CVE-2016-10008
Description
SQL injection vulnerability in the "Content Types > Content Types" screen in dotCMS before 3.7.2 and 4.x before 4.1.1 allows remote authenticated administrators to execute arbitrary SQL commands via the _EXT_STRUCTURE_direction parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection in dotCMS Content Types screen allows authenticated admins to execute arbitrary SQL via the _EXT_STRUCTURE_direction parameter.
Vulnerability
The dotCMS Content Types screen is vulnerable to SQL injection in versions before 3.7.2 and 4.x before 4.1.1. The _EXT_STRUCTURE_direction parameter is not properly sanitized, allowing an authenticated administrator to inject arbitrary SQL commands. The application uses a blacklist-based sanitization function SQLUtil.sanitizeSortBy() that checks against a set of evil SQL words and a whitelist of allowed sort parameters. However, the _EXT_STRUCTURE_direction parameter bypasses this filter, as it is not included in the whitelist and the blacklist can be circumvented [1].
Exploitation
An attacker must have administrative access to the dotCMS backend. By crafting a malicious value for the _EXT_STRUCTURE_direction parameter in the Content Types screen, the attacker can inject SQL commands. The blacklist defense can be bypassed with alternative SQL syntax or encoding, as detailed in the reference [1]. No user interaction beyond the administrator's own actions is required.
Impact
Successful exploitation allows the attacker to execute arbitrary SQL statements on the underlying database. This can lead to unauthorized reading, modification, or deletion of data, potentially compromising the entire dotCMS instance and its data.
Mitigation
The vulnerability is fixed in dotCMS versions 3.7.2 and 4.1.1. Users should upgrade to these or later versions. No workaround is documented in the available references [1].
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
280ee26851078add build name and changes for zero byte files
2 files changed · +25 −13
src/com/liferay/portal/util/build.properties+5 −5 modified@@ -1,9 +1,9 @@ -#Tue, 07 Feb 2017 06:06:34 -0600 +#Fri, 29 Sep 2017 14:50:22 -0600 dotcms.release.name=dotCMS Platform -dotcms.release.version=3.7.1 -dotcms.release.codename=TRex -dotcms.release.build=57dc8a6 -dotcms.release.date=Feb 07, 2017 +dotcms.release.version=3.7.2 +dotcms.release.codename=Aoshima +dotcms.release.build=e181f40 +dotcms.release.date=Sep 29, 2017 tomcat.install.branch=8.0.18-master-3.5 tomcat.install.version=8.0.18
src/com/liferay/util/FileUtil.java+20 −8 modified@@ -47,6 +47,7 @@ import java.nio.channels.FileChannel; import java.nio.channels.ReadableByteChannel; import java.nio.channels.WritableByteChannel; +import java.nio.file.FileAlreadyExistsException; import java.nio.file.Files; import java.nio.file.Path; import java.nio.file.Paths; @@ -159,6 +160,10 @@ public static void copyFile(File source, File destination, boolean hardLinks) th if (!source.exists()) { throw new IOException("Source file does not exist" + source); } + + if(source.getAbsolutePath().equalsIgnoreCase(destination.getAbsolutePath())) { + return; + } validateEmptyFile(source); 
@@ -190,16 +195,23 @@ public static void copyFile(File source, File destination, boolean hardLinks) th // setting this means we will try again if we cannot hard link if (!destination.exists() || destination.length() == 0) { hardLinks = false; - Logger.warn(FileUtil.class, "Can't create hardLink. source: " + source.getAbsolutePath() - + ", destination: " + destination.getAbsolutePath()); + StringBuilder sb = new StringBuilder(); + sb.append("Can't create hardLink. source: " + source.getAbsolutePath()); + sb.append(", destination: " + destination.getAbsolutePath()); + Logger.warn(FileUtil.class, sb.toString()); } - } catch (IOException e) { - + } catch (FileAlreadyExistsException e1) { + StringBuilder sb = new StringBuilder(); + sb.append("Source File: " + source.getAbsolutePath()); + sb.append("already exists on the destination: " + destination.getAbsolutePath()); + Logger.debug(FileUtil.class, sb.toString()); + } catch (IOException e2 ){ hardLinks = false; // setting to false will execute the fallback - Logger.debug(FileUtil.class, - "Could not created the hard link, will try copy for source: " + source + - ", destination: " + destination + ". Error message: " + e.getMessage()); - } + StringBuilder sb = new StringBuilder(); + sb.append("Could not created the hard link, will try copy for source: " + source); + sb.append(", destination: " + destination + ". Error message: " + e2.getMessage()); + Logger.debug(FileUtil.class, sb.toString()); + } } if (!hardLinks) {
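Review bot: the build.properties hunk bumps the release to 3.7.2, the version this CVE lists as fixed, but the commit message ("add build name and changes for zero byte files") and the rest of the diff say nothing about the `_EXT_STRUCTURE_direction` handling; the message should state what the 3.7.2 release fixes, or the record should link the commit that actually changes the sort-parameter code.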
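Review bot: in the `@@ -159,6 +160,10 @@` hunk of FileUtil.java, the new same-path guard compares `getAbsolutePath()` strings with `equalsIgnoreCase`, so two spellings of one file (a `..` segment, a symlink) still go on to the copy, while on a case-sensitive filesystem two distinct files such as `a.txt` and `A.txt` are treated as the same and the copy is silently skipped. Compare canonical paths (`getCanonicalPath()` or `Files.isSameFile`) and keep the comparison case-sensitive; note also that the `return` sits before `validateEmptyFile(source)`, so a zero-byte source copied onto itself is no longer reported.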
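Review bot: in the `@@ -190,16 +195,23 @@` hunk, the new `catch (FileAlreadyExistsException e1)` only logs at debug level and leaves `hardLinks` true, so when the destination already exists (possibly stale or zero-byte) neither the `destination.length() == 0` re-check of the success path nor the copy fallback runs and the caller keeps whatever was there; if skipping is intended, say so in a comment, otherwise set `hardLinks = false` or re-check the destination as the success path does. Smaller points: the debug message is missing a space before `already exists on the destination:`, `Could not created` is carried over from the old message, and `sb.append("..." + x)` does string concatenation inside the builder call, so chain `.append()` calls instead.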
1 file changed · +1 −1
dotCMS/src/main/enterprise+1 −1 modified@@ -1 +1 @@ -Subproject commit 0de519d7ec3aefd721d34b19a78c592ab30fbe15 +Subproject commit d6639e147bb71ea044feb983600dfff6e58283cf
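Review bot: the `dotCMS/src/main/enterprise` hunk is a bare submodule pointer bump from `0de519d7` to `d6639e14` with no description of what changed in the enterprise tree; since that is the one place in these patches where a change to the sort-parameter handling could live, the commit message should summarise the enterprise changes being pulled in.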
Vulnerability mechanics
Root cause
"The `_EXT_STRUCTURE_direction` parameter is passed through an ineffective `SQLUtil.sanitizeParameter()` function that fails to restrict input to only 'ASC' or 'DESC', allowing arbitrary SQL to be injected into the ORDER BY clause."
Attack vector
An attacker must be authenticated and authorized as an administrator in dotCMS [ref_id=1]. The attacker navigates to the "Content Types > Content Types" screen and clicks a column title in the results table, which triggers a request containing the `_EXT_STRUCTURE_direction` parameter. The parameter value is passed through `SQLUtil.sanitizeParameter()`, but that function does not restrict the value to only "ASC" or "DESC" — it allows arbitrary SQL to be injected [ref_id=1]. The injected value is concatenated into the ORDER BY clause of a SQL query, enabling boolean-based blind SQL injection [ref_id=1].
Affected code
The vulnerability exists in the "Content Types > Content Types" screen, where the `_EXT_STRUCTURE_direction` parameter is processed. The researcher's write-up shows that the code calls `SQLUtil.sanitizeParameter(direction)` on the parameter, but this sanitization is ineffective — the parameter is then concatenated directly into a SQL query without proper validation [ref_id=1]. The patches provided (build version bumps and a FileUtil change) do not address this SQL injection, confirming the advisory's statement that the fix was not included in the 3.7.1 release [patch_id=2247199][patch_id=2247200].
What the fix does
The provided patches [patch_id=2247199][patch_id=2247200] only update build version numbers and modify file-copy logic in `FileUtil.java` — they do not address the SQL injection in the `_EXT_STRUCTURE_direction` parameter. The advisory notes that dotCMS considered the issue low priority and did not include a fix in the 3.6.1 release [ref_id=1]. The researcher recommends migrating to dotCMS 4.x (version 4.1.1 or later) where the vulnerability is reportedly fixed, and advises against relying on blacklist-based sanitization [ref_id=1].
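For the ORDER BY handling described in the Vulnerability section and under Root cause, an allowlist check that returns only the constants "ASC" or "DESC" (and only known column names) instead of filtering for "evil words", as an added Java example that is not dotCMS code; the class name, method names and column names are assumptions, and it assumes Java 11 or later.

```java
import java.util.Locale;
import java.util.Set;

// Added example (not dotCMS code): allowlist validation for the two ORDER BY
// inputs, a sort column and a sort direction. Names and columns are assumed.
public final class OrderByValidator {
    // Columns a user may sort by; assumed names, anything else is rejected.
    private static final Set<String> ALLOWED_SORT_COLUMNS =
            Set.of("name", "velocity_var_name", "mod_date");

    // Returns exactly "ASC" or "DESC"; a missing value defaults to "ASC",
    // any other value is rejected instead of being filtered for bad words.
    public static String sanitizeSortDirection(String direction) {
        if (direction == null || direction.isBlank()) {
            return "ASC";
        }
        String normalized = direction.trim().toUpperCase(Locale.ROOT);
        if (normalized.equals("ASC")) {
            return "ASC";   // literal constant, never the caller's string
        }
        if (normalized.equals("DESC")) {
            return "DESC";
        }
        throw new IllegalArgumentException("invalid sort direction: " + direction);
    }

    // Maps the requested column onto the allowlist; no blacklist involved.
    public static String sanitizeSortBy(String sortBy) {
        String normalized = sortBy == null ? "" : sortBy.trim().toLowerCase(Locale.ROOT);
        if (ALLOWED_SORT_COLUMNS.contains(normalized)) {
            return normalized;
        }
        throw new IllegalArgumentException("invalid sort column: " + sortBy);
    }

    // Only validated constants ever reach the SQL string.
    public static String buildOrderBy(String sortBy, String direction) {
        return " ORDER BY " + sanitizeSortBy(sortBy) + " " + sanitizeSortDirection(direction);
    }

    public static void main(String[] args) {
        System.out.println(buildOrderBy("name", "desc"));
        // Constructed inputs that an exact-match allowlist must reject.
        for (String bad : new String[] {"DESC, mod_date", "DESCENDING", "asc desc"}) {
            try {
                sanitizeSortDirection(bad);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```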
Preconditions
- Auth: Attacker must be authenticated and authorized as an administrator in dotCMS
- Network: Attacker must have access to the 'Content Types > Content Types' administrative screen
- Input: The _EXT_STRUCTURE_direction parameter must be accepted without proper validation
Generated on May 24, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.