Title: Symphony CMS multiple vulnerabilities
Version: 2.6.5 and probably prior
Vulnerability type: SQL injection, Unrestricted File Upload
Risk level: 4 / 5
Credit: Filippo Cavallarin – wearesegment.com
Symphony CMS suffers from multiple vulnerabilities:
– SQL Injection
The contentAjaxQuery class suffers from a SQL injection vulnerability because the request parameter “query” is used to build a SQL query without being properly sanitized. In order to exploit this issue, an attacker must be logged into the application as a non-privileged user.
The following proof-of-concept demonstrates this issue by listing users' credentials:
– Unrestricted file upload
Symphony CMS suffers from an Unrestricted File Upload vulnerability that leads to remote code execution in the context of the web server.
It is possible for a non-privileged user to upload a .php file into the webroot and execute arbitrary PHP code.
In order to exploit this issue, an attacker must be logged into the application as a non-privileged user, and at least one “section” with a file upload field must exist.
To reproduce the issue, follow the steps below:
- As an admin create a Section with a File Upload field
- Log in as an author and create a new entry in the newly created section
- Upload a .php file (e.g. tmp.php) and load it with the browser (e.g. http://symphony-cms.local/workspace/tmp.php)
Solution: Upgrade to Symphony CMS version 2.6.6.
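For readers maintaining their own upload handlers, the following PHP function is an added illustration (not Symphony CMS code) of the checks whose absence the advisory describes: an extension allowlist, a MIME sniff of the actual bytes rather than the client-declared type, and a server-chosen file name stored outside the web root. The function name, the `UPLOAD_DIR` path and the allowlist contents are assumptions.

```php
<?php
// Added example, not Symphony CMS code: an upload handler hardened against the
// "upload a .php file into the webroot" issue described in the advisory.
// UPLOAD_DIR is an assumed path; it must NOT be inside the document root.
const UPLOAD_DIR = '/var/www/uploads-private';

// $file is one entry of $_FILES; $allowed maps a permitted extension to the
// MIME type its contents must sniff as. Returns the stored path or throws.
function store_upload(array $file, array $allowed): string
{
    $err = $file['error'] ?? UPLOAD_ERR_NO_FILE;
    if ($err !== UPLOAD_ERR_OK) {
        throw new RuntimeException("Upload failed with error code $err");
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Not a file uploaded via HTTP POST');
    }

    // Allowlist on the last extension, compared case-insensitively. A denylist
    // of "php" alone would still let phtml, phar and similar through.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!isset($allowed[$ext])) {
        throw new RuntimeException("Extension '.$ext' is not permitted");
    }

    // Never trust $file['type'] (client-supplied); sniff the stored bytes.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if ($mime !== $allowed[$ext]) {
        throw new RuntimeException("Content type '$mime' does not match .$ext");
    }

    // Server-chosen name: the original file name never reaches the filesystem.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not move uploaded file');
    }
    return $dest;
}

// Assumed allowlist for an image upload field.
$allowed = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

// Usage inside a form handler (field name "upload" is assumed):
// $path = store_upload($_FILES['upload'] ?? [], $allowed);
```

Because the file lands outside the web root, it is delivered to browsers only through a download script, and the web server never gets the chance to execute it; as an additional layer, configure the server to refuse PHP execution in any user-writable directory such as workspace/.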