Monday, July 25, 2005

[UNIX] Contrexx SQL Injection, Information Disclosure and Cross-Site Scripting

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -

Contrexx SQL Injection, Information Disclosure and Cross-Site Scripting
------------------------------------------------------------------------

SUMMARY

<http://www.contrexx.com/> Contrexx is "a commercial content management
system that has been released as an open source product lately. It
features typical CMS features like content pages, polls, news, RSS feed
aggregation and newsletters, split up in modules".

Multiple vulnerabilities discovered in Contrexx CMS, exploiting these
allows malicious attacker to endanger the system's integrity, to retrieve
sensitive credential information and to commit cross site scripting
attacks.

DETAILS

Vulnerable Systems:
* Contrexx version prior to 1.0.5

Immune Systems:
* Contrexx version 1.0.5

The search and the blog aggregation module are vulnerable to Cross-Site
Scripting, allowing malicious users to hijack user or admin sessions.
Unfiltered user input in the poll module allows for MySQL version
disclosure, and might facilitate further SQL injection attacks under MySQL
5 with subselects. SQL Injection in the gallery module can be used to
select arbitrary data, including a complete list of username/password hash
combinations. A bundled XML file discloses the Contrexx version in use.

SQL injection in poll module:
The poll module in Contrexx is made up like any other web-based poll:
users can vote for one of several choices by clicking a radio button and
submitting the poll form. The value of the radio button is an integer
value that is passed to the SQL abstraction layer without any checks or
casts:
$query="SELECT voting_system_id from ".DBPREFIX."voting_results WHERE
id=".$_POST["votingoption"]." ";
$db->query($query);

By saving, changing and submitting a modified poll form to the server, an
attacker can get the MySQL server to disclose its version. On top of that,
the results of aforementioned query are fed directly into an UPDATE
statement that thus can be modified by changing the WHERE clause This can
be used to spike polls and may be used for other injection with MySQL5's
subselects. With magic_quotes_gpc=Off, more evil can be done.
This is facilitated by the ridiculous input filtering that basically
checks for SELECT, UPDATE, AND and OR, but leaves /**/SELECT, UPDATE/**/,
&&, || untouched.

SQL injection in gallery module:
The pId parameter in Contrexx's gallery module is passed to the database
layer completely unfiltered:
if(isset($_GET['pId']) && !empty($_GET['pId'])){
$this->showPicture($_GET['pId']);
}
and in method showPicture():
$objDb->query("SELECT id,name,path,linkname,link,size_show
FROM ".DBPREFIX."module_gallery_pictures
WHERE id=".$pictureId);

An attacker can append arbitrary SQL to the pId parameter, including UNION
SELECT. However, since there is some - err - "filtering" going on,
keywords like SELECT, UNION, AND or similar need to be pre- or postfixed
with an empty SQL comment. Using this injection, it is very easy to obtain
a full list of usernames and password hashes which can then be cracked
with a premade MD5 rainbow table.

Cross Site Scripting in the search form:
Plain and simple XSS, exploitable via GET and POST on the front-end search
form. See below for PoC, it's very straightforward. The input sanitation
functions seem to differ between Contrexx versions - it was possible to
inject script code without any additional characters on the Contrexx web
site (http://www.contrexx.com/).
Contrexx' input filters filter out "<script>", but, for some unknown
reason, do not touch "<scr\ipt>".

Cross Site Scripting in blog aggregation module:
Blog aggregation is used to create a "blog roll" for daily perusal by
administrators or normal web site users. A malicious person could use
their leet social engineering skills to persuade a Contrexx administrator
that their blog is worth a daily read - prompting said admin to include
this blog in their Contrexx blog aggregation. Then, the attacker could
embed script code in one of their blog entries. Since no input filtering
is done on incoming RSS aggregations, this script code is displayed in the
front-end aggregation module and also in the admin backend (if the
administrator clicks on "preview"). With the resulting XSS an attacker
could steal the admin's cookies and hijack their session.

Version disclosure:
In a default installation of Contrexx, a file named "config/version.xml"
is created upon installation. It contains the exact version information
for the Contrexx installation.

Proof of Concept:
1) Modify one of the poll "votingoption" parameters to read like this:
value="1 /*!50030%20s*/" and submit the form. Repeat until no SQL error is
displayed - you have found the MySQL version running on the server. More
SQL injection: value="123 UNION/**/ SELECT/**/ '1 OR 1=1'"
2) /index.php?section=gallery&cmd=showCat
&cid=41&pId=1%20/**/UNION/**/%20/**/
SELECT/**/%201,1,CONCAT(username,'-',password),1,1,1%20/**/FROM%20
contrexx_access_users
3) /index.php?section=search
&term=%22%3E%3Cscr\ipt%3Ealert(%22xss%22)%3C/sc\ript%3E
4) Create a blog entry with the title <script>alert('xss')</script>. Have
this blog aggregated by Contrexx. Stir. Enjoy.
5) See /config/version.xml in your Contrexx installation.

Disclosure Timeline:
* 08.07.05 - Vendor informed
* 10.07.05 - One more bug disclosed to vendor, including PoC
* 19.07.05 - Vendor has released updated version
* 22.07.05 - Public disclosure

Vendor Status:
Vendor has released updated version - 1.0.5, which is available from the
vendor's homepage, <www.contrexx.com> www.contrexx.com.

ADDITIONAL INFORMATION

The information has been provided by
<mailto:christopher.kunz@hardened-php.net> Christopher Kunz.
The original article can be found at:
<http://www.hardened-php.net/advisory_112005.59.html>
http://www.hardened-php.net/advisory_112005.59.html

========================================

This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments:

Post a Comment