[UNIX] Contrexx SQL Injection, Information Disclosure and Cross-Site Scripting

From: SecuriTeam (support_at_securiteam.com)
Date: 07/25/05

  • Next message: SecuriTeam: "[UNIX] Lantronix SecureLinx Console Server Information Disclosure"
    To: list@securiteam.com
    Date: 25 Jul 2005 18:28:56 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Contrexx SQL Injection, Information Disclosure and Cross-Site Scripting
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.contrexx.com/> Contrexx is "a commercial content management
    system that has been released as an open source product lately. It
    features typical CMS features like content pages, polls, news, RSS feed
    aggregation and newsletters, split up in modules".

    Multiple vulnerabilities discovered in Contrexx CMS, exploiting these
    allows malicious attacker to endanger the system's integrity, to retrieve
    sensitive credential information and to commit cross site scripting
    attacks.

    DETAILS

    Vulnerable Systems:
     * Contrexx version prior to 1.0.5

    Immune Systems:
     * Contrexx version 1.0.5

    The search and the blog aggregation module are vulnerable to Cross-Site
    Scripting, allowing malicious users to hijack user or admin sessions.
    Unfiltered user input in the poll module allows for MySQL version
    disclosure, and might facilitate further SQL injection attacks under MySQL
    5 with subselects. SQL Injection in the gallery module can be used to
    select arbitrary data, including a complete list of username/password hash
    combinations. A bundled XML file discloses the Contrexx version in use.

    SQL injection in poll module:
    The poll module in Contrexx is made up like any other web-based poll:
    users can vote for one of several choices by clicking a radio button and
    submitting the poll form. The value of the radio button is an integer
    value that is passed to the SQL abstraction layer without any checks or
    casts:
    $query="SELECT voting_system_id from ".DBPREFIX."voting_results WHERE
    id=".$_POST["votingoption"]." ";
    $db->query($query);

    By saving, changing and submitting a modified poll form to the server, an
    attacker can get the MySQL server to disclose its version. On top of that,
    the results of aforementioned query are fed directly into an UPDATE
    statement that thus can be modified by changing the WHERE clause This can
    be used to spike polls and may be used for other injection with MySQL5's
    subselects. With magic_quotes_gpc=Off, more evil can be done.
    This is facilitated by the ridiculous input filtering that basically
    checks for SELECT, UPDATE, AND and OR, but leaves /**/SELECT, UPDATE/**/,
    &&, || untouched.

    SQL injection in gallery module:
    The pId parameter in Contrexx's gallery module is passed to the database
    layer completely unfiltered:
    if(isset($_GET['pId']) && !empty($_GET['pId'])){
      $this->showPicture($_GET['pId']);
    }
    and in method showPicture():
    $objDb->query("SELECT id,name,path,linkname,link,size_show
                     FROM ".DBPREFIX."module_gallery_pictures
                     WHERE id=".$pictureId);

    An attacker can append arbitrary SQL to the pId parameter, including UNION
    SELECT. However, since there is some - err - "filtering" going on,
    keywords like SELECT, UNION, AND or similar need to be pre- or postfixed
    with an empty SQL comment. Using this injection, it is very easy to obtain
    a full list of usernames and password hashes which can then be cracked
    with a premade MD5 rainbow table.

    Cross Site Scripting in the search form:
    Plain and simple XSS, exploitable via GET and POST on the front-end search
    form. See below for PoC, it's very straightforward. The input sanitation
    functions seem to differ between Contrexx versions - it was possible to
    inject script code without any additional characters on the Contrexx web
    site (http://www.contrexx.com/).
    Contrexx' input filters filter out "<script>", but, for some unknown
    reason, do not touch "<scr\ipt>".

    Cross Site Scripting in blog aggregation module:
    Blog aggregation is used to create a "blog roll" for daily perusal by
    administrators or normal web site users. A malicious person could use
    their leet social engineering skills to persuade a Contrexx administrator
    that their blog is worth a daily read - prompting said admin to include
    this blog in their Contrexx blog aggregation. Then, the attacker could
    embed script code in one of their blog entries. Since no input filtering
    is done on incoming RSS aggregations, this script code is displayed in the
    front-end aggregation module and also in the admin backend (if the
    administrator clicks on "preview"). With the resulting XSS an attacker
    could steal the admin's cookies and hijack their session.

    Version disclosure:
    In a default installation of Contrexx, a file named "config/version.xml"
    is created upon installation. It contains the exact version information
    for the Contrexx installation.

    Proof of Concept:
    1) Modify one of the poll "votingoption" parameters to read like this:
    value="1 /*!50030%20s*/" and submit the form. Repeat until no SQL error is
    displayed - you have found the MySQL version running on the server. More
    SQL injection: value="123 UNION/**/ SELECT/**/ '1 OR 1=1'"
    2) /index.php?section=gallery&cmd=showCat
    &cid=41&pId=1%20/**/UNION/**/%20/**/
    SELECT/**/%201,1,CONCAT(username,'-',password),1,1,1%20/**/FROM%20
    contrexx_access_users
    3) /index.php?section=search
    &term=%22%3E%3Cscr\ipt%3Ealert(%22xss%22)%3C/sc\ript%3E
    4) Create a blog entry with the title <script>alert('xss')</script>. Have
    this blog aggregated by Contrexx. Stir. Enjoy.
    5) See /config/version.xml in your Contrexx installation.

    Disclosure Timeline:
     * 08.07.05 - Vendor informed
     * 10.07.05 - One more bug disclosed to vendor, including PoC
     * 19.07.05 - Vendor has released updated version
     * 22.07.05 - Public disclosure

    Vendor Status:
    Vendor has released updated version - 1.0.5, which is available from the
    vendor's homepage, <www.contrexx.com> www.contrexx.com.

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:christopher.kunz@hardened-php.net> Christopher Kunz.
    The original article can be found at:
    <http://www.hardened-php.net/advisory_112005.59.html>
    http://www.hardened-php.net/advisory_112005.59.html

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


  • Next message: SecuriTeam: "[UNIX] Lantronix SecureLinx Console Server Information Disclosure"