BugTracker.Net 3.4.4 Multiple Vulnerabilities

ID 1337DAY-ID-15019
Type zdt
Reporter Core Security
Modified 2010-12-02T00:00:00



1. *Advisory Information*
Title: Multiple vulnerabilities in BugTracker.Net
Advisory Id: CORE-2010-1109
Advisory URL:
Date published: 2010-11-30
Date of last update: 2010-11-30
Vendors contacted: BugTracker.NET team
Release mode: Coordinated release
2. *Vulnerability Information*
Class: Cross site scripting [CWE-79], SQL injection [CWE-89]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2010-3266, CVE-2010-3267
Bugtraq ID: N/A
3. *Vulnerability Description*
BugTracker.NET [1][2] is an open-source web-based bug tracker written
using ASP.NET, C#, and Microsoft SQL Server. Several cross-site
scripting and SQL-injection vulnerabilities were found in the following
files of BugTracker.NET:
   . *bugs.aspx*. SQL injection in line 141.
   . *delete_query.aspx*. No sanitization for 'row_id.Value' in line 30.
   . *edit_bug.aspx*. Variables without sanitization in lines 1846 and 1857.
   . *edit_bug.aspx*. No sanitization for variable 'new_project', line 2214.
   . *edit_bug.aspx*. XSS in line 2918.
   . *edit_comment.aspx*. XSS in line 233.
   . *edit_customfield.aspx*. Lines 165 and 172, no sanitization.
   . *edit_user_permissions2.aspx*. XSS in line 40.
   . *massedit.aspx*. SQL Injection in line 162.
4. *Vulnerable packages*
   . BugTracker.NET v3.4.4.
   . Older versions are probably affected too, but they were not checked.
5. *Non-vulnerable packages*
   . BugTracker.NET v3.4.5.
6. *Credits*
This vulnerability was discovered and researched by Damián Saura
and Alejandro Frydman from Core Security Technologies.
7. *Technical Description / Proof of Concept Code*
7.1. *XSS Vulnerabilities*
[CVE-2010-3266 | N/A]. All XSS vulnerabilities can be exploited in
similar ways. The following proof of concept shows how to exploit the
XSS found in 'edit_comment.aspx':
230 <div class=align>
231 <table border=0><tr><td>
233 <a href=edit_bug.aspx?id=<% Response.Write(Request["bug_id"]);%>>back to <% Response.Write(btnet.Util.get_setting("SingularBugLabel","bug")); %></a>
234 <form class=frm runat="server">
236    <table border=0>
First, log in to BugTracker and create a comment in a previously created
bug. Then, edit it using this URL:
As a result, the JavaScript code injected into the parameter 'bug_id'
is rendered without sanitization in line 233 and executed in the
context of the client's web browser.
7.2. *SQL Injection Vulnerabilities*
[CVE-2010-3267 | N/A]. All SQL injection vulnerabilities can also be
exploited in similar ways. Consider, for example, the code located in
'delete_query.aspx':
26 if (IsPostBack)
27 {
28     // do delete here
29     sql = @"delete queries where qu_id = $1";
30     sql = sql.Replace("$1", row_id.Value);
31     btnet.DbUtil.execute_nonquery(sql);
32     Server.Transfer ("queries.aspx");
33 }
In line 30, the value of 'row_id' is injected without sanitization into
the SQL query. This value reaches the server in a hidden field of a
client request. As a result, a malicious user can manipulate this value
in order to execute code in the database layer of the application.
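As an added illustration that is neither part of this advisory nor of the BugTracker.NET source, the two patterns quoted above rewritten in C#/ADO.NET so that the hidden-field and query-string values are handled strictly as data; the class and method names are assumed, and the 'label' argument stands in for the value read from btnet.Util.get_setting in the original.

```csharp
// Added example, not BugTracker.NET code: the two unsafe patterns quoted above
// rewritten so that request-supplied values are handled strictly as data.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

public static class SafeQueries
{
    // Shape of delete_query.aspx line 30 as reported: the hidden field is
    // spliced into the SQL text, so a non-numeric value rewrites the statement.
    public static string BuildDeleteUnsafe(string rowId)
    {
        string sql = @"delete queries where qu_id = $1";
        return sql.Replace("$1", rowId);
    }

    // Hardened form: check the type first, then bind a typed parameter. The SQL
    // text is a constant; the driver sends the value separately, so it can
    // never change the statement. Returns the number of rows deleted.
    public static int DeleteQuery(SqlConnection conn, string rowId)
    {
        int quId;
        if (!int.TryParse(rowId, out quId))
            throw new ArgumentException("row_id must be an integer", "rowId");

        using (SqlCommand cmd = new SqlCommand(
                   "DELETE FROM queries WHERE qu_id = @qu_id", conn))
        {
            cmd.Parameters.Add("@qu_id", SqlDbType.Int).Value = quId;
            return cmd.ExecuteNonQuery();
        }
    }

    // Hardened form of the back-link in edit_comment.aspx line 233: only a
    // numeric bug_id is accepted, and the value is still encoded for the
    // attribute context it lands in (defence in depth if the check is relaxed).
    public static string BuildBackLink(string bugId, string label)
    {
        int id;
        if (!int.TryParse(bugId, out id))
            return string.Empty;   // invalid id: render no link, never echo input

        return "<a href=\"edit_bug.aspx?id=" + HttpUtility.HtmlAttributeEncode(id.ToString())
             + "\">back to " + HttpUtility.HtmlEncode(label) + "</a>";
    }
}
```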
8. *Report Timeline*
. 2010-11-29:
Core Security Technologies notifies the BugTracker team of the
vulnerability, setting the estimated publication date of the advisory to
December 20th 2010.
. 2010-11-29:
The BugTracker team asks Core for a technical description of the
. 2010-11-29:
Technical details sent to BugTracker team.
. 2010-11-29:
The BugTracker team acknowledges the report and announces that they will
fix all issues in 1 or 2 working days.
. 2010-11-30:
The BugTracker team notifies that a patched version is publicly
available at Sourceforge and Codeplex.
. 2010-11-30:
The advisory CORE-2010-1109 is published.
9. *References*
[1] BugTracker.NET official website:
[2] BugTracker.NET Source Forge project:

#  0day.today [2016-04-20]  #