters = array();
172     if (count($filterEntities) > 0) {
173         foreach ($filterEntities as $ent) {
174             $filters[] = $ent->getAccessEntityID();
175         }
176         $peIDs .= 'and peID in (' . implode($filters, ',') . ')';
177     }
178     if ($accessType == 0) {
179         $accessType = '';
180     } else {
181         $accessType = ' and accessType = ' . $accessType;
182     }
The Access::buildAssignmentFilterString() method uses its $accessType parameter to build a SQL fragment by plain string concatenation at line 181, without casting it to an integer or binding it as a query parameter. The loose comparison at line 178 is not a safeguard: a string that starts with a non-zero digit (for example a number followed by further SQL) is not equal to 0 and reaches line 181 unchanged. An attacker who controls this value can therefore inject and execute arbitrary SQL commands. Successful exploitation of this vulnerability requires an account with privileges to edit page permissions.
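The following stand-alone script is an added example and is not Concrete5's code: it mirrors the filter-string logic of lines 170-182 in a self-contained function, runs it against a constructed in-memory SQLite table through PDO, and places a hardened variant beside it that casts every caller-supplied value to an integer and binds it as a placeholder. The table name, columns, rows and the $payload value are constructed for the demo; the hardened builder is one possible fix and is not claimed to be the vendor's patch.

```php
<?php
// Added example, not Concrete5's own code. The table and rows below are
// constructed so the script runs offline with the bundled pdo_sqlite driver.

function setupDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE PermissionAccessList (peID INTEGER, accessType INTEGER, label TEXT)');
    $db->exec("INSERT INTO PermissionAccessList VALUES (1, 10, 'include'), (2, 10, 'include'), (3, 20, 'exclude')");
    return $db;
}

// Vulnerable builder: same control flow as Access.php lines 170-182.
// Access entity IDs are passed as plain integers here instead of objects.
function buildFilterVulnerable($accessType, array $peIDs): string {
    $filter = '';
    if (count($peIDs) > 0) {
        $filter .= ' and peID in (' . implode(',', $peIDs) . ')';
    }
    if ($accessType == 0) {          // loose comparison: a leading-digit string is not 0
        $accessType = '';
    } else {
        $accessType = ' and accessType = ' . $accessType;   // raw concatenation
    }
    return 'select label from PermissionAccessList where 1=1' . $filter . $accessType;
}

// Hardened builder: every caller-supplied value becomes an integer bound to a
// placeholder, so the SQL text never contains attacker-controlled characters.
function buildFilterSafe($accessType, array $peIDs): array {
    $sql = 'select label from PermissionAccessList where 1=1';
    $params = [];
    if (count($peIDs) > 0) {
        $sql .= ' and peID in (' . implode(',', array_fill(0, count($peIDs), '?')) . ')';
        foreach ($peIDs as $id) {
            $params[] = (int) $id;
        }
    }
    if ((int) $accessType !== 0) {
        $sql .= ' and accessType = ?';
        $params[] = (int) $accessType;
    }
    return [$sql, $params];
}

$db = setupDb();
// Constructed input: the leading digits make the value non-equal to 0, so it
// bypasses the == 0 branch and the trailing "or 1=1" is appended verbatim.
$payload = '10 or 1=1';

// Vulnerable path: "and accessType = 10 or 1=1" disables every preceding
// condition because AND binds tighter than OR in SQL.
$stmt = $db->query(buildFilterVulnerable($payload, [1]));
echo 'vulnerable: ' . implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN)) . "\n";

// Hardened path: the payload is cast to 10 and bound, so only the rows that
// really match peID 1 and accessType 10 are returned.
[$sql, $params] = buildFilterSafe($payload, [1]);
$stmt = $db->prepare($sql);
$stmt->execute($params);
echo 'hardened:   ' . implode(',', $stmt->fetchAll(PDO::FETCH_COLUMN)) . "\n";
```

Run it with any PHP 7.1 or later CLI that has the pdo_sqlite extension enabled (it is compiled in by default). The vulnerable branch returns rows from outside the requested peID and accessType set, while the hardened branch is restricted to the single matching row; the integer cast alone would already neutralise this particular input, but binding the value as a parameter also protects the query if the type of $accessType is ever widened.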
• Solution:
Update to version 5.7.4.1 or later.
• Disclosure Timeline:
[05/05/2015] – Vulnerability details sent through HackerOne
[12/05/2015] – Vendor said a patch has been committed and will be available in the next version
[12/05/2015] – Version 5.7.4.1 released along with the patch for this vulnerability
[11/06/2015] – Vulnerability publicly disclosed on HackerOne
[11/06/2015] – CVE number requested
[11/06/2015] – Publication of this advisory
[23/06/2015] – CVE number assigned
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-4724 to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano of Minded Security.