Injection messages in Admin Log
Posted: Tue Mar 15, 2022 8:34 pm
by MantaPro
I have a few cmsms installs where I keep getting messages such as this showing up in the Admin logs
Code:
Unable to load template 'cms_template:News Detail'nvOpzp; AND 1=1 OR (<'">iKO)),' in 'tpl_top:25'
module_db_tpl:LISEVacancies;detail_Http://Www.Google.Com is an invalid CMSMS resource specification
module_db_tpl:LISEVacancies;detail_/etc/passwd is an invalid CMSMS resource specification
Unable to load template 'module_db_tpl:LISEVacancies;detail_AC Vacancy Detail'[0]'
These all look to me to be OS injection attacks; and the fact that someone (or their bots) probes for vulnerabilities is sadly to be expected nowadays. What does surprise me a little is that the URL GET params which are being tampered with are getting passed through the CMSMS core to the News and LISE modules and being included in the DB calls. I've wrongly assumed that the core would be sanitising all GET params to prevent this kind of injection attack.
My core, News, LISE and a few other modules are a couple of versions out of date, so I will get everything up to date and then see if this probing is still getting into the DB calls.
Does anyone know if the vulnerability has been fixed in the latest versions, or is anyone else getting Smarty error messages like this in their Admin Log using the latest versions? If so, I will have to work my way through the core and module code to work out how URL params are handled and where they are (or should be) sanitised.
Re: Injection messages in Admin Log
Posted: Wed Mar 16, 2022 9:25 am
by jce76350
For the Smarty update see
Maj Smarty et modules PHP 8.x
from (International Discussions French - Français)
Re: Injection messages in Admin Log
Posted: Tue Mar 22, 2022 2:44 pm
by MantaPro
Thank you Jean-Claude Etiemble.
I have updated to CMSMS v2.2.16 and all modules to their latest. Suspicious messages in the Admin Log are much reduced, but there are still a few, particularly around the LISE template:
Code:
Unable to load template 'module_db_tpl:LISEVacancies;detail_AC Vacancy Detail'A=0'
cms_template:../ is an invalid CMSMS resource specification
There is a whole lot of regex validation commented out in class.LISEURLOperations.php, and in LISE.module.php and action.detail.php there is an absence of any param clean-up such as urlencode(trim($params['detailtemplate'])), but I have zero insight into how LISE has been coded; I need to read the regex in LISEURLOperations a bit closer to understand what it is filtering.
Re: Injection messages in Admin Log
Posted: Tue Mar 29, 2022 4:08 am
by MantaPro
After having updated the core and all modules to the latest, I have been keeping an eye on the Admin Log to see if any injection attacks are getting deeper into the system than perhaps they ought to. By sifting through the HTTP access logs I can see that this is the URL that still triggers the error message in the Admin Log:
Code:
index.php?mact=LISEVacancies,cntnt01,detail,0&cntnt01item=care_assistant&cntnt01template_summary=AC Welcome&cntnt01detailpage=vacancy-detail-page&cntnt01template_detail=/etc/passwd&cntnt01returnid=29
It is a call to display a page that contains data from a LISE instance using what ought to be a specific LISE detail template, but note the injection hackers are messing with the template name: they are trying to do an OS injection via /etc/passwd as the template name. It is a bit surprising that it gets as far as /lib/classes/internal/class.Smarty_CMS.php, where it fails some validation in "create template" causing a Smarty dump (good that it simply fails validation rather than in a SQL call etc., but this seems about 3 or 4 steps late in shutting down this abuse). Here is the Smarty trace:
Code:
#0 /homepages/38/d242029264/htdocs/acgtest/lib/classes/internal/class.Smarty_CMS.php(365): Smarty_CMS->createTemplate('module_db_tpl:L...', '', 'LISEVacancies', Object(Smarty_CMS))
#1 /homepages/38/d242029264/htdocs/acgtest/lib/classes/internal/module_support/modtemplates.inc.php(174): Smarty_CMS->fetch('module_db_tpl:L...', '', 'LISEVacancies')
#2 /homepages/38/d242029264/htdocs/acgtest/lib/classes/class.CMSModule.php(2647): cms_module_ProcessTemplateFromDatabase(Object(LISEVacancies), 'detail_/etc/pas...', '', false, 'LISEVacancies')
#3 /homepages/38/d242029264/htdocs/acgtest/modules/LISE/framework/action.detail.php(176): CMSModule->ProcessTemplateFromDatabase('detail_/etc/pas...')
#4 /homepages/38/d242029264/htdocs/acgtest/modules/LISE/lib/class.LISEInstance.php(536): include('/homepages/38/d...')
#5 /homepages/38/d242029264/htdocs/acgtest/lib/classes/class.CMSModule.php(1479): LISEInstance->DoAction('detail', 'cntnt01', Array, '29')
#6 /homepages/38/d242029264/htdocs/acgtest/lib/page.functions.php(550): CMSModule->DoActionBase('detail', 'cntnt01', Array, '29', Object(Smarty_CMS))
#7 /homepages/38/d242029264/htdocs/acgtest/index.php(156): preprocess_mact('29')
#8 {main}
At step #5 in /lib/classes/class.CMSModule.php(1479); just prior to this, in lines 1446 and 1457-1461, some URL parameter clean-up is done in the core, but it is clearly failing to trap the "/etc/passwd" string, which seems odd. I think any URL parameter containing "/" ought to be cleaned/rejected.
I am not sure what ->_cleanParamHash does; I will review that next.
Re: Injection messages in Admin Log
Posted: Tue Mar 29, 2022 4:32 am
by MantaPro
OK, I have narrowed the issue down to a bug in /LISE/lib/class.LISEInstance.php.
In "public function InitializeFrontend()", line 178, the template_detail parameter has been overlooked. I will report a bug via LISE's tracker.
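The two posts above describe the same gap from two sides: the core's parameter clean-up not trapping "/etc/passwd", and LISE's InitializeFrontend() skipping template_detail. As an added illustration (not LISE or CMSMS code, and not the poster's), the following PHP shows what a defensive allowlist check on module template-name parameters looks like, and reuses it to scan request query strings from an access log for values that would fail it. The function names, the allowlist regex (letters, digits, space, underscore, hyphen and dot, which matches names such as "AC Vacancy Detail" but rejects "/", "..", quotes and SQL metacharacters) and the sample request lines are all assumptions constructed for this example; real template naming rules may differ and the regex should be adjusted to match them. Note that the check is deliberately limited to template_* parameters rather than rejecting "/" in every GET parameter, since other parameters (return URLs, for instance) may legitimately contain it.

```php
<?php
// Added example, not CMSMS or LISE code. Names and sample data are hypothetical.
declare(strict_types=1);

/**
 * Return the template name if it is a plausible CMSMS template name, else null.
 * Allowlist (assumed naming rule): starts with a letter or digit, then letters,
 * digits, space, underscore, hyphen or dot; no path separators, no "..",
 * no quotes or other metacharacters, bounded length.
 */
function cleanTemplateName(?string $value, int $maxLen = 64): ?string
{
    if ($value === null) {
        return null;
    }
    $value = trim($value);
    if ($value === '' || strlen($value) > $maxLen) {
        return null;
    }
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9 _.-]*$/', $value)) {
        return null;
    }
    // Dots are allowed inside names, but a ".." sequence never is.
    if (strpos($value, '..') !== false) {
        return null;
    }
    return $value;
}

/**
 * Parse the query string of a CMSMS "mact" request and validate every
 * <blockid>template_* parameter (e.g. cntnt01template_detail) with
 * cleanTemplateName(). Returns ['ok' => bool, 'bad' => [name => value]].
 */
function checkMactRequest(string $query): array
{
    parse_str($query, $params);
    $bad = [];
    if (!isset($params['mact'])) {
        return ['ok' => true, 'bad' => $bad];
    }
    // mact=Module,blockid,action,inline  -> the block id prefixes the other params
    $parts = explode(',', (string) $params['mact']);
    $blockId = $parts[1] ?? 'cntnt01';
    $prefix = $blockId . 'template_';
    foreach ($params as $name => $value) {
        if (strpos((string) $name, $prefix) === 0
            && cleanTemplateName((string) $value) === null) {
            $bad[(string) $name] = (string) $value;
        }
    }
    return ['ok' => $bad === [], 'bad' => $bad];
}

// Constructed sample query strings: the first has the tampered template_detail
// value quoted in this thread, the second is a well-formed request.
$requests = [
    'mact=LISEVacancies,cntnt01,detail,0&cntnt01item=care_assistant'
        . '&cntnt01template_summary=AC Welcome&cntnt01detailpage=vacancy-detail-page'
        . '&cntnt01template_detail=/etc/passwd&cntnt01returnid=29',
    'mact=LISEVacancies,cntnt01,detail,0&cntnt01item=care_assistant'
        . '&cntnt01template_detail=AC Vacancy Detail&cntnt01returnid=29',
];

foreach ($requests as $q) {
    $result = checkMactRequest($q);
    echo ($result['ok'] ? 'OK   ' : 'FLAG ') . json_encode($result['bad']) . PHP_EOL;
}
```

In a module, the same cleanTemplateName() check would sit where the action reads its template parameters (the InitializeFrontend() / action.detail.php spots discussed above), falling back to the instance's default template when the check fails, so that a tampered name never reaches Smarty's template loader at all. Run over an access log, checkMactRequest() gives a quick way to confirm which requests are producing the Admin Log entries.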
Re: Injection messages in Admin Log
Posted: Tue Mar 29, 2022 7:03 am
by velden
Thank you for diving into this