Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability
• Software Link:
• Affected Versions:
Version 5.7.3.1, 5.7.4, and probably other versions.
• Vulnerability Description:
The vulnerable code is located in /concrete/src/Permission/Access/Access.php:
protected function buildAssignmentFilterString($accessType, $filterEntities)
{
$peIDs = '';
$filters = array();
if (count($filterEntities) > 0) {
foreach ($filterEntities as $ent) {
$filters[] = $ent->getAccessEntityID();
}
$peIDs .= 'and peID in (' . implode($filters, ',') . ')';
}
if ($accessType == 0) {
$accessType = '';
} else {
$accessType = ' and accessType = ' . $accessType;
}
The Access::buildAssignmentFilterString() method uses its $accessType parameter to construct a SQL query without a proper validation at line 181. This can be exploited to inject and execute arbitrary SQL commands. Successful exploitation of this vulnerability requires an account with privileges to edit page permissions.
• Solution:
Update to version 5.7.4.1 or later.
• Disclosure Timeline:
[05/05/2015] – Vulnerability details sent through HackerOne
[12/05/2015] – Vendor said a patch has been committed and will be available in the next version
[12/05/2015] – Version 5.7.4.1 released along with the patch for this vulnerability
[11/06/2015] – Vulnerability publicly disclosed on HackerOne
[11/06/2015] – CVE number requested
[11/06/2015] – Publication of this advisory
[23/06/2015] – CVE number assigned
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2015-4724 to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano of Minded Security.
• Other References:
https://www.mindedsecurity.com/index.php/research/advisories/msa110615-3
https://hackerone.com/reports/59664