2012-10-25

_________________________________________________________________________
title: Contao 2.11.6 Multiple vulnerabilities
vulnerable version: 2.11.6
impact: medium
homepage: www.contao.org
found: 23.10.2012
by: aulmn
_________________________________________________________________________

Vendor description:
Contao is an open source content management system (CMS) for people
who want a professional internet presence that is easy to maintain.

_________________________________________________________________________

Vulnerability overview/description:

Because the filter.x parameter is not validated correctly, an SQL error
leak (SQL injection into the LIMIT clause of a back-end listing query) is
possible. The vulnerability is reachable by logged-in users; pre-auth
exploitation was not confirmed.

_________________________________________________________________________

Proof of concept:
1) To find out what validation is applied, send a payload in the
filter.x parameter.
Sample output will look like this:
"
Fatal error: Uncaught exception Exception with message Query error:
Undeclared variable: XSS (SELECT * FROM tl_theme ORDER BY name LIMIT
XSS Example$(function() {$('#users').each(function() {var select =
$(this);var
option=select.children('option').first();select.after(option.text());select.hide();});});
[lt]script[gt]alert('xss');[lt]/script[gt],30)
thrown in /home/contao/contao-2.11.6/system/libraries/Database.php on line
686"

2) To trigger the SQL error leak:
The request to a vulnerable Contao CMS should look like this:
---8
query()
#1 /home/contao/contao-2.11.6/system/drivers/DC_Table.php(3831):
Database_Statement->execute(Array)
#2 /home/contao/contao-2.11.6/system/drivers/DC_Table.php(344):
DC_Table->listView()
#3 /home/contao/contao-2.11.6/system/modules/backend/Backend.php(287):
DC_Table->showAll()
#4 /home/contao/contao-2.11.6/contao/main.php(120):
Backend->getBackendModule('themes')
#5 /home/contao/contao-2.11.6/contao/main.php(230): Main->run()
#6 {main}

---8
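The trace above shows the raw parameter reaching the LIMIT clause of the tl_theme listing query. The following PHP contrast is an added illustration, not Contao's code: the unsafe function mirrors the pattern the error message implies (string-interpolating the request value), and the hardened one accepts only a non-negative integer offset. Function names, the query shape and the sample inputs are assumptions.

```php
<?php
// Illustrative only (not Contao's own code): how an offset taken from the
// request should be validated before it is placed in a LIMIT clause.

// Unsafe pattern (hypothetical): the raw parameter is interpolated, so any
// non-numeric value becomes part of the SQL text and the database error
// echoes the whole query back, as seen in the advisory's output.
function buildListQueryUnsafe(string $offsetParam, int $pageSize): string
{
    return "SELECT * FROM tl_theme ORDER BY name LIMIT $offsetParam,$pageSize";
}

// Hardened pattern: validate the offset as a bounded integer first; the
// LIMIT clause then only ever contains digits. Rejecting (instead of
// silently coercing) keeps tampered requests visible in application logs.
function buildListQuerySafe(string $offsetParam, int $pageSize): string
{
    $offset = filter_var($offsetParam, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 0, 'max_range' => PHP_INT_MAX],
    ]);
    if ($offset === false) {
        throw new InvalidArgumentException('filter.x must be a non-negative integer');
    }
    return sprintf('SELECT * FROM tl_theme ORDER BY name LIMIT %d,%d', $offset, $pageSize);
}

// Constructed sample inputs: a legitimate page offset and a tampered value.
$samples = ['60', '60 tampered'];
foreach ($samples as $value) {
    echo "unsafe: " . buildListQueryUnsafe($value, 30) . PHP_EOL;
    try {
        echo "safe:   " . buildListQuerySafe($value, 30) . PHP_EOL;
    } catch (InvalidArgumentException $e) {
        // The tampered value never reaches the database layer.
        echo "safe:   rejected (" . $e->getMessage() . ")" . PHP_EOL;
    }
}
```

A second, independent mitigation is to not expose database exception messages to back-end users, since the leaked query text is what turns a failed request into an information disclosure.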
//The information contained within this publication is
//supplied "as-is" with no warranties or guarantees of fitness
//of use or otherwise. Bot24, Inc nor Bradley Sean Susser accepts
//responsibility for any damage caused by the use or misuse of
//this information