Monday, June 11, 2007

[UNIX] JFFNMS Multiple Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - - - - - - - -

JFFNMS Multiple Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Two security vulnerabilities have been discovered in JFFNMS. They allow
unauthenticated users to inject arbitrary SQL, and to inject arbitrary HTML
and/or Javascript:

1) The JFFNMS authentication mechanism has high risk issues. These lead to
SQL injection allowing authentication bypass, and to Javascript injection.
There is also a potential backdoor, although this is unlikely to be
exploitable.

2) JFFNMS ships default PHP scripts which can lead to information
disclosure to an unauthenticated user.

DETAILS

Vulnerable Systems:
* JFFNMS version 0.8.3

Immune Systems:
* JFFNMS version 0.8.4-pre3 and newer

Technical Details
1) Where the web server hosting the PHP interpreter has been configured
with magic_quotes_gpc disabled, it is possible to inject both SQL and
Javascript through the auth.php script. This script uses two request
parameters, the username and the password (user and pass in the URL below),
which are normally populated during the authentication process. The
username is placed into the SQL query without escaping, so a request for
the following URL, for example:
http://192.168.1.1/auth.php?user='%20union%20select%202, 'admin', '$1$RxS1ROtX$IzA1S3fcCfyVfA9rwKBMi.', 'Administrator'/*&pass=

closes the string literal, appends a UNION SELECT that returns a row of the
attacker's choosing (a user id, the username admin, a password hash the
attacker selected, and the display name Administrator) and comments out the
remainder of the original query. It is therefore possible to bypass the
authentication mechanism and authenticate as the admin user.

These parameters are also used to generate an audit trail of access to the
application and to populate the login form. The former may allow
modification of existing data held on the web server; the latter allows
Javascript injection, which could let intruders execute malicious code in
visitors' browsers, for example:
http://192.168.1.1/auth.php?user='<html><body><script>alert('xss')</script></body></html>

This injection point results in the code being executed more than once:
the leading tick also causes an SQL error in the audit trail code, and the
error output, which contains the submitted value, is returned to the
visitor before the populated login form.

Potential intruders could use this to execute malicious code on visitors'
computers.
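
To make the two auth.php issues concrete, the following is an added Python
example; it is not JFFNMS code and is not part of the advisory. It models
the username lookup with an in-memory SQLite table (the table and column
names, and the use of SHA-256 where the advisory payload carries an MD5-crypt
hash, are assumptions made for the example), runs the advisory's own UNION
payload through a string-concatenated query and through a parameterised one,
and shows the login form reflection sink with and without output encoding.

```python
import hashlib
import html
import sqlite3
from urllib.parse import parse_qs, urlsplit

# The advisory's bypass URL; it is URL-decoded below so the exact payload can be run.
ADVISORY_URL = ("http://192.168.1.1/auth.php?user='%20union%20select%202, 'admin', "
                "'$1$RxS1ROtX$IzA1S3fcCfyVfA9rwKBMi.', 'Administrator'/*&pass=")


def hash_password(pw):
    # Stand-in (assumption) for the MD5-crypt hashes JFFNMS stores.
    return hashlib.sha256(pw.encode()).hexdigest()


def make_db():
    # Constructed stand-in for the user table; names and layout are assumptions.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER, user TEXT, pass TEXT, name TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'admin', ?, 'Administrator')",
               (hash_password("correct horse battery"),))
    return db


def lookup_vulnerable(db, user):
    # Username concatenated straight into the query: with magic_quotes_gpc off,
    # the tick in the payload ends the literal and the rest is parsed as SQL.
    sql = "SELECT id, user, pass, name FROM users WHERE user = '%s'" % user
    return db.execute(sql).fetchone()


def lookup_safe(db, user):
    # Bound parameter: the payload is compared as a plain string and matches no row.
    sql = "SELECT id, user, pass, name FROM users WHERE user = ?"
    return db.execute(sql, (user,)).fetchone()


def login(db, user, password, lookup):
    # Returns the authenticated username or None. The password check is assumed
    # to compare the submitted password's hash with the hash in the returned row,
    # which is exactly what the injected row lets the attacker control.
    row = lookup(db, user)
    if row is not None and row[2] == hash_password(password):
        return row[1]
    return None


def bypass_payload(known_password):
    # UNION in a row whose hash the attacker can satisfy; /* swallows the rest of
    # the original query, as in the advisory URL.
    return "' union select 2, 'admin', '%s', 'Administrator'/*" % hash_password(known_password)


def advisory_params():
    # Decode the advisory URL; keep_blank_values retains the empty pass= parameter.
    return parse_qs(urlsplit(ADVISORY_URL).query, keep_blank_values=True)


def render_login_form(user, escape=True):
    # Reflecting the submitted username into the form is the XSS sink described
    # above; escape=False reproduces it, escape=True is the fix (HTML entity encoding).
    value = html.escape(user, quote=True) if escape else user
    return '<input type="text" name="user" value="%s">' % value


if __name__ == "__main__":
    db = make_db()
    params = advisory_params()
    print("advisory payload, concatenated query:", lookup_vulnerable(db, params["user"][0]))
    print("advisory payload, bound parameter:   ", lookup_safe(db, params["user"][0]))
    print("bypass login (vulnerable):", login(db, bypass_payload("owned"), "owned", lookup_vulnerable))
    print("bypass login (safe):      ", login(db, bypass_payload("owned"), "owned", lookup_safe))
    xss = "'<html><body><script>alert('xss')</script></body></html>"
    print(render_login_form(xss, escape=False))
    print(render_login_form(xss))
```

Running the advisory's decoded user parameter through the concatenated
query returns the injected row (id 2, admin, the attacker's hash,
Administrator) even though no such user exists; the bound-parameter
version returns nothing. The unescaped form reflects the script tag
verbatim, the escaped form emits `&lt;script&gt;`.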

Finally, the auth.php PHP script also includes the following code:
if (($jffnms_version=="0.0.0") &&
($_SERVER["REMOTE_ADDR"]=="128.30.52.13")) {

which could be considered a backdoor although it does not appear to be
exploitable in a typical installation.

2) The application also includes two default PHP scripts which can disclose
information to an unauthenticated user, depending on the web server and
application configuration:

http://192.168.1.1/admin/setup.php
http://192.168.1.1/admin/adm/test.php

The setup.php PHP script discloses and indeed allows modification of the
application configuration, whilst the test.php PHP script calls the
phpinfo() function and returns its results.

Both appeared to be accessible in the default installation.
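
As an added check (not part of the advisory or of JFFNMS), the following
POSIX shell script probes an installation for the two default scripts named
above and flags a response that carries phpinfo() markers. It assumes curl
is installed and that BASE is set to the web root of the installation being
checked; the classification rules are the author's own assumptions.

```shell
#!/bin/sh
# Probe a JFFNMS web root for the two default scripts listed in the advisory.
# Added example, not part of the advisory or of JFFNMS. Assumes curl and that
# BASE names the web root, e.g.  BASE=http://192.168.1.1 sh probe.sh

# classify STATUS BODY -> phpinfo-exposed | present | absent
# A 200 whose body carries phpinfo() markers is the test.php case; any other
# 200 is reported as present so that setup.php can be reviewed by hand.
classify() {
    status="$1"
    body="$2"
    if [ "$status" != "200" ]; then
        echo absent
        return
    fi
    case "$body" in
        *"PHP Version"*|*"phpinfo()"*) echo phpinfo-exposed ;;
        *) echo present ;;
    esac
}

# probe BASE PATH -> prints "PATH verdict". Unauthenticated request, no cookies,
# so a hit means the script is reachable without logging in.
probe() {
    tmp=$(mktemp)
    status=$(curl -s --max-time 10 -o "$tmp" -w '%{http_code}' "$1$2")
    body=$(cat "$tmp")
    rm -f "$tmp"
    printf '%s %s\n' "$2" "$(classify "$status" "$body")"
}

if [ -n "$BASE" ]; then
    probe "$BASE" /admin/setup.php
    probe "$BASE" /admin/adm/test.php
fi
```

A connection failure makes curl report status 000, which is classified as
absent; review a `present` verdict for setup.php manually, since the
advisory states that the script both discloses and allows modification of
the application configuration.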

Solutions:
Following vendor notification on the 24th May 2007, the vendor promptly
responded with an initial patch which fixed the most serious case of
authentication bypass. After additional testing by Nth Dimension, further
changes were recommended and the vendor responded with a second patch
which has been attached along with this advisory. Nth Dimension would
recommend applying this patch as soon as possible. Alternatively, nightly
builds from 0.8.4-pre3 (available at http://www.jffnms.org/nightly/)
onwards also include this patch. Nth Dimension would like to thank Javier
and Craig from JFFNMS for the way they worked to resolve the issue.


ADDITIONAL INFORMATION

The information has been provided by Tim Brown <timb@nth-dimension.org.uk>.


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.