Exponent CMS SQL Injection
- Published: 14 Feb 2012
The file cron/send_reminders.php passes unsanitised input from the src parameter into an SQL query, and the script can be accessed by unauthorised users.
Blind SQL injection can allow file upload, which in turn could allow remote command execution.
cron/send_reminders.php uses the value of $_GET['src'] in the function selectObject(). Although the value is passed through serialize(), serialize() does not escape or remove quote characters, so the input still allows SQL injection.
Revoke access permissions to cron/send_reminders.php.
Apply the vendor fix.
In cron/send_reminders.php, the $src value is taken from $_GET['src']. $loc takes $src together with mod and int and passes them into:

    $db->selectObject("calendarmodule_config", "location_data='" . serialize($loc) . "'");

The serialised $loc variable is used (in the case of MySQL) in framework/core/subsystem/database/mysqli.php in the function selectObject() as the $where variable in the query:

    "SELECT * FROM " . $this->prefix . "$table
    WHERE $where LIMIT 0,1"
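The following is an added example, not Exponent CMS code, showing why serialize() gives no protection here and how the same lookup can be made with a bound parameter. The function names, the table prefix argument and the build_location() helper are assumptions modelled on the advisory text; the real selectObject() abstraction is not reproduced.

```php
<?php
// Added example (not from Exponent CMS). Demonstrates that serialize() leaves
// quote characters intact, and shows the same lookup done with a prepared
// statement. Names below are assumptions, not the project's own API.

// Build the location array the way the advisory describes it (mod, src, int).
function build_location(string $mod, string $src, string $int): array
{
    return ['mod' => $mod, 'src' => $src, 'int' => $int];
}

// Vulnerable pattern from the advisory: the serialised array is concatenated
// straight into the WHERE clause, wrapped only in single quotes.
function where_clause_unsafe(array $loc): string
{
    return "location_data='" . serialize($loc) . "'";
}

// serialize() encodes a string as s:<length>:"<bytes>"; and copies the bytes
// verbatim, so any single quote in the value survives into the SQL text and
// terminates the string literal. This returns true for such a value.
function serialized_keeps_quotes(string $value): bool
{
    return strpos(serialize($value), "'") !== false;
}

// Hardened form: identical query shape, but the serialised value is sent as a
// bound parameter, so the database never parses it as SQL. Requires mysqlnd
// for get_result(); $prefix stands in for $this->prefix in the advisory.
function select_location_safe(mysqli $db, string $prefix, array $loc): ?array
{
    $sql  = "SELECT * FROM " . $prefix . "calendarmodule_config"
          . " WHERE location_data = ? LIMIT 0,1";
    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $data = serialize($loc);          // bind_param() needs a variable, not an expression
    $stmt->bind_param('s', $data);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Fallback when the abstraction layer cannot bind parameters: escape the
// serialised string with the connection's charset-aware escaper before
// concatenating. Still weaker than binding, but closes the quote break-out.
function where_clause_escaped(mysqli $db, array $loc): string
{
    return "location_data='" . $db->real_escape_string(serialize($loc)) . "'";
}

// Quick self-check, runnable without a database connection.
$benign  = build_location('calendarmodule', '11', '0');
$crafted = build_location('calendarmodule', "11' or 1=1", '0');  // constructed sample
var_dump(serialized_keeps_quotes($benign['src']));   // bool(false)
var_dump(serialized_keeps_quotes($crafted['src']));  // bool(true)
echo where_clause_unsafe($crafted), "\n";            // quote reaches the SQL unescaped
```

The self-check at the bottom needs no database; select_location_safe() and where_clause_escaped() need a live mysqli connection and are the forms a fix would use in place of the string concatenation the advisory quotes.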
Therefore the following request will cause an SQL timeout:
/exponent/cron/send_reminders.php?src=src%3d11"%3b}'%20or%201%3d1%20AND%20SLEEP(5)%20%3b%20--%20"