Date: Sun, 22 Feb 2015 16:01:03 -0500 (EST)
Subject: Re: CVE-Request -- phpBugTracker v. 1.6.0 -- Multiple SQLi, stored/reflecting XSS- and CSRF-vulnerabilities


> I found multiple SQLI-, stored/reflecting XSS- and CSRF-vulnerabilities in
> Issuetracker phpBugTracker v. 1.6.0.

Can you clarify how the example attack URLs interact with this
product's approach to access control? As far as we can tell,
established a model for access control in which there is both a
superadmin role and an admin role. We think the situation is:

1. You mean that all of your http://{TARGET}/admin/ example URLs are
accessed within the context of a session with the correct/expected
authentication. In some cases, $perm->check('Admin') must succeed, and
in other cases (e.g., project.php), the $perm->check('Admin') test is
not used. In other words, you are not reporting any discoveries in
which an attacker is directly bypassing access control.

2. In some cases, stored XSS is relevant only in the context of a CSRF
attack, because otherwise a superadmin would need to enter the XSS
string intentionally. In other cases, stored XSS is independently
relevant because it could be used for privilege escalation from admin
to superadmin.

3. A SQL injection attack could be relevant even if CSRF is not used.
In other words, someone with admin (or even superadmin) privileges
does not necessarily have the inherent ability to execute arbitrary
SQL statements.

4. Some of the vendor's commits have fixed attack vectors that you did
not report (in addition to attack vectors that you did report). For
  + case 'del' :
  +     if (check_action_key_die()) {
  +         del_group(get_get_int('group_id'));
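Review bot: the check_action_key_die() guard is applied inside the 'del' case only; the fragment does not show whether the other cases of the same switch received the same call, and hoisting the check above the switch would cover every state-changing action in one place rather than relying on each case to remember it. The target is still taken from the query string via get_get_int('group_id'), so the delete remains reachable by a plain GET link; the action key defeats cross-site forgery, but moving destructive actions to POST would also keep them out of browser history and Referer logs.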

5. Most of the issues were fixed in 1.7.0; however, there were
additional XSS fixes in 1.7.2.

If so, then there would probably be seven CVE IDs in total (six for
the 1.7.0 fixes: for multiple CSRF discovered by you, multiple CSRF
discovered by the vendor, multiple XSS discovered by you, multiple XSS
discovered by the vendor, multiple SQL injection discovered by you,
and multiple SQL injection discovered by the vendor; and one for the
1.7.2 fixes).

-- 
CVE assignment team, MITRE CVE Numbering Authority
M/S M300
202 Burlington Road, Bedford, MA 01730 USA
[ PGP key available through ]
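The reasoning in points 2 and 4 above turns on one mechanism: a state-changing admin action that any page the admin visits can trigger (CSRF) is what makes an otherwise self-inflicted stored XSS exploitable, and a per-session action key closes that path. The following is an added illustration written for this note, not phpBugTracker's own code; the function names (issue_action_key, check_action_key, handle_group_action_*), the group table and the request arrays are all hypothetical, and the real check_action_key_die() signature is not reproduced. It runs offline with `php file.php`.

```php
<?php
// Added example: a vulnerable 'del' handler beside one guarded by a per-session
// action key. Illustrative only; names and data are hypothetical, and this is
// not phpBugTracker's implementation.

declare(strict_types=1);

// Issue a random key once per session and keep it server-side.
function issue_action_key(array &$session): string {
    if (empty($session['action_key'])) {
        $session['action_key'] = bin2hex(random_bytes(16));
    }
    return $session['action_key'];
}

// Build the kind of link the application itself would emit for the action.
function action_link(string $base, array $params, string $key): string {
    $params['action_key'] = $key;
    return $base . '?' . http_build_query($params);
}

// Compare the submitted key with the session's key in constant time.
function check_action_key(array $session, array $request): bool {
    if (empty($session['action_key']) || !isset($request['action_key'])) {
        return false;
    }
    return hash_equals($session['action_key'], (string) $request['action_key']);
}

// Vulnerable: ?action=del&group_id=N deletes the group for whoever is logged
// in, so an <img src="..."> on any site the admin visits can fire it (CSRF).
function handle_group_action_vulnerable(array $request, array &$groups): string {
    if (($request['action'] ?? '') === 'del') {
        $id = (int) ($request['group_id'] ?? 0);
        unset($groups[$id]);
        return "deleted group $id";
    }
    return 'no-op';
}

// Hardened: the same action, but the request must carry the key issued to
// this admin's session, which a cross-site attacker cannot read or guess.
function handle_group_action_hardened(array $request, array $session, array &$groups): string {
    if (($request['action'] ?? '') === 'del') {
        if (!check_action_key($session, $request)) {
            return 'rejected: missing or wrong action key';
        }
        $id = (int) ($request['group_id'] ?? 0);
        unset($groups[$id]);
        return "deleted group $id";
    }
    return 'no-op';
}

// Constructed demonstration: one admin session, a forged cross-site request
// (attacker-chosen URL, no key), and a request from a link the app issued.
$session = [];
$key     = issue_action_key($session);
$groups  = [1 => 'developers', 2 => 'reporters'];

$forged = ['action' => 'del', 'group_id' => '2'];
$legit  = [];
$url    = action_link('/admin/group.php', ['action' => 'del', 'group_id' => 2], $key);
parse_str((string) parse_url($url, PHP_URL_QUERY), $legit);

$g = $groups; echo handle_group_action_vulnerable($forged, $g), "\n";
$g = $groups; echo handle_group_action_hardened($forged, $session, $g), "\n";
$g = $groups; echo handle_group_action_hardened($legit, $session, $g), "\n";
```

The vulnerable handler deletes the group on the forged request; the hardened one rejects the forged request and accepts only the request built from the application's own link. The same guard is what makes the "only via CSRF" stored XSS cases in point 2 unreachable for an attacker, while it does nothing for the SQL injection cases in point 3, which an authenticated admin can drive directly.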

