Injection messages in Admin Log

MantaPro
Forum Members
Posts: 97
Joined: Sun Feb 03, 2008 8:14 pm

Injection messages in Admin Log

Post by MantaPro »

I have a few cmsms installs where I keep getting messages such as this showing up in the Admin logs

Code:

Unable to load template 'cms_template:News Detail'nvOpzp; AND 1=1 OR (<'">iKO)),' in 'tpl_top:25'

module_db_tpl:LISEVacancies;detail_Http://Www.Google.Com is an invalid CMSMS resource specification

module_db_tpl:LISEVacancies;detail_/etc/passwd is an invalid CMSMS resource specification

Unable to load template 'module_db_tpl:LISEVacancies;detail_AC Vacancy Detail'[0]'

These all look to me to be OS Injection attacks; and the fact that someone (or their bots) probe for vulnerabilities is sadly to be expected nowadays. What does surprise me a little is that the URL get params which are being tampered with are getting passed through the CMSMS Core to the News and LISE modules and being included in the DB calls. I've wrongly assumed that the core would be sanitising all get params to prevent this kind of injection attack.

My core, News, LISE and a few other modules are a couple of versions out of date, so I will get everything up to date then see if this probing is still getting into the DB calls.

Anyone know if the vulnerability has been fixed in the latest versions, or is anyone else getting Smarty Error messages in their Admin Log like this using the latest versions? If there is, I will have to work my way through the Core and Module code to work out how URL params are handled and where it is (or should be) sanitised.
jce76350
Beta Tester
Posts: 2040
Joined: Mon May 29, 2006 1:20 pm
Location: Rouen

Re: Injection messages in Admin Log

Post by jce76350 »

For Smarty update see Maj Smarty et modules PHP 8.x
from (International Discussions French - Français)
Jean-Claude Etiemble
MantaPro
Forum Members
Posts: 97
Joined: Sun Feb 03, 2008 8:14 pm

Re: Injection messages in Admin Log

Post by MantaPro »

Thank you Jean-Claude Etiemble

I have updated to CMSMS v2.2.16 and all modules to their latest. Suspicious messages in Admin Log much reduced, but there are still a few - particularly around the LISE Template

Code:

Unable to load template 'module_db_tpl:LISEVacancies;detail_AC Vacancy Detail'A=0'
cms_template:../ is an invalid CMSMS resource specification

There is a whole lot of regex validation commented out in class.LISEURLOperations.php, and in LISE.module.php and action.detail.php there is an absence of any param clean-up such as urlencode(trim($params['detailtemplate'])), but I have zero insight into how LISE has been coded; I need to read the regex in LISEURLOperations a bit closer to understand what it is filtering.
MantaPro
Forum Members
Posts: 97
Joined: Sun Feb 03, 2008 8:14 pm

Re: Injection messages in Admin Log

Post by MantaPro »

After having updated core and all modules to the latest, I have been keeping an eye on the Admin log to see if any injection attacks are getting deeper into the system than perhaps they ought to. By sifting through the HTTP access logs I can see that this is the URL that still triggers the error message in the admin log:

Code:

index.php?mact=LISEVacancies,cntnt01,detail,0&cntnt01item=care_assistant&cntnt01template_summary=AC Welcome&cntnt01detailpage=vacancy-detail-page&cntnt01template_detail=/etc/passwd&cntnt01returnid=29

It is a call to display a page that contains data from a LISE instance using what ought to be a specific LISE detail template, but note the injection hackers are messing with the template name: they are trying to do an OS injection via /etc/passwd as the template name. Bit surprising that it gets as far as /lib/classes/internal/class.Smarty_CMS.php, where it fails some validation in "create template", causing a SMARTY dump (good that it simply fails validation rather than in a SQL call etc., but this seems about 3 or 4 steps late in shutting down this abuse). Here is the SMARTY trace:

Code:

#0 /homepages/38/d242029264/htdocs/acgtest/lib/classes/internal/class.Smarty_CMS.php(365): Smarty_CMS->createTemplate('module_db_tpl:L...', '', 'LISEVacancies', Object(Smarty_CMS))
#1 /homepages/38/d242029264/htdocs/acgtest/lib/classes/internal/module_support/modtemplates.inc.php(174): Smarty_CMS->fetch('module_db_tpl:L...', '', 'LISEVacancies')
#2 /homepages/38/d242029264/htdocs/acgtest/lib/classes/class.CMSModule.php(2647): cms_module_ProcessTemplateFromDatabase(Object(LISEVacancies), 'detail_/etc/pas...', '', false, 'LISEVacancies')
#3 /homepages/38/d242029264/htdocs/acgtest/modules/LISE/framework/action.detail.php(176): CMSModule->ProcessTemplateFromDatabase('detail_/etc/pas...')
#4 /homepages/38/d242029264/htdocs/acgtest/modules/LISE/lib/class.LISEInstance.php(536): include('/homepages/38/d...')
#5 /homepages/38/d242029264/htdocs/acgtest/lib/classes/class.CMSModule.php(1479): LISEInstance->DoAction('detail', 'cntnt01', Array, '29')
#6 /homepages/38/d242029264/htdocs/acgtest/lib/page.functions.php(550): CMSModule->DoActionBase('detail', 'cntnt01', Array, '29', Object(Smarty_CMS))
#7 /homepages/38/d242029264/htdocs/acgtest/index.php(156): preprocess_mact('29')
#8 {main}


At step #5 in /lib/classes/class.CMSModule.php(1479); just prior to this, in lines 1446 and 1457-1461, some URL parameter clean-up is done in the core but clearly is failing to trap the "/etc/passwd" string, which seems odd. I think any URL parameter containing "/" ought to be cleaned/rejected.

I am not sure what ->_cleanParamHash does; I will review that next.
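
The access-log sifting described in the post above, as an added example that is not part of the original thread and is not CMSMS or LISE code: it decodes each request's query string and flags template-name parameters whose value falls outside an allow-list pattern. The allow-list pattern, the helper names and the sample log lines are assumptions constructed for illustration; the parameter values are the ones quoted in this thread.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: legitimate template names contain only letters, digits,
# spaces, '_' and '-' (true of 'AC Vacancy Detail' and 'AC Welcome').
SAFE_TEMPLATE_NAME = re.compile(r"[A-Za-z0-9 _-]{1,64}")
# Request field of a combined-format access log line.
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def suspicious_template_params(url):
    """Return (param, decoded value) pairs for template-name parameters
    whose value falls outside the allow-list pattern."""
    hits = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        # Covers cntnt01template_detail, cntnt01template_summary, detailtemplate
        if "template" in name.lower() and not SAFE_TEMPLATE_NAME.fullmatch(value):
            hits.append((name, value))
    return hits


def scan_access_log(lines):
    """Return (line number, param, value) for every tampered template name."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if match:
            for name, value in suspicious_template_params(match.group(1)):
                findings.append((lineno, name, value))
    return findings


# Constructed sample lines (documentation IP range, made-up timestamps).
BASE = "/index.php?mact=LISEVacancies,cntnt01,detail,0&cntnt01item=care_assistant"
SAMPLE_LOG = [
    f'203.0.113.10 - - [01/Jan/2024:10:00:00 +0000] "GET {BASE}'
    '&cntnt01template_summary=AC+Welcome'
    '&cntnt01template_detail=AC%20Vacancy%20Detail&cntnt01returnid=29 HTTP/1.1" 200 5120',
    f'203.0.113.77 - - [01/Jan/2024:10:00:05 +0000] "GET {BASE}'
    '&cntnt01template_detail=/etc/passwd&cntnt01returnid=29 HTTP/1.1" 200 4311',
    f'203.0.113.77 - - [01/Jan/2024:10:00:06 +0000] "GET {BASE}'
    '&cntnt01template_detail=AC%20Vacancy%20Detail%27A%3D0 HTTP/1.1" 200 4311',
    '203.0.113.10 - - [01/Jan/2024:10:00:09 +0000] "GET /robots.txt HTTP/1.1" 200 68',
]

if __name__ == "__main__":
    for lineno, name, value in scan_access_log(SAMPLE_LOG):
        print(f"line {lineno}: {name}={value!r}")
```

The same pattern check, applied server-side before the template name reaches the template loader, is the kind of early rejection the post argues for.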
MantaPro
Forum Members
Posts: 97
Joined: Sun Feb 03, 2008 8:14 pm

Re: Injection messages in Admin Log

Post by MantaPro »

OK, narrowed the bug down to /LISE/lib/class.LISEInstance.php

In the "public function InitializeFrontend()" line 178 the template_detail parameter has been overlooked. I will report a bug via LISE's tracker.
velden
Dev Team Member
Posts: 3492
Joined: Mon Nov 28, 2011 9:29 am
Location: The Netherlands

Re: Injection messages in Admin Log

Post by velden »

Thank you for diving into this