
I believe this flaw is only the tip of the iceberg, as most queries do not check/escape their input, but this is the one I was able to trigger from the URL.

In line 323 of class.frontendpage.php the query should be replaced by:

$sql = "SELECT * FROM `sym_pages` WHERE `path` ".($path ? " = '".mysql_real_escape_string($path)."'" : 'IS NULL')." AND `handle` = '".mysql_real_escape_string($handle)."' LIMIT 1";

To check if a site is vulnerable, just go to http://www.yourdomain.com/'/. If it returns a Symphony fatal error, you are vulnerable.
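The same lookup written with a prepared statement instead of string escaping, added here as an example and not Symphony's own code; it assumes a PDO connection (Symphony 2.0.7 used the mysql_* extension) and uses an in-memory SQLite table in place of MySQL so it runs stand-alone:

```php
<?php
// Added example: the page query from class.frontendpage.php with $path and
// $handle bound as parameters, so URL input can never alter the SQL structure.
// Assumption: a PDO connection is available (PDO is a stand-in for mysql_*).
function findPage(PDO $db, ?string $path, string $handle): ?array
{
    // "IS NULL" cannot be expressed through a bound value, so the two
    // branches are still chosen in PHP (same truthiness test as the original),
    // but no user-supplied data is ever concatenated into the SQL text.
    if ($path) {
        $sql = "SELECT * FROM `sym_pages` WHERE `path` = :path AND `handle` = :handle LIMIT 1";
        $params = [':path' => $path, ':handle' => $handle];
    } else {
        $sql = "SELECT * FROM `sym_pages` WHERE `path` IS NULL AND `handle` = :handle LIMIT 1";
        $params = [':handle' => $handle];
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed demo data: an in-memory SQLite table standing in for `sym_pages`.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE `sym_pages` (id INTEGER PRIMARY KEY, path TEXT NULL, handle TEXT NOT NULL)");
$db->exec("INSERT INTO `sym_pages` (path, handle) VALUES (NULL, 'home'), ('blog', 'article')");

var_dump(findPage($db, null, 'home'));       // root page, path IS NULL branch
var_dump(findPage($db, 'blog', 'article'));  // nested page, path = :path branch

// The probe from the thread: a handle consisting of a single quote. Bound as a
// parameter it is simply an unknown handle and yields no row instead of a
// SQL syntax error (and therefore no verbose database error page).
var_dump(findPage($db, null, "'"));
```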

@creativedutchmen - you might upgrade to 2.0.8RC3. 2.0.7 has been nothing but trouble (or that’s been my experience), but since moving to the 2.0.8 RCs, I haven’t had any trouble. FYI, I checked to see if my 2.0.8 RC3 sites were vulnerable per your test above, and they didn’t return a fatal error, so maybe this has been taken care of in the 2.0.8RC series.

Thanks for notifying the community of your find. If you haven’t done so already, please log this in the Issues section of this site.

If you find vulnerabilities in the core, it is a good idea to send an email to the team before posting the how-to here in the forum. In the past the team has been very responsive (in those rare urgent cases)!

This has been fixed in Symphony 2.0.8RC3: http://getsymphony.com/discuss/issues/view/326/

And to second Michael, please do always contact the team directly before posting a vulnerability in a public forum like this. Thanks!

If you find vulnerabilities in the core, it is a good idea to send an email to the team before posting the how-to here in the forum. In the past the team has been very responsive (in those rare urgent cases)!

Good point, didn’t realise posting it could be worse than the flaw itself. Should I still email the core team, do you think?

Yes, if you find the time please e-mail them with a link to this thread. I think that Nils’ suggestion is very reasonable. People shouldn’t use 2.0.7 anymore, and they will be encouraged to switch by an official release. (Indeed 2.0.8 RC3 is much better than 2.0.7 ever was.)

People shouldn’t use 2.0.7 anymore, and they will be encouraged to switch by an official release.

I agree. If this is actually a vulnerability, there probably should be another patch to 2.0.7, or 2.0.8/2.1 should be released, in short order.

I don’t like saying what ‘should’ happen without having more skin in the game, but having to upgrade clients to an RC for security would be a little awkward.

To fix this in Symphony 2.0.7 it should be sufficient to replace the current /symphony/lib/toolkit/class.frontendpage.php with this one available on GitHub.

I agree. If this is actually a vulnerability

It is. I just ran a few tests on localhost, and I was able to extract the user info from the database (passwords, tokens, etc).

Also, while trying to exploit the vulnerability on a local site, I found that the errors given by Symphony really help in finding database structures and other critical data.

Do you think Symphony should have two modes (production and development)? That way warnings/errors can be used for tracking down errors, but they don’t help hackers in their search for passwords.

This could even be done in the maintenance mode extension. (If not checked: production, if checked: development)

Do you think Symphony should have two modes (production and development)? That way warnings/errors can be used for tracking down errors, but they don’t help hackers in their search for passwords.

I think this is a very good idea! I even think that being unable to switch off those verbose errors and warnings should be treated as a bug.

I think this is a very good idea! Actually, I even think that being unable to switch verbose error messages off should be treated as a bug.

Agreed.

This might be the wrong thread, but why are the passwords in the database md5 hashed? Cracking my standard password (8 chars, mixed upper/lowercase and numeric) takes about 1 second. I think SHA (or another safer hash) should be used (or salts, if a different hash is not an option).

The flawed 2.0.7 installation is still the default download on getsymphony.com.

This means every project built on Symphony downloaded from this website can be hacked.

This release should be patched ASAP, to make sure as few websites as possible use this flawed version.

Have you contacted Allen and Craig? (team@thisdomain)

Ah, I sent the email to the wrong email address, thanks.

I’ve also opened a ticket about making the verbose error logging optional:

http://getsymphony.com/discuss/issues/view/360/

I’ve opened a ticket on the unsafe md5 hash:

http://getsymphony.com/discuss/issues/view/361/

Thanks, Huib!

The Symphony 2.0.7 download has been retro-patched with the fix from 2.0.8 RC3. We are now moving full-steam ahead on the next version’s release and hope to have that made available this week.

Please note that the 2.0.7 tag on GitHub has not been patched with the fix, as back-porting fixes causes versioning related headaches. For those who use GitHub, we recommend using 2.0.8 RC3 or waiting until the final version is released soon.
