SNS Vulnerability

InstantCMS "orderby" SQL Injection Vulnerability

Description

High-Tech Bridge SA has reported a vulnerability in InstantCMS, which can be exploited by malicious people to conduct SQL injection attacks.
Input passed via the "orderby" POST parameter to e.g. /catalog/2 is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.
The vulnerability is reported in versions 1.10.3 and prior.

Vulnerable Products

Vulnerable Software:
InstantCMS 1.x

Solution

Apply patch. http://www.instantcms.ru/download/patch/security_update_for_iCMS_1.10.3_21-11-2013.zip

CVE

CVE-2013-6839

References

InstantCMS (Russian):
http://www.instantcms.ru/novosti/security-update-1-10-3.html
High-Tech Bridge SA:
https://www.htbridge.com/advisory/HTB23185

Vulnerability Manager Detection

IPS Protection

ASQ Engine alarm	Available Since
SQL injection Prevention - POST : suspicious SELECT statement in data	3.2.0
SQL injection Prevention - POST : possible version probing in data	3.2.0
SQL injection Prevention - POST : suspicious OPENQUERY statement in data	3.2.0
SQL injection Prevention - POST : suspicious CREATE statement in data	3.2.0
SQL injection Prevention - POST : suspicious UPDATE statement in data	3.2.0
SQL injection Prevention - POST : suspicious UNION statement in data	3.2.0
SQL injection Prevention - POST : suspicious DROP statement in data	3.2.0
SQL injection Prevention - POST : suspicious INSERT statement in data	3.2.0
SQL injection Prevention - POST : suspicious OR statement in data	3.2.0
SQL injection Prevention - POST : suspicious EXEC statement in data	3.2.0
SQL injection Prevention - POST : suspicious OPENROWSET statement in data	3.2.0
SQL injection Prevention - POST : suspicious DECLARE statement in data	3.2.0
SQL injection Prevention - POST : suspicious HAVING statement in data	3.2.0
SQL injection Prevention - POST : suspicious CAST statement in data	3.2.0
SQL injection Prevention - POST : suspicious UPDATE statement in data	5.0.0
SQL injection Prevention - POST : suspicious SELECT statement in data	5.0.0
SQL injection Prevention - POST : suspicious DECLARE statement in data	5.0.0
SQL injection Prevention - POST : suspicious OPENROWSET statement in data	5.0.0
SQL injection Prevention - POST : suspicious OPENQUERY statement in data	5.0.0
SQL injection Prevention - POST : suspicious CAST statement in data	5.0.0
SQL injection Prevention - POST : suspicious EXEC statement in data	5.0.0
SQL injection Prevention - POST : suspicious CREATE statement in data	5.0.0
SQL injection Prevention - POST : suspicious INSERT statement in data	5.0.0
SQL injection Prevention - POST : suspicious DROP statement in data	5.0.0
SQL injection Prevention - POST : suspicious HAVING statement in data	5.0.0
SQL injection Prevention - POST : suspicious UNION statement in data	5.0.0
SQL injection Prevention - POST : suspicious OR statement in data	5.0.0
SQL injection Prevention - POST : possible version probing in data	5.0.0

Risk level

Moderate

Vulnerability First Public Report Date

2013-12-11

Target Type

Server

Possible exploit

Remote