Netvolution CMS v2.5.8 is vulnerable to a blind SQL injection attack through the HTTP "Referer" header. A malicious user may use this vulnerability to modify content on the vulnerable website, inject malicious JavaScript code into visitors' browsers, collect CMS usernames and plaintext passwords and, in some cases, execute commands on the system hosting the database server. This is a critical vulnerability since it does not require authentication and its exploitation may go undetected.

Netvolution [1] is a commercial content management system by ATCOM S.A. [2] with a large number of installations, most of them belonging to Greek companies and organizations. The Netvolution platform appears to have both ASP and PHP implementations. This advisory concerns a bug found in the ASP implementation (version 2.5.8). We were unable to verify with the vendor whether this bug also affects other versions of the ASP (or PHP) codebase.

The bug is located in the code that parses the "Referer" HTTP header value. An attacker may inject arbitrary SQL commands into the Netvolution database by sending a "Referer" header like the following:

    Referer: 1','0'); SQL

In the above example "SQL" is a placeholder; the attacker would replace it with the SQL commands to be executed by the database server. The CMS does not return the output of the injected SQL to the client, but that output can still be recovered through "blind" SQL injection techniques. More information about this vulnerability and a Proof of Concept are available at [3].

Because the Referer header value is frequently not written to HTTP transaction logs, an attack based on this vulnerability may go unnoticed by web server administrators. Whether the value is recorded depends on the server's log configuration: Apache's "combined" log format includes it, while IIS W3C logging only records it when the cs(Referer) field has been enabled.

We have repeatedly contacted the software vendor about this issue but have not received a reply. Administrators of Netvolution websites are advised to check with the software vendor to ensure that they are running a non-vulnerable version of the CMS. Until a fixed version is available, administrators may at least want to log and inspect Referer header values at the web server or reverse proxy, so that exploitation attempts leave a trace.
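To make the two points above concrete, the following Python example (added here; it is not part of the original advisory and is not Netvolution's code) shows how a Referer value of the form "1','0'); SQL" breaks out of a quoted value in a statement built by string concatenation, how the same statement behaves once the header value is bound as a parameter, and how the break-out pattern can be picked out of web server logs once the header is actually being recorded. The INSERT statement, the table names, the UPDATE used in place of the "SQL" placeholder and the log lines are all assumptions constructed for the demonstration; SQLite stands in for the real database server.

```python
import re
import sqlite3

# Payload in the shape the advisory gives ("1','0'); SQL"): close the two quoted
# values, then append SQL. The UPDATE and the trailing "--" comment stand in for
# the "SQL" placeholder and are constructed for this demonstration; the comment
# swallows the remainder of the original statement.
PAYLOAD = "1','0'); UPDATE users SET password='pwned' WHERE name='admin'; --"


def build_tracking_insert(referer):
    """Hypothetical referer-tracking INSERT built by string concatenation.

    The advisory shows only the payload, so this two-column statement is an
    assumption chosen to match it. It is not Netvolution's actual code.
    """
    return "INSERT INTO referers (url, hits) VALUES ('" + referer + "','0')"


def _fresh_db():
    # Constructed schema: a referer log and a users table with one account.
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE referers (url TEXT, hits TEXT);"
        "CREATE TABLE users (name TEXT, password TEXT);"
        "INSERT INTO users VALUES ('admin', 's3cret');"
    )
    return con


def _admin_password(con):
    return con.execute(
        "SELECT password FROM users WHERE name = 'admin'").fetchone()[0]


def run_vulnerable(referer):
    """Run the concatenated statement with stacked queries allowed.

    executescript() runs every ';'-separated statement it is given, standing in
    for a database driver that lets the injected statement execute after the
    INSERT. Returns (stored_url, admin_password) so the effect is visible.
    """
    con = _fresh_db()
    con.executescript(build_tracking_insert(referer))
    stored = con.execute("SELECT url FROM referers").fetchone()[0]
    return stored, _admin_password(con)


def run_parameterized(referer):
    """Hardened form: the header value is bound as a query parameter, so
    whatever quotes or semicolons it contains it is stored as data and the
    users table is never touched."""
    con = _fresh_db()
    con.execute("INSERT INTO referers (url, hits) VALUES (?, ?)", (referer, "0"))
    stored = con.execute("SELECT url FROM referers").fetchone()[0]
    return stored, _admin_password(con)


# Constructed log lines in Apache "combined" format, where the Referer is the
# second-to-last quoted field. (IIS W3C logs carry the header only when the
# cs(Referer) field is enabled; once the value is logged the check is the same.)
SAMPLE_LOG = [
    '203.0.113.5 - - [03/Oct/2011:10:00:01 +0300] "GET /default.asp HTTP/1.1" '
    '200 5120 "http://www.example.com/" "Mozilla/5.0"',
    '203.0.113.7 - - [03/Oct/2011:10:00:02 +0300] "GET /default.asp HTTP/1.1" '
    '200 5120 "' + PAYLOAD + '" "Mozilla/5.0"',
    '203.0.113.9 - - [03/Oct/2011:10:00:03 +0300] "GET /news.asp?id=7 HTTP/1.1" '
    '200 2048 "-" "Mozilla/5.0"',
]

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)
# A genuine Referer is a URL. A quote followed by ')' and ';', or a
# quote-comma-quote sequence, is the signature of breaking out of a quoted
# SQL value and has no business in one.
BREAKOUT_RE = re.compile(r"'\s*\)\s*;|'\s*,\s*'")


def suspicious_referers(lines):
    """Return (client_ip, referer) for lines whose Referer looks like a quoted
    value break-out; lines that do not parse as combined format are skipped."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line)
        if m and BREAKOUT_RE.search(m.group("referer")):
            hits.append((m.group("ip"), m.group("referer")))
    return hits


if __name__ == "__main__":
    print("vulnerable, benign referer:", run_vulnerable("http://www.example.com/"))
    print("vulnerable, payload       :", run_vulnerable(PAYLOAD))
    print("parameterized, payload    :", run_parameterized(PAYLOAD))
    print("flagged log entries       :", suspicious_referers(SAMPLE_LOG))
```

With the benign referer the vulnerable path stores the URL and leaves the admin password alone; with the payload the stacked UPDATE runs and the password changes, while the parameterized path stores the whole payload string as the referer and changes nothing. The log check deliberately keys on quote-based break-out patterns rather than on "--", which occurs legitimately in URL slugs and would produce false positives.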
The Common Vulnerabilities and Exposures (CVE) project has assigned the candidate name CVE-2011-3340 to this issue.

Disclosure Timeline
-------------------
CVE assignment:     August 30th, 2011
Vendor Contact(s):  August 31st, 2011
                    September 1st, 2011
                    September 27th, 2011
Public Disclosure:  October 3rd, 2011

Credits
-------
Vulnerability discovered by: Patroklos Argyroudis
Research & Exploitation by:  Dimitris Glynos

Kind regards,
Dimitris Glynos

--
http://census-labs.com -- IT security research, development and services

[1] http://netvolution.net
[2] http://atcom.gr
[3] http://census-labs.com/news/2011/10/03/netvolution-referer-SQLi/