Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability

• Software Link:

https://www.concrete5.org/

• Affected Versions:

Versions 5.7.3.1 and 5.7.4, and probably other versions.

• Vulnerability Description:

The vulnerable code is located in /concrete/src/Permission/Access/Access.php:

    protected function buildAssignmentFilterString($accessType, $filterEntities)
    {
        $peIDs = '';
        $filters = array();
        if (count($filterEntities) > 0) {
            foreach ($filterEntities as $ent) {
                $filters[] = $ent->getAccessEntityID();
            }
            $peIDs .= 'and peID in (' . implode($filters, ',') . ')';
        }
        if ($accessType == 0) {
            $accessType = '';
        } else {
            // $accessType is concatenated into the SQL fragment as received (line 181):
            // it is neither cast to an integer nor checked against a whitelist.
            $accessType = ' and accessType = ' . $accessType;
        }

The Access::buildAssignmentFilterString() method uses its $accessType parameter to build a SQL query fragment without proper validation (line 181 of Access.php). This can be exploited to inject and execute arbitrary SQL commands. Successful exploitation of this vulnerability requires an account with privileges to edit page permissions.
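A hardened variant of this filter builder, added here as an illustration of the fix pattern; it is not the project's code nor the vendor's actual patch, and the class name, method signature and the plain integer-ID list are assumptions:

```php
<?php
// Added example, not from Concrete5: both the access type and the entity IDs
// are treated strictly as integers before they ever touch the SQL fragment.
final class SafeAssignmentFilter
{
    /**
     * @param int|string $accessType  value taken from the request (untrusted)
     * @param int[]      $entityIds   access-entity IDs (assumed to be plain ints)
     * @return string    a WHERE fragment that can only contain digits and commas
     */
    public static function build($accessType, array $entityIds): string
    {
        // Reject anything that is not a plain non-negative integer. Casting alone
        // would silently turn "5abc" into 5; validating makes the bad input visible.
        $validated = filter_var(
            $accessType,
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 0]]
        );
        if ($validated === false) {
            throw new InvalidArgumentException('accessType must be a non-negative integer');
        }

        $sql = '';
        if (count($entityIds) > 0) {
            // Each ID is forced to int, so the IN list cannot carry anything else.
            $ids = array_map('intval', $entityIds);
            $sql .= ' and peID in (' . implode(',', $ids) . ')';
        }
        if ($validated !== 0) {
            $sql .= ' and accessType = ' . $validated;
        }
        return $sql;
    }
}

// Constructed sample inputs: a valid call and a rejected non-integer value.
echo SafeAssignmentFilter::build('3', [7, 12]) . PHP_EOL;   // " and peID in (7,12) and accessType = 3"
try {
    SafeAssignmentFilter::build('5abc', [7]);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```

Where the column is not numeric, the same idea applies with a bound parameter instead of integer validation; the point is that request data never reaches the query string by concatenation.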

• Solution:

Update to version 5.7.4.1 or later.

• Disclosure Timeline:

[05/05/2015] – Vulnerability details sent through HackerOne
[12/05/2015] – Vendor said a patch has been committed and will be available in the next version
[12/05/2015] – Version 5.7.4.1 released along with the patch for this vulnerability
[11/06/2015] – Vulnerability publicly disclosed on HackerOne
[11/06/2015] – CVE number requested
[11/06/2015] – Publication of this advisory
[23/06/2015] – CVE number assigned

• CVE Reference:

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2015-4724 to this vulnerability.

• Credits:

Vulnerability discovered by Egidio Romano of Minded Security.

• Other References:

https://www.mindedsecurity.com/index.php/research/advisories/msa110615-3
https://hackerone.com/reports/59664