Advisory: Multiple SQLi, stored/reflecting XSS- and CSRF-vulnerabilities in
phpBugTracker v.1.6.0
Advisory ID: SROEADV-2015-16
Author: Steffen Rösemann
Affected Software: phpBugTracker v.1.6.0
Vendor URL: https://github.com/a-v-k/
Vendor Status: patched
CVE-ID: will asked to be assigned after release on FullDisclosure via
OSS-list
Tested on: OS X 10.10 with Firefox 35.0.1 ; Kali Linux 3.18, Iceweasel 31
==========================
Vulnerability Description:
==========================
The Issuetracker phpBugTracker v. 1.6.0 suffers from multiple SQLi-,
stored/reflected XSS- and CSRF-vulnerabilities.
==================
Technical Details:
==================
The following files used in a common phpBugTracker installation suffer from
different SQLi-, stored/reflected XSS- and CSRF-vulnerabilities:
===========
project.php
===========
SQL injection / underlaying CSRF vulnerability in project.php via id
parameter:
http://
{TARGET}/admin/project.php?op=
Stored XSS via input field "project name":
http://{TARGET}/admin/project.
executed in: e.g. http://{TARGET}/admin/project.
{TARGET}/index.php
========
user.php
========
Reflecting XSS in user.php via use_js parameter:
http://
{TARGET}/admin/user.php?op=
executed in: same page
=========
group.php
=========
Reflecting XSS in group.php via use_js parameter:
http://
{TARGET}/admin/group.php?op=
executed in: same page
(Blind) SQL Injection / underlaying CSRF vulnerability in group.php via
group_id parameter (used in different operations):
http://
{TARGET}/admin/group.php?op=
http://
{TARGET}/admin/group.php?op=
==========
status.php
==========
SQL injection / underlaying CSRF vulnerability in status.php via status_id
parameter:
http://
{TARGET}/admin/status.php?op=
Stored XSS via input field "Description":
http://{TARGET}/admin/status.
executed in: e.g. http://{TARGET}/admin/status.
CSRF vulnerability in status.php (delete statuses):
<img src="http://{TARGET}/admin/
>
==============
resolution.php
==============
SQL injection / underlaying CSRF vulnerability in resolution.php via
resolution_id parameter:
http://
{TARGET}/admin/resolution.php?
CSRF vulnerability in resolution.php (delete resolutions):
<img src="http://{TARGET}/admin/
>
============
severity.php
============
SQL injection / underlaying CSRF vulnerability in severity.php via
severity_id parameter:
http://
{TARGET}/admin/severity.php?
CSRF vulnerability in severity.php (delete severities):
<img src="http://{TARGET}/admin/
>
Stored XSS in severity.php via input field "Description":
http://{TARGET}/admin/
executed in: e.g. http://{TARGET}/admin/
============
priority.php
============
SQL injection / underlaying CSRF vulnerability in priority.php via
priority_id parameter:
http://
{TARGET}/admin/priority.php?
======
os.php
======
SQL Injection / underlaying CSRF vulnerability in os.php via os_id
parameter:
http://
{TARGET}/admin/os.php?op=edit&
CSRF vulnerability in os.php (delete operating systems):
<img src="http://{TARGET}/admin/os.
Stored XSS vulnerability in os.php via input field "Regex":
http://{TARGET}/admin/os.php?
executed in: e.g. http://{TARGET}/admin/os.php?
============
database.php
============
SQL injection / underlaying CSRF vulnerability in database.php via
database_id:
http://
{TARGET}/admin/database.php?
CSRF vulnerability in database.php (delete databases):
<img src="http://{TARGET}/admin/
>
Stored XSS vulnerability in database.php via input field "Name":
http://{TARGET}/admin/
========
site.php
========
CSRF vulnerability in site.php (delete sites):
<img src="http://{TARGET}/admin/
SQL injection / underlaying CSRF vulnerability in site.php via site_id
parameter:
http://
{TARGET}/admin/site.php?op=
=======
bug.php
=======
This issue has already been assigned CVE-2004-1519, but seems to have not
been corrected since the assignment:
SQL injection / underlaying CSRF vulnerability in bug.php via project
parameter:
http://
{TARGET}/bug.php?op=add&
For details see http://cve.mitre.org/cgi-bin/
=========
Solution:
=========
Update to version 1.7.0.
====================
Disclosure Timeline:
====================
03/05-Feb-2015 – found the vulnerabilities
05-Feb-2015 - informed the developers (see [3])
05-Feb-2015 – release date of this security advisory [without technical
details]
05-Feb-2015 - forked the Github repository, to keep it available for other
security researchers (see [4])
05/06-Feb-2015 - vendor replied, will provide a patch for the
vulnerabilities
09-Feb-2015 - vendor provided a patch (version 1.7.0, see [3]); technical
details will be released on 19th February 2015
19-Feb-2015 - release date of this security advisory
19-Feb-2015 - send to FullDisclosure
========
Credits:
========
Vulnerabilities found and advisory written by Steffen Rösemann.
