ITAS Team đã phát hiện lỗ hổng SQL Injection trong Sefrengo CMS. Thông qua lỗ hổng này, hacker có thể thực thi tùy ý các câu lệnh truy vấn SQL. Nguyên nhân của lỗ hổng là do dữ liệu đầu vào từ người dùng cung cấp không được lọc.
Các cá nhân và tổ chức đang sử dụng CMS này nên chú ý và cập nhật lên phiên bản mới nhất (Sefrengo CMS v1.6.2).

Thông tin về lỗ hổng:
– Lỗ hổng: SQL injection
– Nhà sản xuất: http://www.sefrengo.org/
– Download link: https://github.com/sefrengo-cms/sefrengo-1.x/tree/22c0d16bfd715631ed317cc990785ccede478f07
– Phiên bản lỗi: Sefrengo CMS v1.6.1
– Phiên bản vá: Sefrengo CMS v1.6.2
– CVE ID: CVE-2015-1428
– Phát hiện bởi: Nguyễn Hùng Tuấn (tuan.h.nguyen@itas.vn) & ITAS Team (www.itas.vn)

Chi tiết về lỗ hổng:
Link 1:
POST /sefrengo/backend/main.php?idcatside= HTTP/1.1
Host: itaslab.vn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://itaslab.vn/sefrengo/backend/main.php
Cookie: browserspy_js=1; sefrengo=[SQL INJECTION HERE]
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 707

username=abc&password=abc&Submit=Login+%C2%BB&sid_sniffer=5%2C5%2Ctrue%2Cfalse%2Cfalse%2Cfalse%2
Ctrue%2Cfalse%2Ctrue%2Ctrue%2Ctrue%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2C
false%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse
%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2C1.5%2Ctrue%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse
%2Cfalse%2Ctrue%2Ctrue%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse
%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse
%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Cfalse%2Ctrue%2Ctrue%2Cfalse&response=
&area=con

– Vulnerable file: /backend/external/phplib/ct_sql.inc
– Vulnerable function: function ac_get_value($id, $name)
– Vulnerable parameter: $id
– Vulnerable code:
function ac_get_value($id, $name) {
global $cms_db;
$this->db->query(sprintf(“select val from %s where sid = ‘%s’ and name = ‘%s'”,
$cms_db[‘sessions’],
$id,
addslashes($name)));
if ($this->db->next_record()) {
$str = $this->db->f(“val”);
$str2 = base64_decode( $str );
if ( ereg(“^”.$name.”:.*”, $str2) ) {
$str = ereg_replace(“^”.$name.”:”, “”, $str2 );
} else {
$str3 = stripslashes( $str );
if ( ereg(“^”.$name.”:.*”, $str3) ) {
$str = ereg_replace(“^”.$name.”:”, “”, $str3 );
} else {
switch ( $this->encoding_mode ) {
case “slashes”:
$str = stripslashes($str);
break;
case “base64”:
default:
$str = base64_decode($str);
}
}
};
return $str;
};
return “”;
}

POST /sefrengo/backend/main.php HTTP/1.1
Host: itaslab.vn
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://itaslab.vn/sefrengo/backend/main.php?area=settings&action=edit&vid=4491
Cookie: browserspy_js=1; sefrengo=8167bb07461d09b026b28179f7863562
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 112

value_to_save=45&sefrengo=8167bb07461d09b026b28179f7863562&area=settings&action=save_value&value_id=[SQL INJECTION HERE]&x=6&y=8

– Vulnerable file:
– Vulnerable function: function set_value($mixed)
– Vulnerable parameter: vid
– Vulnerable code:
function set_value($mixed)
{
global $cms_db, $db;
//build query
$sql_group = (empty($mixed[‘group’])) ? 0: ”.$mixed[‘group’];
$sql_client = (empty($mixed[‘client’])) ? ”: ‘AND idclient IN (‘. $mixed[‘client’] .’)’;
$sql_lang = (empty($mixed[‘lang’])) ? ”: ‘AND idlang IN (‘. $mixed[‘lang’] .’)’;
$sql_key = (empty($mixed[‘key’])) ? ”: ‘AND V.key1 = “‘. $mixed[‘key’] . ‘” ‘;
$sql_key2 = (empty($mixed[‘key2’])) ? ”: ‘AND V.key2 = “‘. $mixed[‘key2’] . ‘” ‘;
$sql_key3 = (empty($mixed[‘key3’])) ? ”: ‘AND V.key3 = “‘. $mixed[‘key3’] . ‘” ‘;
$sql_key4 = (empty($mixed[‘key4’])) ? ”: ‘AND V.key4 = “‘. $mixed[‘key4’] . ‘” ‘;
$sql_id = (empty($mixed[‘id’])) ? “”: “AND V.idvalues = ‘”. $mixed[‘id’] . “‘ “;
$sql = “SELECT *
FROM “. $cms_db[‘values’] .” AS V
WHERE V.group_name IN (‘$sql_group’)
$sql_client $sql_lang
$sql_key $sql_key2 $sql_key3 $sql_key4 $sql_id”;
//die($sql);
$db -> query($sql);
$count_rows = $db ->num_rows();
if($count_rows > 1){
echo $sql .’
Fehler in Klasse “cms_value_ct”. Es wurde mehr als ein Ergebnis gefunden. Anfrage ist nicht eindeutig’;
exit;
}
elseif($count_rows == 1){
$db -> next_record();
$mixed[‘id’] = $db -> f(‘idvalues’);
//echo “update”;
$this -> _update_by_id($mixed);
}
else{
$this -> insert($mixed);
}
}

Công bố thông tin:
– 01/08/2015: Thông báo cho nhà sản xuất và nhà sản xuất xác nhận
– 01/25/2015: Nhà sản xuất phát hành bản vá
– 01/26/2015: ITAS Team công bố thông tin lỗ hổng
References:
– https://github.com/sefrengo-cms/sefrengo-1.x/commit/22c0d16bfd715631ed317cc990785ccede478f07
– http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1428