Secunia Research: SyndeoCMS Nine SQL Injection Vulnerabilities

====================================================================== 

                      Secunia Research 20/04/2012

            - SyndeoCMS Nine SQL Injection Vulnerabilities -

======================================================================
Table of Contents

Affected Software....................................................1
Severity.............................................................2
Vendor's Description of Software.....................................3
Description of Vulnerability.........................................4
Solution.............................................................5
Time Table...........................................................6
Credits..............................................................7
References...........................................................8
About Secunia........................................................9
Verification........................................................10

======================================================================
1) Affected Software

* SyndeoCMS 3.0.00

NOTE: Other versions may also be affected.

======================================================================
2) Severity

Rating: Less Critical
Impact: Manipulation of Data
Where:  Remote

======================================================================
3) Vendor's Description of Software

"A Content Management System (CMS) for primary schools, which helps 
you manage and maintain your website. It can also be a very usefull 
CMS for small companies or non profit organizations. It is Open Source
Software (that means free to use), licensed under the General Public 
license. Syndeocms is my continuation of Site@School 2.4.10.".

Product Link:
http://www.syndeocms.org/

======================================================================
4) Description of Vulnerabilities

Secunia Research has discovered multiple vulnerabilities in SyndeoCMS,
which can be exploited by malicious users to conduct SQL injection 
attacks.

1) Input passed via the "class[]" POST parameters (when editing a 
teacher within the "Teacher" configuration), the "project[]" POST 
parameters (e.g. when editing a pupil within the "Pupils & Groups" 
configuration), the "sections" POST parameter (when editing an alert 
within the "Alerts" configuration), the "send_email" POST parameter 
(when editing a project within the "Projects" configuration), and the 
"send_alerts" and "send_alerts_per_section" POST parameters (when 
editing the configuration withing the "Alerts" configuration) to 
starnet/index.php is not properly sanitised before being used in a SQL 
query. This can be exploited to manipulate SQL queries by injecting 
arbitrary SQL code.

Successful exploitation of these vulnerabilities requires access 
rights to the respective "Configuration" sections.

2) Input passed via the "search_arg" POST parameter to 
starnet/index.php (when using the "Search" functionality within the 
"Newsletter" module) is not properly sanitised before being used in 
SQL queries. This can be exploited to manipulate SQL queries by 
injecting arbitrary SQL code.

3) Input passed via the "logging" POST parameter to starnet/index.php
(when creating a poll within the "Polls" module) is not properly 
sanitised before being used in a SQL query. This can be exploited to 
manipulate SQL queries by injecting arbitrary SQL code.

4) Input passed e.g. via the "article_content" POST parameter to 
starnet/index.php (when editing an article within the "News" module) 
is not properly sanitised in the "sanitize()" function (starnet/core
/common.inc.php) before being used in a SQL query. This can be 
exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of vulnerabilities #2 through #4 requires 
access rights to the respective modules in "Module Manager".

======================================================================
5) Solution

Update to version 3.0.01.

======================================================================
6) Time Table

04/08/2011 - Requested security contact.
04/08/2011 - Vendor provides security contact.
06/08/2011 - Vendor notified.
23/09/2011 - Vendor releases version 3.0.
01/10/2011 - Vendor notified of incomplete fixes and 
             additional vulnerabilities.
24/11/2011 - Additional details provided to the vendor.
13/12/2011 - Requested status update.
29/12/2011 - Requested status update.
15/01/2012 - Vendor releases version 3.0.01.
20/04/2012 - Public disclosure.

======================================================================
7) Credits

Discovered by Secunia Research.

======================================================================
8) References

The Common Vulnerabilities and Exposures (CVE) project has not 
currently assigned a CVE identifier for the vulnerabilities.

======================================================================
9) About Secunia

Secunia offers vulnerability management solutions to corporate 
customers with verified and reliable vulnerability intelligence 
relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory 
database as a service to the security community and private 
individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to 
do active vulnerability research in order to aid improving the security 
and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below 
to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

======================================================================
10) Verification

Please verify this advisory by visiting the Secunia website:
http://secunia.com/secunia_research/2012-10/

Complete list of vulnerability reports published by Secunia Research:
http://secunia.com/secunia_research/

======================================================================