===========
References:
===========
[1] https://github.com/a-v-k/
[2] http://sroesemann.blogspot.de/
[3] https://github.com/a-v-k/
[4] https://github.com/sroesemann/
phpBugTracker v.1.6.0
Advisory ID: SROEADV-2015-16
Author: Steffen Rösemann
Affected Software: phpBugTracker v.1.6.0
Vendor URL: https://github.com/a-v-k/
Vendor Status: patched
CVE-ID: will asked to be assigned after release on FullDisclosure via
OSS-list
Tested on: OS X 10.10 with Firefox 35.0.1 ; Kali Linux 3.18, Iceweasel 31
==========================
Vulnerability Description:
==========================
The Issuetracker phpBugTracker v. 1.6.0 suffers from multiple SQLi-,
stored/reflected XSS- and CSRF-vulnerabilities.
==================
Technical Details:
==================
The following files used in a common phpBugTracker installation suffer from
different SQLi-, stored/reflected XSS- and CSRF-vulnerabilities:
===========
project.php
===========
SQL injection / underlaying CSRF vulnerability in project.php via id
parameter:
http://
{TARGET}/admin/project.php?op=
Stored XSS via input field "project name":
http://{TARGET}/admin/project.
executed in: e.g. http://{TARGET}/admin/project.
{TARGET}/index.php
========
user.php
========
Reflecting XSS in user.php via use_js parameter:
http://
{TARGET}/admin/user.php?op=
executed in: same page
=========
group.php
=========
Reflecting XSS in group.php via use_js parameter:
http://
{TARGET}/admin/group.php?op=
executed in: same page
(Blind) SQL Injection / underlaying CSRF vulnerability in group.php via
group_id parameter (used in different operations):
http://
{TARGET}/admin/group.php?op=
http://
{TARGET}/admin/group.php?op=
==========
status.php
==========
SQL injection / underlaying CSRF vulnerability in status.php via status_id
parameter:
http://
{TARGET}/admin/status.php?op=
Stored XSS via input field "Description":
http://{TARGET}/admin/status.
executed in: e.g. http://{TARGET}/admin/status.
CSRF vulnerability in status.php (delete statuses):
<img src="http://{TARGET}/admin/
>
==============
resolution.php
==============
SQL injection / underlaying CSRF vulnerability in resolution.php via
resolution_id parameter:
http://
{TARGET}/admin/resolution.php?
CSRF vulnerability in resolution.php (delete resolutions):
<img src="http://{TARGET}/admin/
>
============
severity.php
============
SQL injection / underlaying CSRF vulnerability in severity.php via
severity_id parameter:
http://
{TARGET}/admin/severity.php?
CSRF vulnerability in severity.php (delete severities):
<img src="http://{TARGET}/admin/
>
Stored XSS in severity.php via input field "Description":
http://{TARGET}/admin/
executed in: e.g. http://{TARGET}/admin/
============
priority.php
============
SQL injection / underlaying CSRF vulnerability in priority.php via
priority_id parameter:
http://
{TARGET}/admin/priority.php?
======
os.php
======
SQL Injection / underlaying CSRF vulnerability in os.php via os_id
parameter:
http://
{TARGET}/admin/os.php?op=edit&
CSRF vulnerability in os.php (delete operating systems):
<img src="http://{TARGET}/admin/os.
Stored XSS vulnerability in os.php via input field "Regex":
http://{TARGET}/admin/os.php?
executed in: e.g. http://{TARGET}/admin/os.php?
============
database.php
============
SQL injection / underlaying CSRF vulnerability in database.php via
database_id:
http://
{TARGET}/admin/database.php?
CSRF vulnerability in database.php (delete databases):
<img src="http://{TARGET}/admin/
>
Stored XSS vulnerability in database.php via input field "Name":
http://{TARGET}/admin/
========
site.php
========
CSRF vulnerability in site.php (delete sites):
<img src="http://{TARGET}/admin/
SQL injection / underlaying CSRF vulnerability in site.php via site_id
parameter:
http://
{TARGET}/admin/site.php?op=
=======
bug.php
=======
This issue has already been assigned CVE-2004-1519, but seems to have not
been corrected since the assignment:
SQL injection / underlaying CSRF vulnerability in bug.php via project
parameter:
http://
{TARGET}/bug.php?op=add&
For details see http://cve.mitre.org/cgi-bin/
=========
Solution:
=========
Update to version 1.7.0.
====================
Disclosure Timeline:
====================
03/05-Feb-2015 – found the vulnerabilities
05-Feb-2015 - informed the developers (see [3])
05-Feb-2015 – release date of this security advisory [without technical
details]
05-Feb-2015 - forked the Github repository, to keep it available for other
security researchers (see [4])
05/06-Feb-2015 - vendor replied, will provide a patch for the
vulnerabilities
09-Feb-2015 - vendor provided a patch (version 1.7.0, see [3]); technical
details will be released on 19th February 2015
19-Feb-2015 - release date of this security advisory
19-Feb-2015 - send to FullDisclosure
========
Credits:
========
Vulnerabilities found and advisory written by Steffen Rösemann.
===========
References:
===========
[1] https://github.com/a-v-k/
[2] http://sroesemann.blogspot.de/
[3] https://github.com/a-v-k/
[4] https://github.com/sroesemann/