lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 20 May 2010 10:45:30 -0400
From: S├ębastien Duquette
Subject: GVI 2010-02 Multiple vulnerabilities in Open-AudIT

GVI-2010-02 : Multiple vulnerabilities in Open-AudIT

1 Overview

Excerpt from :
"Open-AudIT is an application to tell you exactly what is on your
network, how
it is configured and when it changes. Open-AudIT will run on Windows and
systems. Essentially, Open-AudIT is a database of information, that can be
queried via a web interface."

2 Description

Multiple security issues were discovered which can be categorized as :

    - Lack of Authentication
    - SQL Injection
    - Cross-Site Scripting
    - Local File Include

3 Details

Product            : Open-AudiT
Versions           : 20081013, 20091223-RC
Vulnerability Type : authentication, SQLi, XSS, LFI
Discovered by      : S├ębastien Duquette (

Original Advisory :

4 Timeline

Patches were sent to the vendor. The vendor said that they are focussing on
version 2 of the product. Patches are not applied at disclosure date.

Vendor informed       : December 12th, 2009
Vendor Response       : December 13th, 2009
Update request        : January  14th, 2010
Vendor response       : January  14th, 2010
Update request        : February 19th, 2010
Vendor response       : February 21th, 2010
Patches sent          :    March 29th, 2010
Public Disclosure     :      May 20th, 2010

5 Analysis

5.1 Lack of Authentication

When the "Use Passwords" option is activated, Open-AudIT requires a user and
password to be provided to access the web administrative interface. However,
several scripts will not properly verify authentication before accepting

This allows an attacker to add or remove information in the database
the audited systems, obtain or modify system configurations like SMTP or
server addresses etc.

Also, the "backup" folder has user access rights by default, allowing
anyone to
grab any backup contained in the folder.

Please note that this problem is not fixed by the patch provided with this
advisory. To perform the inventorying on machines, Open-AudIT uses
vbscript on
Windows and bash scripts Linux and sends the data back via HTTP POST
The scripts currently do not support HTTP authentication.

| Affected scripts             |
| upgrade.php                  |
| admin_config_data.php        |
| delete_system.php            |
| admin_delete_all_systems.php |
| admin_nmap_input.php         |
| admin_pc_add_2.php           |
| delete_other.php             |
| delete_missed_audit.php      |
| ldap_audit_script.php        |
| ldap_login.php               |
| ldap_logout.php              |
| list.php                     |
| list_export.php              |
| system_post.php              |
| system_export.php            |
| php.php                      |

5.1.1 Proof of concept

Obtain the address of the LDAP server

Delete a system by it's ID

5.2 SQL Injection

Most SQL queries in the application do not sanitize the parameters. As an
example, here is an excerpt from the system_post.php file :

$sql  = "UPDATE other SET other_network_name = '" .
        $_REQUEST['other_network_name'] . "',";

Please refer to the provided patch for the complete list of affected

5.2.1 Proof of concept

This request will output the name of the mysql user and current database

This request will return a text file with the list of all audited systems

5.3 Cross-Site Scripting

Some instances of Cross-Site scripting were found in Open-AudIT. Below is a
table summarizing the affected variables.

| Script           |  Variable |
| include_lang.php |  language |
| list.php         |  view     |

5.3.1 Proof of concept


5.4 Local File Include

The include_lang.php script is vulnerable to local file include. Let's
take a
look at the code :

    if(!isset($language) or $language=="") $GLOBALS["language"]="en";

If  we can somehow manage to modify the language value, a local file include
would be possible by using a directory traversal. It so happens that the
setup.php script is not disabled or deleted once the installation is
and allows an unauthenticated user to modify the language value. See the
of concept below.

5.4.1 Proof of concept

Create a file named /tmp/test containing some php code. Send a POST
request to
setup.php with the following parameters :

    - language = %2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2ftest
    - step = 2

The script will then be included on pretty much every page.

The flaws disclosed in this advisory are unpatched at the day of the
We provide a patch against the latest version of the software. Please
note that
this patch was not extensively tested and does not fix all the issues.
It is
provided solely as a reference.

View attachment "open-audit.patch" of type "text/plain" (19934 bytes)

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists