Concrete5 <= 5.7.4 (Access.php) SQL Injection Vulnerability
• Software Link:
• Affected Versions:
Version 5.7.3.1, 5.7.4, and probably other versions.
• Vulnerability Description:
The vulnerable code is located in /concrete/src/Permission/Access/Access.php:
    protected function buildAssignmentFilterString($accessType, $filterEntities)
    {
        $peIDs = '';
        $filters = array();
        if (count($filterEntities) > 0) {
            foreach ($filterEntities as $ent) {
                $filters[] = $ent->getAccessEntityID();
            }
            $peIDs .= 'and peID in (' . implode($filters, ',') . ')';
        }
        if ($accessType == 0) {
            $accessType = '';
        } else {
            $accessType = ' and accessType = ' . $accessType;
        }
The Access::buildAssignmentFilterString() method concatenates its $accessType parameter directly into a SQL query (line 181) without any validation or casting. This can be exploited to inject and execute arbitrary SQL commands. Successful exploitation of this vulnerability requires an account with privileges to edit page permissions.
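For comparison, the following is an added example of how such a filter builder can be written so that neither $accessType nor the entity IDs are ever spliced into SQL text; it is not Concrete5's code or the vendor's patch. It assumes PHP 8, a database layer that accepts positional placeholders with bound parameters, and a hypothetical DemoAccessEntity class standing in for the real access entity.

```php
<?php
// Added example (not Concrete5's code): a hardened filter builder that returns
// a SQL fragment with '?' placeholders plus the values to bind, instead of
// interpolating untrusted input into the query string.

class DemoAccessEntity  // hypothetical stand-in for the real entity class
{
    public function __construct(private int $id) {}
    public function getAccessEntityID(): int { return $this->id; }
}

/**
 * @return array{0:string,1:array<int>} SQL fragment and its bound parameters
 */
function buildAssignmentFilterSafe($accessType, array $filterEntities): array
{
    $sql = '';
    $params = [];

    if (count($filterEntities) > 0) {
        $ids = [];
        foreach ($filterEntities as $ent) {
            $ids[] = (int) $ent->getAccessEntityID();   // IDs are integers
        }
        // one placeholder per ID; the values travel as bound parameters
        $sql .= ' and peID in (' . implode(',', array_fill(0, count($ids), '?')) . ')';
        $params = array_merge($params, $ids);
    }

    // accessType is an integer code; an empty value means "no filter" (as in
    // the original), anything that is not an integer is rejected up front.
    $type = ($accessType === null || $accessType === '')
        ? 0
        : filter_var($accessType, FILTER_VALIDATE_INT);
    if ($type === false) {
        throw new InvalidArgumentException('accessType must be an integer');
    }
    if ($type !== 0) {
        $sql .= ' and accessType = ?';
        $params[] = $type;
    }
    return [$sql, $params];
}

// Demo with constructed inputs: a valid call, then a non-integer accessType.
[$sql, $params] = buildAssignmentFilterSafe('1', [new DemoAccessEntity(7), new DemoAccessEntity(9)]);
echo $sql, ' ', json_encode($params), PHP_EOL;
try {
    buildAssignmentFilterSafe('1 x', []);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The returned fragment and parameter array are meant to be passed to a prepared statement, so the query structure is fixed before any caller-supplied value reaches the database.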
• Solution:
Update to version 5.7.4.1 or later.
• Disclosure Timeline:
[05/05/2015] – Vulnerability details sent through HackerOne
[12/05/2015] – Vendor said a patch has been committed and will be available in the next version
[12/05/2015] – Version 5.7.4.1 released along with the patch for this vulnerability
[11/06/2015] – Vulnerability publicly disclosed on HackerOne
[11/06/2015] – CVE number requested
[11/06/2015] – Publication of this advisory
[23/06/2015] – CVE number assigned
• CVE Reference:
The Common Vulnerabilities and Exposures project (cve.mitre.org)
has assigned the name CVE-2015-4724 to this vulnerability.
• Credits:
Vulnerability discovered by Egidio Romano of Minded Security.
• Other References:
https://www.mindedsecurity.com/index.php/research/advisories/msa110615-3
https://hackerone.com/reports/59664