Hardened-PHP Project Security Advisory 2005-11.59

Posted Jul 22, 2005
Authored by Christopher Kunz, Hardened-PHP Project | Site hardened-php.net

Hardened-PHP Project Security Advisory - Cross site scripting, password hash disclosure, SQL injection, and information disclosure vulnerabilities exist in Contrexx versions below 1.0.5.

tags | exploit, php, vulnerability, xss, sql injection, info disclosure
SHA-256 | 985524575ae9eb12bcd0909c15c66b452b539eef3a58d55153bc284f126f0949

                         Hardened PHP Project
www.hardened-php.net


-= Security Advisory =-


Advisory: Multiple vulnerabilities in Contrexx
Release Date: 2005/07/21
Last Modified: 2005/07/18
Author: Christopher Kunz <christopher.kunz@hardened-php.net>
Application: Contrexx < 1.0.5
Severity: Cross-Site Scripting, SQL injection and information
disclosure, password hash disclosure
Risk: High
Vendor Status: Vendor has released an updated version
References: http://www.hardened-php.net/advisory_112005.59.html
(also includes a GnuPG signature for this advisory)


Overview:

Contrexx is a commercial content management system that was recently released
as an open source product. It offers typical CMS features such as content
pages, polls, news, RSS feed aggregation and newsletters, split into modules.
The search and the blog aggregation module are vulnerable to Cross-Site
Scripting, allowing malicious users to hijack user or admin sessions.
Unfiltered user input in the poll module allows for MySQL version disclosure,
and might facilitate further SQL injection attacks under MySQL 5 with
subselects.
SQL Injection in the gallery module can be used to select arbitrary data,
including a complete list of username/password hash combinations.
A bundled XML file discloses the Contrexx version in use.


Details:

1) SQL injection in poll module
The poll module in Contrexx works like any other web-based poll: users can
vote for one of several choices by clicking a radio button and submitting
the poll form. The value of the radio button is an integer value that is
passed to the SQL abstraction layer without any checks or casts:

   $query="SELECT voting_system_id from ".DBPREFIX."voting_results WHERE id="
          .$_POST["votingoption"]." ";
   $db->query($query);

By saving, changing and submitting a modified poll form to the server, an
attacker can get the MySQL server to disclose its version.
On top of that, the results of the aforementioned query are fed directly into
an UPDATE statement, which can thus be modified by changing the WHERE clause.
This can be used to spike polls and may be used for other injections with
MySQL 5's subselects. With magic_quotes_gpc=Off, more evil can be done.
This is facilitated by the ridiculous input filtering that basically checks
for SELECT, UPDATE, AND and OR, but leaves /**/SELECT, UPDATE/**/, &&, ||
untouched.

2) SQL injection in gallery module
The pId parameter in Contrexx's gallery module is passed to the database
layer completely unfiltered:

   if(isset($_GET['pId']) && !empty($_GET['pId'])){
       $this->showPicture($_GET['pId']);
   }

and in method showPicture():

   $objDb->query("SELECT id,name,path,linkname,link,size_show
                  FROM ".DBPREFIX."module_gallery_pictures
                  WHERE id=".$pictureId);

An attacker can append arbitrary SQL to the pId parameter, including UNION
SELECT. However, since there is some - err - "filtering" going on, keywords
like SELECT, UNION, AND or similar need to be pre- or postfixed with an
empty SQL comment.
Using this injection, it is very easy to obtain a full list of usernames and
password hashes which can then be cracked with a premade MD5 rainbow table.
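
Added example (not part of the original advisory and not Contrexx code): a
hardened form of the id lookup from items 1 and 2, using strict integer
validation plus a bound parameter instead of keyword filtering. PDO, the
in-memory SQLite table and the helper names parse_id() and fetch_picture()
are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: constructed schema and helper names, not Contrexx code.
const DBPREFIX = 'contrexx_';   // mirrors the constant in the advisory's snippets

// Accept only a canonical decimal integer >= 1. Values such as
// "1 /**/UNION/**/ ..." fail validation outright; nothing is "cleaned".
function parse_id($raw): ?int
{
    if (!is_string($raw)) {      // pId[]=1 arrives as an array: reject it
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// The id travels as a bound integer parameter, never as SQL text.
function fetch_picture(PDO $db, $rawId): ?array
{
    $id = parse_id($rawId);
    if ($id === null) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id, name, path FROM ' . DBPREFIX . 'module_gallery_pictures WHERE id = :id'
    );
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed in-memory table so the example runs offline.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ' . DBPREFIX . 'module_gallery_pictures
           (id INTEGER PRIMARY KEY, name TEXT, path TEXT)');
$db->exec('INSERT INTO ' . DBPREFIX . "module_gallery_pictures
           VALUES (1, 'harbour', 'img/harbour.jpg')");

// Input shapes taken from the advisory's descriptions, plus one valid id.
$inputs = ['1', '1 /**/UNION/**/ /**/SELECT/**/ 1,1,1', "123 UNION/**/ SELECT/**/ '1 OR 1=1'", ['1']];
foreach ($inputs as $in) {
    $row = fetch_picture($db, $in);
    echo json_encode($in, JSON_UNESCAPED_SLASHES), ' => ',
         $row === null ? 'rejected or not found' : $row['name'], "\n";
}
```

The same validate-then-bind pattern applies to the poll module's
"votingoption" value before it reaches either the SELECT or the UPDATE.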

3) XSS in the search form
Plain and simple XSS, exploitable via GET and POST on the front-end search
form. See below for PoC, it's very straightforward. The input sanitation
functions seem to differ between Contrexx versions - it was possible to
inject script code without any additional characters on the Contrexx web
site (http://www.contrexx.com/).
Contrexx' input filters filter out "<script>", but, for some unknown reason,
do not touch "<scr\ipt>".

4) XSS in blog aggregation module
Blog aggregation is used to create a "blog roll" for daily perusal by
administrators or normal web site users. A malicious person could use their
leet social engineering skills to persuade a Contrexx administrator that
their blog is worth a daily read - prompting said admin to include this blog
in their Contrexx blog aggregation.
Then, the attacker could embed script code in one of their blog entries.
Since no input filtering is done on incoming RSS aggregations, this script
code is displayed in the front-end aggregation module and also in the admin
backend (if the administrator clicks on "preview"). With the resulting XSS
an attacker could steal the admin's cookies and hijack their session.
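
Added example (not part of the original advisory and not Contrexx code):
output encoding for the two XSS cases in items 3 and 4, shown beside a
stand-in for the "<script>" blacklist the advisory describes. All function
names, the attribute context of the search term and the link handling are
assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example: constructed helpers, not Contrexx code.

// Stand-in for the blacklist described in the advisory: strips the literal
// "<script>" tag text and nothing else.
function blacklist_filter(string $s): string
{
    return str_ireplace(['<script>', '</script>'], '', $s);
}

// Encode for HTML text and quoted-attribute contexts at the point of output.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Search form: the term is reflected into a quoted attribute and into text.
function render_search(string $term): string
{
    return '<input name="term" value="' . h($term) . '">'
         . '<p>Results for ' . h($term) . '</p>';
}

// Feed entry: title and link are remote data; only http(s) links become hrefs.
function render_feed_entry(string $title, string $link): string
{
    $scheme = strtolower((string) parse_url($link, PHP_URL_SCHEME));
    $href = in_array($scheme, ['http', 'https'], true) ? h($link) : '#';
    return '<li><a href="' . $href . '">' . h($title) . '</a></li>';
}

// Strings from the advisory's PoC section (items 3 and 4).
$term  = '"><scr\ipt>alert("xss")</sc\ript>';
$title = "<script>alert('xss')</script>";

echo "blacklist only : ", blacklist_filter($term), "\n";   // markup survives
echo "search, encoded: ", render_search($term), "\n";
echo "feed, encoded  : ", render_feed_entry($title, 'http://blog.example/1'), "\n";
```

Encoding at output covers both the front-end aggregation view and the admin
"preview", since neither depends on what an input filter happened to strip.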

5) Version information disclosure
In a default installation of Contrexx, a file named "config/version.xml" is
created upon installation. It contains the exact version information for the
Contrexx installation.


Proof of Concept:

1) Modify one of the poll "votingoption" parameters to read like this:
value="1 /*!50030%20s*/"
and submit the form. Repeat until no SQL error is displayed - you have
found the MySQL version running on the server.
More SQL injection:
value="123 UNION/**/ SELECT/**/ '1 OR 1=1'"

2) /index.php?section=gallery&cmd=showCat&cid=41&pId=1%20/**/UNION/**/%20
/**/SELECT/**/%201,1,CONCAT(username,'-',password),1,1,1%20/**/FROM%20
contrexx_access_users

3) /index.php?section=search&term=%22%3E%3Cscr\ipt%3Ealert(%22xss%22)
%3C/sc\ript%3E

4) Create a blog entry with the title <script>alert('xss')</script>. Have
this blog aggregated by Contrexx. Stir. Enjoy.

5) See /config/version.xml in your Contrexx installation.


Disclosure Timeline:

08. July 2005 - Vendor informed.
10. July 2005 - One more bug disclosed to vendor, including PoC.
19. July 2005 - Vendor has released updated version.
22. July 2005 - Public disclosure.


Recommendation:

We strongly recommend installing the updated version, 1.0.5, which is
available from the vendor's homepage, www.contrexx.com.


Plug:

You can discuss this and other vulnerabilities in our forum at
http://forum.hardened-php.net/ - an up-to-date list of advisories can be
found at http://www.hardened-php.net/.


GPG-Key:

http://www.hardened-php.net/hardened-php-signature-key.asc

pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1


Copyright 2005 Christopher Kunz / Hardened PHP Project. All rights reserved.
