Full Disclosure mailing list archives
Happy Holidays / Xmas Advisory
From: joernchen <joernchen () phenoelit de>
Date: Tue, 24 Dec 2013 11:26:15 +0100
To whom it may concern:

A rather informal advisory on Fat Free CRM (http://fatfreecrm.com/):

Timeline:

Aug 27th 2013  Initial email containing the findings listed below, including a note that there are more vulnerabilities which just need to be verified. (Sent to mike () fatfreecrm com and security () fatfreecrm com)
Sep 16th 2013  No response so far (not even a bounce of the initial mail); re-sent the email of Aug. 27th.
Dec 20th 2013  Still no response.
Dec 24th 2013  Public Disclosure.

Hint: Actually the codebase is full of Ruby on Rails worst practices. You might want to use it as a sample "Hack Me" application.

---

1. Known Session Secret

In config/initializers/secret_token.rb a static secret token is defined. With knowledge of this token an attacker is able to execute arbitrary Ruby code server side.

2. Lack of CSRF Protection

In app/controllers/application_controller.rb the protect_from_forgery statement is missing; therefore Fat Free CRM is vulnerable to CSRF attacks.

3. Default to_json for Models

The users controller renders JSON requests with a full JSON object. For instance, when logged in to the demo app and requesting http://demo.fatfreecrm.com/users/1.json, the response would be:

    {
      "user": {
        "admin": true,
        "aim": "",
        "alt_email": "",
        "company": "example",
        "created_at": "2012-02-12T02:00:00+02:00",
        "current_login_at": "2013-08-26T22:12:05+03:00",
        "current_login_ip": "61.143.60.146",
        "deleted_at": null,
        "email": "aaron () example com",
        "first_name": "Aaron",
        "google": "",
        "id": 1,
        "last_login_at": "2013-08-24T22:20:06+03:00",
        "last_login_ip": "122.173.185.99",
        "last_name": "Assembler",
        "last_request_at": "2013-08-26T22:13:35+03:00",
        "login_count": 481,
        "mobile": "(800)555-1211",
        "password_hash": "56d91c9f1a9c549304768982fd4e2d8bc2700b403b4524c0f14136dbbe2ce4cd923156ad69f9acce8305dba4e63faa884e61fb7a256cf8f5fc7c2ce176e68e8f",
        "password_salt": "ce6e0200c96f4dd326b91f3967115a31421a0e7dcddc9ffb63a77f598a9fcb5326fe532dbd9836a2446e46840d398fa32c81f8f4da1a0fcfe931989e9639a013",
        "perishable_token": "NE0n6wUCumVNdQ24ahRu",
        "persistence_token": "d7cdeffd3625f7cb265b21126b85da7c930d47c4a708365c20eb857560055a6b57c9775becb8a957dfdb46df8aee17eb120a011b380e9cc0882f9dfaa2b7ba26",
        "phone": "(800)555-1210",
        "single_access_token": "TarXlrOPfaokNOzls2U8",
        "skype": "ranzitreddy",
        "suspended_at": null,
        "title": "VP of Sales",
        "updated_at": "2013-08-26T22:13:35+03:00",
        "username": "aaron",
        "yahoo": ""
      }
    }

A custom to_json method which sanitizes the output should be created.

4. Multiple SQL Injections

In app/controllers/home_controller.rb:

    def timeline
      unless params[:type].empty?
        model = params[:type].camelize.constantize
        item = model.find(params[:id])
        item.update_attribute(:state, params[:state])
      else
        comments, emails = params[:id].split("+")
        Comment.update_all("state = '#{params[:state]}'", "id IN (#{comments})") unless comments.blank?
        Email.update_all("state = '#{params[:state]}'", "id IN (#{emails})") unless emails.blank?
      end
      render :nothing => true
    end

Here params[:state], comments and emails are attacker-controlled values which go directly into SQL statements. Therefore this piece of code exposes a SQL injection vulnerability.

---

Static URL of this text: http://www.phenoelit.org/stuff/ffcrm.txt

Happy Holidays,
joernchen

-- 
joernchen ~ Phenoelit <joernchen () phenoelit de> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de                            ~ A46A 7199 8B7B 756A F5AC

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
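Why finding 1 (a static secret_token) is more than session tampering, as an added example by the editor; this is not code from the advisory or from Fat Free CRM. It re-implements, as an assumption, the Rails 3 cookie store format (Marshal.dump, strict base64, HMAC-SHA1 over the secret, "data--hexdigest"), uses a constructed placeholder secret rather than the project's real token, and the "user_id" session key is hypothetical.

```ruby
require 'openssl'

# Constructed placeholder for the static value in config/initializers/secret_token.rb.
# It is NOT the project's real token; the point is only that an attacker knows it.
KNOWN_SECRET = ('deadbeef' * 16).freeze

# Assumed re-implementation of the Rails 3 CookieStore / MessageVerifier format:
# the session hash is Marshal.dump'ed, base64-encoded and signed with HMAC-SHA1
# keyed by secret_token; the cookie value is "data--hexdigest".
module Rails3CookieStore
  SEPARATOR = '--'.freeze

  def self.generate(secret, session)
    data = [Marshal.dump(session)].pack('m0')   # strict base64, no newlines
    "#{data}#{SEPARATOR}#{digest(secret, data)}"
  end

  # Server side: only if the HMAC matches is the payload deserialised.
  # Returns nil where Rails would raise InvalidSignature.
  def self.verify(secret, cookie)
    data, sig = cookie.split(SEPARATOR, 2)
    return nil if data.nil? || sig.nil?
    return nil unless secure_compare(digest(secret, data), sig)
    # Once the signature checks out the server hands attacker-chosen bytes to
    # Marshal.load, which instantiates arbitrary Ruby objects. That is why a
    # leaked secret_token is treated as server-side code execution and not
    # merely as a way to impersonate users.
    Marshal.load(data.unpack1('m0'))
  rescue ArgumentError
    nil   # not valid base64
  end

  def self.digest(secret, data)
    OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new('SHA1'), secret, data)
  end

  # Constant-time comparison, as ActiveSupport's secure_compare does.
  def self.secure_compare(a, b)
    return false unless a.bytesize == b.bytesize
    a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
  end
end

# Attacker side: with the secret in hand, mint a session cookie for any user.
# The "user_id" key is hypothetical; the real key depends on the auth library.
def forge_session_cookie(secret, user_id)
  Rails3CookieStore.generate(secret, { 'user_id' => user_id })
end

# Flip the last hex character of the signature to show the check actually bites.
def tamper_signature(cookie)
  cookie.sub(/.\z/) { |c| c == '0' ? '1' : '0' }
end

if __FILE__ == $PROGRAM_NAME
  cookie = forge_session_cookie(KNOWN_SECRET, 1)
  puts "forged cookie: #{cookie}"
  puts "accepted with known secret:  #{Rails3CookieStore.verify(KNOWN_SECRET, cookie).inspect}"
  puts "accepted with other secret:  #{Rails3CookieStore.verify('rotated-secret', cookie).inspect}"
  puts "accepted after tampering:    #{Rails3CookieStore.verify(KNOWN_SECRET, tamper_signature(cookie)).inspect}"
end
```

The fix is to generate the token per deployment (rake secret) and keep it out of the repository; rotating it invalidates every cookie the attacker has minted, which the second verify call illustrates.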
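What the "custom to_json" of finding 3 should look like, as an added plain-Ruby example by the editor (not code from the advisory or from Fat Free CRM). The LeakyUser class stands in for the ActiveRecord default that serialises every column under a root key; SafeUser shows the allow-list that an as_json/serializable_hash override on the model would apply. The sample row is constructed with placeholder values, and SENSITIVE_KEYS is the editor's list drawn from the field names in the demo response above.

```ruby
require 'json'

# Columns that must never reach an API consumer (editor's list, taken from the
# field names visible in the demo response).
SENSITIVE_KEYS = %w[password_hash password_salt persistence_token perishable_token
                    single_access_token current_login_ip last_login_ip].freeze

# Constructed sample row; the values are placeholders, not the demo user's data.
SAMPLE_ATTRIBUTES = {
  'id' => 1, 'username' => 'aaron', 'first_name' => 'Aaron', 'last_name' => 'Assembler',
  'email' => 'aaron@example.com', 'company' => 'example', 'title' => 'VP of Sales',
  'admin' => true, 'login_count' => 481,
  'password_hash' => 'h' * 128, 'password_salt' => 's' * 128,
  'persistence_token' => 'p' * 128, 'perishable_token' => 'PERISHABLE-TOKEN',
  'single_access_token' => 'SINGLE-ACCESS', 'current_login_ip' => '192.0.2.10',
  'last_login_ip' => '192.0.2.11'
}.freeze

# Stand-in for the ActiveRecord default: every column is serialised, wrapped
# under the model name, which is the shape of the users/1.json response.
class LeakyUser
  def initialize(attrs)
    @attrs = attrs
  end

  def as_json(*)
    { 'user' => @attrs }
  end

  def to_json(*args)
    as_json.to_json(*args)
  end
end

# Hardened variant: an explicit allow-list decides what is serialised, so
# render :json => @user can no longer pull in credential columns. In a Rails 3
# model the same effect comes from overriding as_json / serializable_hash.
class SafeUser < LeakyUser
  PUBLIC_ATTRIBUTES = %w[id username first_name last_name title company].freeze

  def as_json(*)
    { 'user' => @attrs.slice(*PUBLIC_ATTRIBUTES) }
  end
end

# Check a rendered document for credential material; returns the offending keys.
def leaked_keys(json_text)
  SENSITIVE_KEYS & JSON.parse(json_text).fetch('user').keys
end

if __FILE__ == $PROGRAM_NAME
  puts "default to_json leaks:      #{leaked_keys(LeakyUser.new(SAMPLE_ATTRIBUTES).to_json).inspect}"
  puts "allow-listed to_json leaks: #{leaked_keys(SafeUser.new(SAMPLE_ATTRIBUTES).to_json).inspect}"
end
```

An allow-list is deliberately preferred over a deny-list of "secret" columns: a column added later (a new token, an API key) is excluded by default instead of leaking until someone remembers to add it.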
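The two injection points of finding 4 side by side with a hardened rewrite, as an added example by the editor (not code from the advisory or from Fat Free CRM). It assumes that Rails 3 update_all(updates, conditions) composes "UPDATE table SET updates WHERE (conditions)", so the vulnerable function builds that string exactly as the interpolations in timeline would; no database is touched. The attacker payloads are constructed, and ALLOWED_STATES is a hypothetical allow-list (the real values are whatever the app accepts).

```ruby
# Both functions take the hash the timeline action receives:
# params[:id] = "commentIds+emailIds", params[:state] = the new state.

# Assumed SQL that the two update_all calls in timeline produce. Nothing is
# escaped, exactly as in the original: both params[:state] and the id lists
# are spliced into the statement as text.
def vulnerable_timeline_sql(params)
  comments, emails = params[:id].split('+')
  stmts = []
  stmts << "UPDATE comments SET state = '#{params[:state]}' WHERE (id IN (#{comments}))" unless comments.nil? || comments.empty?
  stmts << "UPDATE emails SET state = '#{params[:state]}' WHERE (id IN (#{emails}))" unless emails.nil? || emails.empty?
  stmts
end

# Hypothetical allow-list of states the timeline may set.
ALLOWED_STATES = %w[Collapsed Expanded].freeze

# Hardened version: state must come from the allow-list, every id must parse as
# an integer, and the statement is parameterised so data never becomes SQL.
# Returns [sql, binds] pairs in the shape an ActiveRecord where/update takes.
def hardened_timeline_sql(params)
  state = params[:state].to_s
  raise ArgumentError, "invalid state #{state.inspect}" unless ALLOWED_STATES.include?(state)

  comments, emails = params[:id].to_s.split('+', 2)
  [['comments', comments], ['emails', emails]].each_with_object([]) do |(table, id_list), stmts|
    next if id_list.nil? || id_list.empty?
    ids = id_list.split(',').map { |raw| Integer(raw.strip, 10) }   # raises on "1) OR 1=1 --"
    placeholders = (['?'] * ids.size).join(', ')
    stmts << ["UPDATE #{table} SET state = ? WHERE id IN (#{placeholders})", [state, *ids]]
  end
end

# Constructed requests. The first closes the IN (...) list and appends a
# tautology, so every comment gets the new state; the second breaks out of
# the quoted state value and rewrites the WHERE clause instead.
BENIGN_PARAMS       = { id: '1,2+7',          state: 'Expanded' }.freeze
ID_LIST_PAYLOAD     = { id: '1) OR 1=1 --+',  state: 'Expanded' }.freeze
STATE_VALUE_PAYLOAD = { id: '1+',             state: "Expanded' WHERE 1=1 --" }.freeze

if __FILE__ == $PROGRAM_NAME
  [BENIGN_PARAMS, ID_LIST_PAYLOAD, STATE_VALUE_PAYLOAD].each do |params|
    puts "params:     #{params.inspect}"
    puts "vulnerable: #{vulnerable_timeline_sql(params).inspect}"
    begin
      puts "hardened:   #{hardened_timeline_sql(params).inspect}"
    rescue ArgumentError => e
      puts "hardened:   rejected (#{e.message})"
    end
    puts
  end
end
```

Validation alone (the allow-list and Integer()) already defeats both payloads; the placeholders are there because the database driver, not string assembly, should be the thing that quotes values, which also covers inputs nobody thought to validate.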
Current thread:
- Happy Holidays / Xmas Advisory joernchen (Dec 24)
- Re: Happy Holidays / Xmas Advisory Henri Salo (Dec 24)
- Re: Happy Holidays / Xmas Advisory PsychoBilly (Dec 26)
- Re: Happy Holidays / Xmas Advisory Brandon Perry (Dec 26)
- Message not available
- Re: Happy Holidays / Xmas Advisory Gage Bystrom (Dec 26)
- Re: Happy Holidays / Xmas Advisory Henri Salo (Dec 27)
- Re: Happy Holidays / Xmas Advisory PsychoBilly (Dec 26)
- Re: Happy Holidays / Xmas Advisory Henri Salo (Dec 24)
- <Possible follow-ups>
- Re: Happy Holidays / Xmas Advisory Matthew Gow (Dec 29)