Details of duo of flaws in management portal made public weeks after fix

Blocked accounts abused in Evolution CMS SQL injection attacks

A severe unauthenticated SQL injection vulnerability has been patched by developers of the Evolution CMS.

Evolution is a PHP-based, open source content management system (CMS) used to manage the backend of websites.

On February 8, cybersecurity firm Synacktiv publicly revealed the existence of two security flaws in the CMS and how a “blocked account” can be exploited to perform an “unauthenticated SQLi in Evolution CMS using the X-Forwarded-For header”.

Written by Synacktiv’s Nicolas Biscos and Thomas Etrillard, the security advisory (PDF) details an unauthenticated SQL injection vulnerability on the Evolution manager login page.


This security flaw was caused by how the application builds its SQL queries. If a user were to send crafted data, the query could be modified before it reached the Evolution database.

As the CMS logs actions in the manager interface and inserts data into a database, the IP field is not scrubbed properly, and so the X-Forwarded-For header can be tampered with.

When an account in the manager interface is blocked, a particular function is called which can be exploited by an attacker without authentication to extract SQL database records.

A threat actor could also trigger an account block on purpose by issuing invalid login attempts.
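The root cause described above is header-derived text reaching SQL as query text rather than as data. The following is an added example, not Evolution CMS code, showing the concatenation pattern beside the parameterized form, plus a helper that only accepts an X-Forwarded-For value if it parses as an IP address. The table name, column names and sample values are constructed for the example.

```python
"""Added example (not Evolution CMS code): logging a client IP for a manager
action without letting the X-Forwarded-For header reach SQL as query text.
The manager_log table and its columns are constructed for this example."""
import ipaddress
import sqlite3
from typing import List, Optional


def client_ip(remote_addr: str, x_forwarded_for: Optional[str]) -> str:
    """Return the address to log.

    Only the first X-Forwarded-For entry is considered, and only if it parses
    as an IP address; otherwise the socket-level address is used. A proxy
    header is attacker-controlled unless a trusted proxy in front of the
    application overwrites it, so it is validated, never trusted as-is."""
    if x_forwarded_for:
        first = x_forwarded_for.split(",")[0].strip()
        try:
            return str(ipaddress.ip_address(first))
        except ValueError:
            pass  # not an address: fall back to the connection's own address
    return remote_addr


def setup() -> sqlite3.Connection:
    """In-memory database with a constructed log table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE manager_log "
        "(id INTEGER PRIMARY KEY, username TEXT, action TEXT, ip TEXT)"
    )
    return conn


def log_action_unsafe(conn: sqlite3.Connection, username: str,
                      action: str, ip: str) -> None:
    """The vulnerable pattern: request-derived text is concatenated into SQL,
    so a quote character in the IP field changes the statement itself."""
    sql = (
        "INSERT INTO manager_log (username, action, ip) "
        f"VALUES ('{username}', '{action}', '{ip}')"
    )
    conn.execute(sql)


def log_action(conn: sqlite3.Connection, username: str,
               action: str, ip: str) -> None:
    """Hardened version: every value is a bound parameter, so the IP string is
    stored literally no matter what characters it contains."""
    conn.execute(
        "INSERT INTO manager_log (username, action, ip) VALUES (?, ?, ?)",
        (username, action, ip),
    )


def logged_ips(conn: sqlite3.Connection) -> List[str]:
    return [row[0] for row in conn.execute("SELECT ip FROM manager_log ORDER BY id")]


def unsafe_insert_breaks(conn: sqlite3.Connection, ip: str) -> bool:
    """True if the concatenating insert fails to parse for this IP value,
    which is the symptom that the value altered the SQL statement."""
    try:
        log_action_unsafe(conn, "admin", "login_failed", ip)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    db = setup()
    print(client_ip("10.0.0.1", "203.0.113.7, 10.0.0.2"))   # trusted-looking entry kept
    print(client_ip("10.0.0.1", "not an address"))           # falls back to REMOTE_ADDR
    log_action(db, "admin", "login_failed", "1.2.3.4'")
    print(logged_ips(db), unsafe_insert_breaks(db, "1.2.3.4'"))
```

Parameterization alone closes the injection; the `client_ip` validation is a second layer that also keeps garbage out of the log. Note that with sqlite3 a stray quote makes the concatenated statement fail to parse, which is the observable symptom of the same defect that, with a different driver and query shape, the advisory describes as exploitable.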

Time-based user enumeration

The second bug found by Synacktiv also stemmed from the management interface. To find out whether an account exists, attackers can take advantage of a behavioral difference during the authentication phase.

According to the researchers, “you can determine the presence of a user based on the application’s response time,” and if an account does not exist, the “full authentication process” does not take place.

Combining the knowledge of an existing account, and blocking it on purpose, can then be used to trigger the SQL injection flaw.
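The timing difference comes from the login path skipping the expensive password check when the username is unknown. The following added example (not Evolution CMS code) contrasts that short-circuit with a login check that performs one password hash on every attempt, using a dummy record for unknown users so the amount of work, and therefore the response time, is the same either way. The user store, salt and iteration count are constructed for the example.

```python
"""Added example (not Evolution CMS code): a login check that performs the
same password-hashing work whether or not the username exists, so response
time does not reveal which accounts are present."""
import hashlib
import hmac
import os
from typing import Callable

HASH_ITERATIONS = 50_000          # constructed value; real deployments tune this
HASH_CALLS = {"count": 0}         # instrumentation so the work done can be compared


def hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256; the counter records how often this runs."""
    HASH_CALLS["count"] += 1
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, HASH_ITERATIONS)


# Constructed user store: username -> (salt, password hash)
_SALT = b"example-salt-0000"
USERS = {"editor": (_SALT, hash_password("correct horse", _SALT))}

# Dummy record for unknown usernames: a random hash that no password will
# match, but that costs exactly as much to check as a real one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password(os.urandom(16).hex(), _DUMMY_SALT)


def login_leaky(username: str, password: str) -> bool:
    """Short-circuits on unknown users: no hashing, so a faster response that
    lets a client tell existing accounts from non-existent ones."""
    rec = USERS.get(username)
    if rec is None:
        return False
    salt, expected = rec
    return hmac.compare_digest(hash_password(password, salt), expected)


def login_constant_work(username: str, password: str) -> bool:
    """Always hashes once. Unknown users are checked against the dummy record
    and the result is forced to False without skipping the work."""
    rec = USERS.get(username)
    salt, expected = rec if rec is not None else (_DUMMY_SALT, _DUMMY_HASH)
    match = hmac.compare_digest(hash_password(password, salt), expected)
    return match and rec is not None


def hash_calls_for(login: Callable[[str, str], bool],
                   username: str, password: str) -> int:
    """Number of password-hash computations one login attempt performs."""
    before = HASH_CALLS["count"]
    login(username, password)
    return HASH_CALLS["count"] - before


if __name__ == "__main__":
    for fn in (login_leaky, login_constant_work):
        print(fn.__name__,
              "known:", hash_calls_for(fn, "editor", "wrong"),
              "unknown:", hash_calls_for(fn, "nobody", "wrong"))
```

Equal hashing work removes the large timing signal the researchers describe; remaining differences (a database lookup hit versus miss, for instance) are far smaller and, as Synacktiv notes, depend on how the server handles timing. Keeping the error message identical for both cases matters just as much as keeping the work equal.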

Synacktiv told The Daily Swig that the time-based enumeration vulnerability is not very common, as “this kind of bug depends on time and on the way the server handles it”.


The security issues have been fixed in Evolution versions 1.4.12, 2.0.4, and in 3.0.

The researchers submitted their findings to Evolution on December 21. The developer responded quickly and issued a fix on the same day.

Synacktiv said that the vendor’s choice to go public with details of the flaw weeks after its discovery was to “give time to people to fix (and time for us to publish).”

Evolution CEO Dmytro Lukianenko thanked the researchers for their findings and has urged all users to update their software.
