BugTraq
Serious holes affecting JFFNMS Jun 10 2007 07:53PM
Tim Brown (timb nth-dimension org uk)
As a result of a short security audit of JFFNMS, a number of security holes
were found, even from the perspective of a non-authenticated user. The holes
included authentication bypass via SQL injection, Javascript injection and a
serious case of information disclosure. After liaising with the developers,
the holes have been resolved. Attached are the advisory and patch relating
to these flaws.

Tim
--
Tim Brown
<mailto:timb (at) nth-dimension.org (dot) uk [email concealed]>
<http://www.nth-dimension.org.uk/>
diff -Nru -x'*.png' -x'*.ini' -x'*.*sql' -x'*.patch' jffnms-0.8.3/htdocs/admin/adm/test.php jffnms-0.8.4-pre2/htdocs/admin/adm/test.php
--- jffnms-0.8.3/htdocs/admin/adm/test.php 2006-09-16 20:31:13.000000000 -0300
+++ jffnms-0.8.4-pre2/htdocs/admin/adm/test.php 1969-12-31 21:00:00.000000000 -0300
@@ -1 +0,0 @@
-<? phpinfo(); ?>
\ No newline at end of file
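Review bot: deleting admin/adm/test.php closes the phpinfo() disclosure, but admin/setup.php, which the advisory below says both discloses and allows modification of the application configuration by an unauthenticated user, is not touched anywhere in this patch; remove it as well, or put it behind the same session check as the rest of the admin tree. Note also that a patch only removes the file from fresh source trees: an upgrade of an existing install will keep the old `<? phpinfo(); ?>` stub unless the packaging or install notes delete it too.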
diff -Nru -x'*.png' -x'*.ini' -x'*.*sql' -x'*.patch' jffnms-0.8.3/htdocs/auth.php jffnms-0.8.4-pre2/htdocs/auth.php
--- jffnms-0.8.3/htdocs/auth.php 2006-09-16 20:31:13.000000000 -0300
+++ jffnms-0.8.4-pre2/htdocs/auth.php 2002-08-13 23:14:54.228705056 -0300
@@ -46,11 +46,6 @@
session_start();
}

- if (($jffnms_version=="0.0.0") && ($_SERVER["REMOTE_ADDR"]=="128.30.52.13")) { //W3C Validator
- $_REQUEST["user"]="admin";
- $_REQUEST["pass"]="admin";
- }
-
if (!isset($_SESSION["authentification"]))
$authentification = $jffnms->authenticate ($_REQUEST["user"],$_REQUEST["pass"],true,"from ".$_SERVER["REMOTE_ADDR"]);

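Review bot: dropping the hard-coded 0.0.0/128.30.52.13 credential shortcut is the right fix, but the surviving line still reads user and pass from $_REQUEST, so a plain GET of auth.php?user=...&pass=... (exactly the form the advisory URLs use) is accepted and the password ends up in web-server and proxy access logs; read both from $_POST and have the login form submit by POST. Test-harness behaviour of this kind should not ship in the code at all, rather than being gated on a version string and a source address.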
diff -Nru -x'*.png' -x'*.ini' -x'*.*sql' -x'*.patch' jffnms-0.8.3/lib/api.classes.inc.php jffnms-0.8.4-pre2/lib/api.classes.inc.php
--- jffnms-0.8.3/lib/api.classes.inc.php 2006-09-16 20:31:14.000000000 -0300
+++ jffnms-0.8.4-pre2/lib/api.classes.inc.php 2002-08-13 23:14:55.656488000 -0300
@@ -677,7 +677,7 @@
$auth_type = 1;
$cant_auth = 0;

- if (isset($user) && isset($pass)) {
+ if (preg_match("/^[\w\@\.]{0,20}$/", $user) && isset($pass)) {
$query_auth = "select id as auth_user_id, usern as auth_user_name, passwd, fullname as auth_user_fullname from auth where usern = '$user'";
$result_auth = db_query ($query_auth);
$cant_auth = db_num_rows($result_auth);
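Review bot: the new whitelist /^[\w\@\.]{0,20}$/ stops the quote-based injection in the advisory, but `$` in PCRE also matches just before a trailing newline, so "admin\n" passes and is interpolated as-is; anchor with \z (or add the D modifier) and require at least one character, since {0,20} also accepts an empty user name that the old isset() test at least required to be present. The value is still pasted into the query text on the following line (`where usern = '$user'`), so treat the regex as defence in depth and bind $user as a parameter or escape it with the database driver's quoting function.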
@@ -693,18 +693,20 @@
}

if (($auth==0) && ($cant_auth == 0)){ //not found in DB
- if (isset($user) && isset($pass)) {
+
+ if (preg_match("/^[\w\@\.]{0,20}$/", $user) && isset($pass)) {
$query_auth = "select id as auth_user_id, username as auth_user_name, name as auth_user_fullname from clients where username= '$user' and password = '$pass'";
$result_auth = db_query ($query_auth);
$auth = db_num_rows( $result_auth);
}
+
if ($auth==1) {
$reg = db_fetch_array($result_auth);
$auth_type = 2;
}
}

- if (($log_event==true) && (!empty($user)))
+ if (($log_event==true) && preg_match("/^[\w\@\.]{0,20}$/", $user))
insert_event(date("Y-m-d H:i:s",time()),get_config_option("jffnms_internal_type"),1,"Login",(($au
th==1)?"successful":"failed"),$user,$log_event_info,"",0);

unset ($reg["passwd"]);
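Review bot: $pass is still only checked with isset() and then interpolated unescaped into `password = '$pass'` in the clients query, so with magic_quotes_gpc off the SQL injection has only been moved from the user field to the password field of this second lookup. Apply the same treatment here: bind both values as parameters, or at minimum escape $pass with the driver's quoting function before the string is built. The regex added to the log_event condition has the same trailing-newline weakness as the others in this patch (`$` matches before a final "\n"; use \z).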
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nth Dimension Security Advisory (NDSA20070524)
Date: 24th May 2007
Author: Tim Brown <mailto:timb (at) nth-dimension.org (dot) uk [email concealed]>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: JFFNMS 0.8.3 <http://www.jffnms.org/>
Vendor: JFFNMS <http://www.jffnms.org/>
Risk: High

Summary

This advisory comes in 2 related parts:

1) JFFNMS application has high risk issues with its authentication
mechanism. These can lead to SQL injection allowing authentication
bypass and Javascript injection. There is also a potential backdoor
although this is unlikely to be exploitable.

2) JFFNMS application has default PHP scripts which can lead to
information disclosure as an unauthenticated user.

Technical Details

1) Where the web server hosting the PHP interpreter has been configured
with magic_quotes_gpc disabled it is possible to inject both SQL and
Javascript through the auth.php PHP script. This script makes use of two
request parameters, user and pass, which are normally populated by the
login form. By requesting the following URL, for example:

http://192.168.1.1/auth.php?user='%20union%20select%202,'admin','$1$RxS1ROtX$IzA1S3fcCfyVfA9rwKBMi.','Administrator'/*&pass=

it is possible to bypass the authentication mechanism and authenticate
as the admin user: the injected UNION returns a row whose password hash
is supplied by the attacker rather than read from the auth table.

These parameters are also written to the audit trail of access to the
application and echoed back into the login form. The first may allow
modification of existing data held on the web server; the second is a
Javascript injection point which could allow intruders to execute
malicious code on visitors' computers, for example:

http://192.168.1.1/auth.php?user='<html><body><script>alert('xss')</script></body></html>

This Javascript is executed more than once, since the leading tick also
causes an SQL error in the audit trail code, and the error message, which
contains the injected value, is returned to the visitor before the
populated login form.
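The two injection points above (the UNION in the user parameter and the
reflected value in the login form), reproduced as an added example in Python
rather than PHP; this is not code from JFFNMS or from the advisory. The
in-memory auth table, its column names and the placeholder hashes are
constructed to match the columns named in the vulnerable query, the regex
mirrors the whitelist in the vendor patch, and the hardened variants
(parameter binding, HTML entity encoding) are the reviewer's suggestion,
not the vendor's fix:

```python
import html
import re
import sqlite3

# Constructed stand-in for the JFFNMS "auth" table (id, usern, passwd, fullname).
# The stored hashes are placeholders, not real credentials.
SEED_ROWS = [
    (1, "admin", "$1$placeholder$notarealhash", "Administrator"),
    (2, "operator", "$1$placeholder$notarealhash2", "Operator"),
]

# The "user" parameter from the advisory's two example URLs, URL-decoded.
UNION_PAYLOAD = (
    "' union select 2,'admin','$1$RxS1ROtX$IzA1S3fcCfyVfA9rwKBMi.','Administrator'/*"
)
XSS_PAYLOAD = "'<html><body><script>alert('xss')</script></body></html>"


def make_db():
    """In-memory SQLite copy of the auth table.  SQLite, like MySQL, treats an
    unterminated /* as a comment running to the end of the statement."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table auth (id integer, usern text, passwd text, fullname text)")
    conn.executemany("insert into auth values (?, ?, ?, ?)", SEED_ROWS)
    return conn


def lookup_vulnerable(conn, user):
    """Pre-patch shape of the query: $user is pasted into the SQL text, so a
    quote closes the literal and the rest of the input becomes SQL.  With
    UNION_PAYLOAD the returned row, hash included, is attacker-chosen."""
    query = (
        "select id as auth_user_id, usern as auth_user_name, passwd, "
        "fullname as auth_user_fullname from auth where usern = '" + user + "'"
    )
    return conn.execute(query).fetchall()


def lookup_parameterised(conn, user):
    """Hardened form: the value is bound, never parsed as SQL, so the same
    payload simply matches no user name and returns nothing."""
    query = (
        "select id as auth_user_id, usern as auth_user_name, passwd, "
        "fullname as auth_user_fullname from auth where usern = ?"
    )
    return conn.execute(query, (user,)).fetchall()


# The vendor patch whitelists $user with PCRE /^[\w\@\.]{0,20}$/.  Python's
# "$" has the same quirk as PCRE's: it also matches just before a trailing
# newline, and {0,20} accepts the empty string.
VENDOR_RE = re.compile(r"^[\w@.]{0,20}$", re.ASCII)
# \Z in Python (\z in PCRE) anchors at the true end of input; {1,20} rejects "".
STRICT_RE = re.compile(r"\A[\w@.]{1,20}\Z", re.ASCII)


def vendor_whitelist_ok(user):
    return VENDOR_RE.match(user) is not None


def strict_whitelist_ok(user):
    return STRICT_RE.match(user) is not None


def login_form_vulnerable(user):
    """Reflects the submitted name into the form unescaped: the XSS sink."""
    return '<input type="text" name="user" value="' + user + '">'


def login_form_escaped(user):
    """Same form with HTML entity encoding (PHP: htmlspecialchars, ENT_QUOTES)."""
    return '<input type="text" name="user" value="' + html.escape(user, quote=True) + '">'


if __name__ == "__main__":
    db = make_db()
    print("vulnerable   :", lookup_vulnerable(db, UNION_PAYLOAD))
    print("parameterised:", lookup_parameterised(db, UNION_PAYLOAD))
    print("vendor regex accepts 'admin\\n':", vendor_whitelist_ok("admin\n"))
    print("strict regex accepts 'admin\\n':", strict_whitelist_ok("admin\n"))
    print(login_form_escaped(XSS_PAYLOAD))
```

Run stand-alone it prints the attacker-supplied row coming back from the
unpatched query, an empty result from the bound query for the same input, the
newline case that the vendor regex lets through, and the entity-encoded form
field. The whitelist does block the advisory's payload, which is why it was an
acceptable quick fix; parameter binding removes the class of bug rather than
one shape of input.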

Finally, the auth.php PHP script also includes the following code:

if (($jffnms_version=="0.0.0") && ($_SERVER["REMOTE_ADDR"]=="128.30.52.13")) {

which could be considered a backdoor, although it does not appear to be
exploitable in a typical installation.

2) The application also includes two default PHP scripts which can disclose
information to an unauthenticated user, depending on the web server and
application configuration:

http://192.168.1.1/admin/setup.php
http://192.168.1.1/admin/adm/test.php

The setup.php PHP script discloses and indeed allows modification of the
application configuration, whilst the test.php PHP script calls the
phpinfo() function and returns its results.

Both appeared to be accessible in the default installation.

Solutions

Following vendor notification on the 24th May 2007, the vendor promptly
responded with an initial patch which fixed the most serious case of
authentication bypass. After additional testing by Nth Dimension, further
changes were recommended and the vendor responded with a second patch which
has been attached along with this advisory. Nth Dimension would recommend
applying this patch as soon as possible. Alternatively, nightly builds from
0.8.4-pre3 (available at http://www.jffnms.org/nightly/) onwards also include
this patch. Nth Dimension would like to thank Javier and Craig from JFFNMS
for the way they worked to resolve the issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFGavxpVAlO5exu9x8RAvlVAJ4o4dTN0PRCqqCqP8VDiUKGcVJKIACgqg7X
EMEj0ge2pNyPZ1SCUpEHWP4=
=jMbG
-----END PGP SIGNATURE-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQBGbFbMVAlO5exu9x8RAhkFAKDGT6EfTa1MUfH/ZPCdOzU+3VW0MACeLuH1
ZyK8pi48bjkyntKp/qA8zDo=
=Ec+u
-----END PGP SIGNATURE-----
