BugTraq
[CVE-2013-2627, CVE-2013-2628, CVE-2013-2629] Leed (Light Feed) - Multiple vulnerabilities Dec 18 2013 08:25AM
Alexandre Herzog (alexandre herzog csnc ch)
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: Leed (Light Feed)
# Vendor: Valentin CARRUESCO aka Idleman
# CSNC ID: CSNC-2013-005 (SQL Injection), CSNC-2013-006 (CSRF), CSNC-2013-007 (Authentication Bypass)
# CVE ID: CVE-2013-2627 (SQL Injection), CVE-2013-2628 (CSRF), CVE-2013-2629 (Authentication Bypass)
# Subject: Multiple vulnerabilities (see above)
# Risk: High
# Effect: Remotely exploitable
# Author: Alexandre Herzog <alexandre.herzog (at) csnc (dot) ch [email concealed]>
# Date: 18.12.2013
#
#############################################################

Introduction:
-------------
Leed is a lightweight RSS/ATOM aggregator based on PHP. It can be hosted
on any server supporting PHP and aims to be an alternative to Google
Reader and its substitutes. [1]

Technical Description
---------------------

1. SQL injection (CSNC-2013-005 / CVE-2013-2627)
The SQL injection is in the id parameter of
leed/action.php?action=removeFolder&id=-1, as this user input does not get
properly escaped. Escaping is otherwise done consistently across the
remainder of the audited code. Exploiting this issue is tricky due to
the HTML encoding, but not impossible. For example, if SELECT @@version
returns '5.0.84-log' on the database, CAST(@@version AS SIGNED) returns 5,
so the injected value (before encoding) could be:
IF(CAST(@@version as signed) in(5),BENCHMARK(2000000,SHA1(0)),-1)
This blind SQL injection took ~5 seconds on my installation because the
condition is true. This way, information can be extracted one value at a
time from the MySQL tables.

2. Authorization bypasses in action.php (CSNC-2013-007 / CVE-2013-2629)
The following actions can be called anonymously, as the $myUser variable
isn't verified:
- importForm
- importFeed
- addFavorite
- removeFavorite

3. Missing anti-CSRF token (CSNC-2013-006 / CVE-2013-2628)
None of the actions performed within action.php requires a token to defeat
cross-site request forgery (CSRF). This means malicious actions can be
executed under the identity of a logged-in Leed admin if the victim clicks
on a malicious link or visits a website under the attacker's control.
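Added here to illustrate the fixes the three findings call for; this is example code, not Leed's own: a hardened action.php-style dispatcher (PHP 7+) that gates every action on the authenticated user, checks a per-session CSRF token, and binds the id parameter in a prepared statement. The $pdo handle, the $myUser object with isLoggedIn()/getId(), the 'folder' table and the 'token' parameter name are assumptions.

```php
<?php
// Added example (not Leed's code): hardened dispatcher for the three findings.
// Assumed: a PDO handle $pdo, a session-backed $myUser with isLoggedIn()/getId(),
// a 'folder' table with id/user_id columns, and a 'token' request parameter.
session_start();

function requireLogin($myUser): void {
    // CVE-2013-2629: every action checks the authenticated user, without exception.
    if ($myUser === null || !$myUser->isLoggedIn()) {
        http_response_code(403);
        exit('Authentication required');
    }
}
function csrfToken(): string {
    // CVE-2013-2628: one random per-session token, embedded in every form and link.
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}
function requireCsrfToken(): void {
    $sent = $_REQUEST['token'] ?? '';
    // hash_equals compares in constant time, so the token cannot be guessed byte by byte.
    if (!is_string($sent) || !hash_equals(csrfToken(), $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}
function removeFolder(PDO $pdo, int $userId, int $folderId): int {
    // CVE-2013-2627: the id is bound as a parameter and never concatenated into the SQL
    // text; the user_id condition also stops one user deleting another user's folder.
    $stmt = $pdo->prepare('DELETE FROM folder WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $folderId, ':uid' => $userId]);
    return $stmt->rowCount();
}

requireLogin($myUser);      // applies to importForm, importFeed, addFavorite, removeFavorite too
requireCsrfToken();
switch ($_GET['action'] ?? '') {
    case 'removeFolder':
        // Reject anything that is not a plain positive integer before it gets near the database.
        $id = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false || $id === null) {
            http_response_code(400);
            exit('Bad id');
        }
        removeFolder($pdo, $myUser->getId(), $id);
        break;
}
```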

Workaround / Fix:
-----------------
Upgrade to the latest available version of Leed.

Timeline:
---------
2013-12-18: Public disclosure date
2013-03-19: GIT commit of the fixes
2013-03-19: Initial vendor response
2013-03-19: Discovery by Alexandre Herzog & initial vendor notification

References:
-----------
[1] http://projet.idleman.fr/leed/

--
Alexandre Herzog, IT Security Analyst, Compass Security AG
Werkstrasse 20, 8645 Jona, Switzerland
Schauplatzgasse 39, 3011 Bern, Switzerland
Tel: +41 55 214 41 66
http://www.csnc.ch/
