VYPR
Unrated severity · OSV Advisory · Published Feb 19, 2018 · Updated Aug 6, 2024

CVE-2016-10007

Description

SQL injection vulnerability in the "Marketing > Forms" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_FORM_HANDLER_orderBy parameter.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

SQL injection in dotCMS Marketing Forms via orderBy parameter allows authenticated admins to execute arbitrary SQL commands.

Vulnerability

SQL injection vulnerability in dotCMS's "Marketing > Forms" screen. The _EXT_FORM_HANDLER_orderBy parameter is not properly sanitized. In version 3.7, a whitelist-based sanitization was introduced but can be bypassed. Affected versions: dotCMS before 3.7.2 and 4.x before 4.1.1. [1]

Exploitation

An authenticated administrator with access to the Marketing > Forms screen can supply a crafted `_EXT_FORM_HANDLER_orderBy` value. The sort expression is meant to be checked by a sanitization routine (sanitizeSortBy) against a whitelist of allowed values, but the reference shows that a value outside that whitelist can still carry an SQL payload into the query, so the filtering in place is insufficient. [1]

Impact

Successful exploitation lets the attacker run attacker-controlled SQL in the application's database session, with the privileges of the database user the application connects as: data can be read, modified, or deleted. Note that the injection point is an ORDER BY clause; the technique the reference demonstrates is boolean-based blind inference (choosing the sort column with a CASE expression and reading the answer from the row order), so extraction is one bit per request, and going beyond inference depends on what the database permits in that position. [1]

Mitigation

Upgrade to dotCMS version 3.7.2 or 4.1.1, which contain the fix. No workaround is provided. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog. [1]
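Since no workaround is given, log review is the practical compensating control until the upgrade lands. The following is an added example, not dotCMS code and not from the advisory: it scans access-log lines for `_EXT_FORM_HANDLER_orderBy` values that are not a bare column name, using the exploit URL shape the advisory documents. The log lines are constructed, and the log format and the function names are assumptions.

```python
"""Added example (not dotCMS code): a compensating detection for the exploit
URL shape the advisory documents, for use in log review while the upgrade to
3.7.2 / 4.1.1 is scheduled. The log lines are constructed, not real dotCMS
access logs; the log format and function names are assumptions."""
import re
from urllib.parse import parse_qs, urlsplit

# A legitimate sort value is a bare column name (optionally table-qualified).
SAFE_SORT = re.compile(r"^[A-Za-z_][A-Za-z0-9_.]*$")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+)')

# Constructed sample lines in common log format: a benign sort, the two CASE
# oracle requests from the advisory, and an unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - admin [19/Feb/2018:10:00:01 +0000] "GET /c/portal/layout?p_p_id=EXT_FORM_HANDLER'
    '&_EXT_FORM_HANDLER_orderBy=title&_EXT_FORM_HANDLER_direction=asc HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [19/Feb/2018:10:00:07 +0000] "GET /c/portal/layout?p_p_id=EXT_FORM_HANDLER'
    '&_EXT_FORM_HANDLER_orderBy=case+when+1%3D1+then+name+else+description+end'
    '&_EXT_FORM_HANDLER_direction=asc HTTP/1.1" 200 5120',
    '10.0.0.5 - admin [19/Feb/2018:10:00:09 +0000] "GET /c/portal/layout?p_p_id=EXT_FORM_HANDLER'
    '&_EXT_FORM_HANDLER_orderBy=case+when+1%3D0+then+name+else+description+end'
    '&_EXT_FORM_HANDLER_direction=asc HTTP/1.1" 200 5120',
    '10.0.0.9 - - [19/Feb/2018:10:01:00 +0000] "GET /index.html HTTP/1.1" 200 77',
]


def suspicious_sort_values(lines):
    """Return the decoded _EXT_FORM_HANDLER_orderBy values that are not a bare
    column name, one entry per offending request, in log order."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if not m:
            continue
        # parse_qs decodes percent-escapes and '+', so we test the value the
        # application would actually see.
        query = parse_qs(urlsplit(m.group(1)).query, keep_blank_values=True)
        for value in query.get("_EXT_FORM_HANDLER_orderBy", []):
            if not SAFE_SORT.match(value):
                hits.append(value)
    return hits


if __name__ == "__main__":
    for v in suspicious_sort_values(SAMPLE_LOG):
        print("suspicious orderBy:", v)
```

The check is deliberately an allow-list on the decoded value rather than a search for SQL keywords: the documented payload has no quotes or comment markers, so keyword blacklists are exactly the kind of filter that misses it. Because exploitation requires an administrator session, any hit also identifies the account to review.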

AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (1): dotCMS

Patches (2)
80ee26851078

add build name and changes for zero byte files

https://github.com/dotcms/core · joseorsini · Oct 2, 2017 · via osv
2 files changed · +25 −13
  • src/com/liferay/portal/util/build.properties  +5 −5  modified
    @@ -1,9 +1,9 @@
    -#Tue, 07 Feb 2017 06:06:34 -0600
    +#Fri, 29 Sep 2017 14:50:22 -0600
     dotcms.release.name=dotCMS Platform
    -dotcms.release.version=3.7.1
    -dotcms.release.codename=TRex
    -dotcms.release.build=57dc8a6
    -dotcms.release.date=Feb 07, 2017
    +dotcms.release.version=3.7.2
    +dotcms.release.codename=Aoshima
    +dotcms.release.build=e181f40
    +dotcms.release.date=Sep 29, 2017
     
     tomcat.install.branch=8.0.18-master-3.5
     tomcat.install.version=8.0.18
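Review bot: nothing in this hunk touches the SQL sanitization; it only bumps build.properties from 3.7.1/TRex (build 57dc8a6, Feb 07, 2017) to 3.7.2/Aoshima (build e181f40, Sep 29, 2017). If this commit is linked to CVE-2016-10007 only because it carries the 3.7.2 version string, the advisory's patch linkage should point at the commit that changes InodeFactory or SQLUtil instead, or the link should be dropped.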
    
  • src/com/liferay/util/FileUtil.java  +20 −8  modified
    @@ -47,6 +47,7 @@
     import java.nio.channels.FileChannel;
    
     import java.nio.channels.ReadableByteChannel;
    
     import java.nio.channels.WritableByteChannel;
    
    +import java.nio.file.FileAlreadyExistsException;
    
     import java.nio.file.Files;
    
     import java.nio.file.Path;
    
     import java.nio.file.Paths;
    
    @@ -159,6 +160,10 @@ public static void copyFile(File source, File destination, boolean hardLinks) th
             if (!source.exists()) {
    
                 throw new IOException("Source file does not exist" + source);
    
             }
    
    +
    
    +        if(source.getAbsolutePath().equalsIgnoreCase(destination.getAbsolutePath())) {
    
    +        	return;
    
    +		}
    
             
    
             validateEmptyFile(source);
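Review bot: the new same-path guard compares getAbsolutePath() with equalsIgnoreCase, which is wrong on case-sensitive filesystems: on Linux `/a/Form.txt` and `/a/form.txt` are different files, and this early return silently skips the copy. getAbsolutePath() also does not resolve symlinks or `..`, so two spellings of the same file still fall through to the hard-link attempt. Compare getCanonicalPath() instead, or use `Files.isSameFile(source.toPath(), destination.toPath())` once the destination is known to exist (only the source is existence-checked above). Minor: the `return;` and closing-brace lines mix tabs with the surrounding spaces.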
    
     
    
    @@ -190,16 +195,23 @@ public static void copyFile(File source, File destination, boolean hardLinks) th
                     // setting this means we will try again if we cannot hard link
    
                     if (!destination.exists() || destination.length() == 0) {
    
                         hardLinks = false;
    
    -                    Logger.warn(FileUtil.class, "Can't create hardLink. source: " + source.getAbsolutePath()
    
    -                            + ", destination: " + destination.getAbsolutePath());
    
    +                    StringBuilder sb = new StringBuilder();
    
    +                    sb.append("Can't create hardLink. source: " + source.getAbsolutePath());
    
    +                    sb.append(", destination: " + destination.getAbsolutePath());
    
    +                    Logger.warn(FileUtil.class, sb.toString());
    
                     }
    
    -            } catch (IOException e) {
    
    -
    
    +            }  catch (FileAlreadyExistsException e1) {
    
    +                StringBuilder sb = new StringBuilder();
    
    +                sb.append("Source File: " + source.getAbsolutePath());
    
    +                sb.append("already exists on the destination: " + destination.getAbsolutePath());
    
    +                Logger.debug(FileUtil.class, sb.toString());
    
    +            } catch (IOException e2 ){
    
                     hardLinks = false; // setting to false will execute the fallback
    
    -                Logger.debug(FileUtil.class,
    
    -                        "Could not created the hard link, will try copy for source: " + source +
    
    -                        ", destination: " + destination + ". Error message: " + e.getMessage());
    
    -            }
    
    +                StringBuilder sb = new StringBuilder();
    
    +                sb.append("Could not created the hard link, will try copy for source: " + source);
    
    +                sb.append(", destination: " + destination + ". Error message: " + e2.getMessage());
    
    +                Logger.debug(FileUtil.class, sb.toString());
    
    +            } 
    
             }
    
     
    
             if (!hardLinks) {
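Review bot: the new `catch (FileAlreadyExistsException e1)` branch logs at debug and leaves `hardLinks` true, so when the destination already exists the method skips both the hard link and the fallback copy guarded by `if (!hardLinks)` below, and the caller gets no signal that the destination may hold different content than the source. Before this change FileAlreadyExistsException, being an IOException, fell into the generic catch that set `hardLinks = false` and copied. Either set `hardLinks = false` in the new branch as well, or state explicitly (in the log message and a comment) that an existing destination is accepted as-is. Minor: `sb.append("Source File: " + source.getAbsolutePath())` still does the string concatenation inside the append, so the StringBuilder rewrite buys nothing over the original single concatenated message.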
    
    
67371d275950

Updating dependencies

https://github.com/dotcms/core · Jonathan Gamba · Jun 16, 2017 · via osv
1 file changed · +1 −1
  • dotCMS/src/main/enterprise  +1 −1  modified
    @@ -1 +1 @@
    -Subproject commit 0de519d7ec3aefd721d34b19a78c592ab30fbe15
    +Subproject commit d6639e147bb71ea044feb983600dfff6e58283cf
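Review bot: this hunk only moves the `dotCMS/src/main/enterprise` submodule pointer from 0de519d7 to d6639e14; no code is visible in the diff, so whether the new submodule revision contains the orderBy fix cannot be reviewed here. Link the enterprise-repository commit, or describe the change in the commit message, so the advisory's patch linkage can be verified; as it stands "Updating dependencies" is the only record.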
    

Vulnerability mechanics

Root cause

"Missing input validation in `InodeFactory.getInodesOfClassByConditionAndOrderBy` allows the `direction` parameter to be concatenated directly into the SQL query after insufficient sanitization."

Attack vector

An authenticated administrator triggers the injection from the "Marketing > Forms" screen: clicking a column header in the results table issues a request carrying the `_EXT_FORM_HANDLER_orderBy` parameter [ref_id=1]. The attacker replaces that value with an expression such as `case when 1=1 then name else description end`; the true and false branches sort by different columns, so the order of the returned rows answers a yes/no question about the database (boolean-based blind injection) [ref_id=1]. Preconditions: the attacker must be authenticated and authorized as an administrator [ref_id=1]. The value is concatenated into the query's ORDER BY clause without proper validation [ref_id=1]. Because the sink is an ORDER BY position, what the reference shows directly is control over the sort expression; moving from there to other statements depends on what expressions the database accepts in that position, and the blind oracle yields one bit per request.

Affected code

The vulnerability resides in `InodeFactory.java`, in the `getInodesOfClassByConditionAndOrderBy` method. The `direction` parameter is passed through `SQLUtil.sanitizeParameter` and then concatenated directly into the SQL query [ref_id=1]. A character-escaping sanitizer is the wrong kind of check for this position: the reference's payload, `case when 1=1 then name else description end`, contains no quote character and no comment sequence, so escaping leaves it unchanged, and only an allow-list of permitted column names would reject it. The request parameter exercised in the reference is `_EXT_FORM_HANDLER_orderBy`, sent alongside `_EXT_FORM_HANDLER_direction` [ref_id=1]. `CategoryFactoryImpl.java` shows a secondary pattern where the `filter` parameter is sanitized twice, which breaks the escaping [ref_id=1].

What the fix does

The provided patches [patch_id=2247197] and [patch_id=2247198] update version metadata and subproject dependencies but do not contain a fix for the SQL injection vulnerability described in the advisory. The advisory notes that the fix was released in dotCMS versions 3.7.2 and 4.1.1, but no patch diff addressing the `InodeFactory.java` or `CategoryFactoryImpl.java` code is included in this bundle [ref_id=1]. Without the actual security patch, the remediation guidance is to upgrade to dotCMS 3.7.2 or 4.1.1 [ref_id=1].

Preconditions

  • Auth: Attacker must be authenticated and authorized as an administrator
  • Network: Attacker must have access to the Marketing > Forms screen in the admin UI

Reproduction

Visit the "Marketing > Forms" screen in the admin UI and click on a column title in the results table to generate a request with the `_EXT_FORM_HANDLER_orderBy` parameter. Use a URL such as: `/c/portal/layout?p_l_id=89594b95-1354-4a63-8867-c922880107df&p_p_id=EXT_FORM_HANDLER&p_p_action=1&p_p_state=maximized&p_p_mode=view&_EXT_FORM_HANDLER_struts_action=%2Fext%2Fformhandler%2Fview_form&_EXT_FORM_HANDLER_orderBy=SQLi&_EXT_FORM_HANDLER_direction=asc` [ref_id=1]. For boolean-based injection, use `_EXT_FORM_HANDLER_orderBy=case when 1=1 then name else description end` (true condition orders by name) and `_EXT_FORM_HANDLER_orderBy=case when 1=0 then name else description end` (false condition orders by description) [ref_id=1].
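The sink, the oracle built on it, and the allow-list fix, in one runnable form. This is an added example, not dotCMS code and not from the reference: sqlite3 stands in for the dotCMS database, the `form` table and its rows are constructed, and every function name below (including this `sanitize_sort_by`, which is my version, not dotCMS's) is an assumption made for illustration. It serves the Exploitation, Affected code and Reproduction passages above.

```python
"""Added example (not dotCMS code): an ORDER BY injection sink like the one
the advisory describes, the boolean-based blind oracle built on it, and a
strict allow-list sort sanitizer that closes it.

Assumptions (mine, not from the advisory): sqlite3 stands in for the dotCMS
database; the table, rows and every function name below are invented for
illustration, including this sanitize_sort_by, which is not dotCMS's."""
import sqlite3

# Constructed sample data standing in for the Marketing > Forms listing.
ROWS = [
    ("Contact Us", "zeta"),
    ("Newsletter", "alpha"),
    ("Support", "mid"),
]


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE form (name TEXT, description TEXT)")
    db.executemany("INSERT INTO form VALUES (?, ?)", ROWS)
    return db


def escape_quotes(value):
    """Character-level escaping, the wrong tool for an ORDER BY position: it
    only doubles single quotes, and the CASE payload contains none."""
    return value.replace("'", "''")


def vulnerable_query(db, order_by):
    # The sink: caller-controlled sort text is concatenated into the statement,
    # the pattern the advisory describes for _EXT_FORM_HANDLER_orderBy.
    sql = "SELECT name FROM form ORDER BY " + escape_quotes(order_by)
    return [row[0] for row in db.execute(sql)]


def blind_oracle(db, condition):
    """Boolean-based blind inference: sort by `name` when `condition` holds,
    by `description` otherwise, and read the answer from the first row."""
    first_by_name = vulnerable_query(db, "name")[0]
    payload = "case when %s then name else description end" % condition
    return vulnerable_query(db, payload)[0] == first_by_name


# The fix pattern: an allow-list of sortable columns and directions. Input that
# is not on the list is rejected outright, never "cleaned".
SORT_COLUMNS = {"name", "description"}
SORT_DIRECTIONS = {"asc", "desc"}


def sanitize_sort_by(order_by, direction="asc"):
    col, dirn = order_by.strip().lower(), direction.strip().lower()
    if col not in SORT_COLUMNS or dirn not in SORT_DIRECTIONS:
        raise ValueError("rejected sort expression: %r %r" % (order_by, direction))
    return "%s %s" % (col, dirn)


def rejects(order_by, direction="asc"):
    """True when the allow-list sanitizer refuses the input."""
    try:
        sanitize_sort_by(order_by, direction)
        return False
    except ValueError:
        return True


def safe_query(db, order_by, direction="asc"):
    sql = "SELECT name FROM form ORDER BY " + sanitize_sort_by(order_by, direction)
    return [row[0] for row in db.execute(sql)]


if __name__ == "__main__":
    db = make_db()
    print(vulnerable_query(db, "case when 1=1 then name else description end"))
    print(vulnerable_query(db, "case when 1=0 then name else description end"))
    # One yes/no fact about the data, inferred purely from row order:
    print(blind_oracle(db, "length((select name from form order by name limit 1)) = 10"))
    print(rejects("case when 1=1 then name else description end"))
```

Run it and the two CASE payloads return the rows in different orders, which is the whole oracle: each request answers one yes/no question (the subquery in the last call asks whether the first form name is ten characters long). `escape_quotes` never alters the payload, which is why quote escaping, or blacklisting a few tokens, is the wrong defence for a sort expression; the allow-list rejects anything that is not literally a known column and a known direction.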

Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
