BugTracker.Net 3.4.4 Multiple Vulnerabilities

2010-12-02T00:00:00
ID 1337DAY-ID-15019
Type zdt
Reporter Core Security
Modified 2010-12-02T00:00:00

Description

Exploit for asp platform in category web applications

                                        
                                            =============================================
BugTracker.Net 3.4.4 Multiple Vulnerabilities
=============================================

1. *Advisory Information*
 
Title: Multiple vulnerabilities in BugTracker.Net
Advisory Id: CORE-2010-1109
Advisory URL:
[http://www.coresecurity.com/content/multiple-vulnerabilities-in-bugtracker]
Date published: 2010-11-30
Date of last update: 2010-11-30
Vendors contacted: BugTracker.NET team
Release mode: Coordinated release
 
 
2. *Vulnerability Information*
 
Class: Cross site scripting [CWE-79], SQL injection [CWE-89]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2010-3266, CVE-2010-3267
Bugtraq ID: N/A
 
 
3. *Vulnerability Description*
 
BugTracker.NET [1][2] is an open-source web-based bug tracker written
using ASP.NET, C#, and Microsoft SQL Server. Several cross-site
scripting and SQL-injection vulnerabilities were found in the following
files of the BugTracker.NET:
 
   . *bugs.aspx*. SQL injection in line 141.
   . *delete_query.aspx*. No sanitization for 'row_id.Value' in line 30.
   . *edit_bug.aspx*. Variables without sanitization in lines 1846 and 1857.
   . *edit_bug.aspx*. No sanitization for variable 'new_project', line 2214.
   . *edit_bug.aspx*. XSS in line 2918.
   . *edit_comment.aspx*. XSS in line 233.
   . *edit_customfield.aspx*. Lines 165 and 172, no sanitization.
   . *edit_user_permissions2.aspx*. XSS in line 40.
   . *massedit.aspx*. SQL Injection in line 162.
 
 
4. *Vulnerable packages*
 
   . BugTracker.NET v3.4.4.
   . Older versions are probably affected too, but they were not checked.
 
 
5. *Non-vulnerable packages*
 
   . BugTracker.NET v3.4.5.
 
 
6. *Credits*
 
This vulnerability was discovered and researched by Damián Saura
[http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=researcher&name=Damian_Saura]
and Alejandro Frydman from Core Security Technologies.
 
 
7. *Technical Description / Proof of Concept Code*
 
7.1. *XSS Vulnerabilities*
 
[CVE-2010-3266 | N/A]. All XSS vulnerabilities can be exploited in
similar ways. The following proof of concept shows how to exploit the
XSS founded in 'edit_comment.aspx':
 
/-----
...  
230 <div class=align>
231 <table border=0><tr><td>
232
233 <a href=edit_bug.aspx?id=<%
Response.Write(Request["bug_id"]);%>>back to <%
Response.Write(btnet.Util.get_setting("SingularBugLabel","bug")); %></a>
234 <form class=frm runat="server">
235
236    <table border=0>
...
-----/
 First, login to BugTracker and create a comment in a previously created
bug. Then, edit it using this URL:
 
/-----
http://localhost:4535/edit_comment.aspx?id=48&bug_id=3%3E%3Cscript%3Ealert%28%27%27%29;%3C/script%3E
-----/
 As a result, the JavaScript code injected into the parameter 'bug_id'
will be rendered without sanitization in the line 233, and executed in
the context of the client's web browser.
 
 
7.2. *SQL Injection Vulnerabilities*
 
[CVE-2010-3267 | N/A]. All SQL injection vulnerabilities can also be
exploited in similar ways. Consider, for example, the code located in
'delete_query.aspx':
 
/-----
...
26 if (IsPostBack)
27 {
28     // do delete here
29     sql = @"delete queries where qu_id = $1";
30     sql = sql.Replace("$1", row_id.Value);
31     btnet.DbUtil.execute_nonquery(sql);
32     Server.Transfer ("queries.aspx");
33 }
...
-----/
 In line 30, the value of 'row_id' is injected without sanitization into
the SQL query. This value arrives to the server in a hidden field of a
client request. As a result, a malicious user can manipulate this value
in order to execute code in the database layer of the application.
 
 
8. *Report Timeline*
 
. 2010-11-29:
Core Security Technologies notifies the BugTracker team of the
vulnerability, setting the estimated publication date of the advisory to
December 20th 2010.
 
. 2010-11-29:
The BugTracker team asks Core for a technical description of the
vulnerability.
 
. 2010-11-29:
Technical details sent to BugTracker team.
 
. 2010-11-29:
The BugTracker team acknowledges the report and notifies they will fix
all issues in 1 or 2 working days.
 
. 2010-11-30:
The BugTracker team notifies that a patched version is publicly
available at Sourceforge and Codeplex.
 
. 2010-11-30:
The advisory CORE-2010-1109 is published.
 
 
9. *References*
 
[1] BugTracker.NET official website:
[http://ifdefined.com/bugtrackernet.html].
[2] BugTracker.NET Source Forge project:
[http://sourceforge.net/projects/btnet/].



#  0day.today [2018-04-14]  #