[BMSA-2009-03] Multiple vulnerabilities in OpenSite v2.1 25/02/2009 23:40:51 (+0700) | #1 | 170897
bmrobot
Member

Joined: 21/08/2008 17:43:51
Messages: 11
Offline
BLUE MOON SECURITY ADVISORY 2009-03
===================================


:Title: Multiple vulnerabilities in OpenSite v2.1
:Severity: Critical
:Reporter: Blue Moon Consulting
:Products: OpenSite v2.1
:Fixed in: to be fixed in 3.0


Description
-----------

OpenSite is an Open Source Content Management System powered by PHP5 and MySQL 4 and is extremely simple and lightweight.

We have discovered six vulnerabilities in OpenSite, from authentication bruteforce to SQL injection. Except for the first vulnerability, rated at critical severity, the rest are of low severity.

1. Weakened authentication.

The function ``init`` in ``origin/libs/user.php`` checks for a matching ``origin_hash`` cookie. However, this cookie can be bruteforced in at most 2^32 tries for a known username. In reality, the number of attempts could be greatly reduced knowing that we do not have to check for time in the future, and long past.

2. Special characters such as quotes, double quotes, backslashes in password prevent users from logging in.

In ``modules/userregister/index.php``, the argument passed to ``$user->register`` contains an escaped ``$_POST['password']``. In ``origin/libs/user.php``, this password is hashed with ``sha1``. However, the function ``login`` does not escape the POST data before hashing it, causing inconsistency.

3. Double escapes in user registration.

In ``origin/libs/user.php``, the register function escapes all key=>value pairs before inserting them into the database. However, ``username``, ``password``, and ``email`` have been escaped before being passed to this function. Therefore they are escaped twice.

4. SQL injection in admincp/includes/functions.php.

SQL injection in function ``haspermission``. The parameters ``$module`` and ``$section`` are not escaped. This function is called in ``admincp/usergroups.php``.

5. SQL injection in ``admincp/settings.php``.

SQL injection in processing ``$_POST['do'] == "save"``. The POST data ``settings`` are not properly escaped before saving.

6. SQL injection in ``admincp/usergroups.php``.

SQL injection in the all-permissions select command ``"SELECT id,module,section,groups FROM permissions WHERE module='".$module."' AND section='".$section."' LIMIT 1"``. The POST data ``permissions`` are not properly escaped before use.

Workaround
----------

There is no workaround.

Fix
---

These bugs are planned to be fixed in OpenSite v3.0.

Disclosure
----------

Blue Moon Consulting adapts `RFPolicy v2.0 <http://www.wiretrip.net/rfp/policy.html>`_ in notifying vendors.

:Initial vendor contact:

February 24, 2009: Initial contact sent to Jack Polgar.

:Vendor response:

February 24, 2009: Jack replied asking for technical details.

:Further communication:

February 24, 2009: Technical details were sent to Jack, and confirmation was requested.

February 24, 2009: Jack confirmed all problems and stated "most or all of them will be fixed in the next release".

February 24, 2009: Prepared advisory is sent to Jack to co-ordinate the public release.

:Public disclosure: February 25, 2009

:Exploit code: No exploit code is provided.

Disclaimer
----------

The information provided in this advisory is provided "as is" without warranty of any kind. Blue Moon Consulting Co., Ltd disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. Your use of the information on the advisory or materials linked from the advisory is at your own risk. Blue Moon Consulting Co., Ltd reserves the right to change or update this notice at any time.
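The following is an added illustration, not code from the advisory or from OpenSite: a Python model (OpenSite itself is PHP) of the escape-before-hash inconsistency and double escaping described in items 2 and 3, and of the concatenated ``haspermission`` query from items 4 and 6 beside a parameterised version. The ``addslashes`` helper, the table layout and the sample row are constructed for the demo and assumed, not taken from OpenSite.

```python
import hashlib
import sqlite3

def addslashes(s: str) -> str:
    """Model of PHP addslashes(): backslash-escape backslashes and quotes."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')

def register_v21(username: str, password: str) -> dict:
    """Registration as the advisory describes it: the module escapes the POST
    fields, then register() escapes every value again (item 3) and hashes the
    already-escaped password (item 2)."""
    pre = {"username": addslashes(username), "password": addslashes(password)}
    row = {k: addslashes(v) for k, v in pre.items()}  # second escape
    row["password"] = hashlib.sha1(pre["password"].encode()).hexdigest()
    return row

def login_v21(password: str, stored_hash: str) -> bool:
    """Login as described: the raw POST password is hashed, so a password
    containing a quote or backslash never matches its own registration."""
    return hashlib.sha1(password.encode()).hexdigest() == stored_hash

def register_fixed(username: str, password: str) -> dict:
    """Hash the raw password once; escaping is the query layer's job only."""
    return {"username": username,
            "password": hashlib.sha1(password.encode()).hexdigest()}

def has_permission(conn, module: str, section: str, safe: bool) -> list:
    """haspermission() modelled two ways: string concatenation as in the
    advisory's SELECT (items 4 and 6) versus bound parameters."""
    if safe:
        cur = conn.execute('SELECT id,module,section,"groups" FROM permissions '
                           "WHERE module=? AND section=? LIMIT 1",
                           (module, section))
    else:  # any quote in $module/$section lands in the SQL text unescaped
        cur = conn.execute('SELECT id,module,section,"groups" FROM permissions '
                           "WHERE module='" + module + "' AND section='"
                           + section + "' LIMIT 1")
    return cur.fetchall()

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory permissions table (assumed, not OpenSite's schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute('CREATE TABLE permissions(id INTEGER, module TEXT, '
                 'section TEXT, "groups" TEXT)')
    conn.execute("INSERT INTO permissions VALUES (1,'users','edit','admin')")
    return conn
```

With the 2.1 flow a user who registers with the password ``it's`` can never log in, while a section name containing an apostrophe makes the concatenated query fail outright and the parameterised one simply return no row.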
Re: [BMSA-2009-03] Multiple vulnerabilities in OpenSite v2.1 26/02/2009 00:39:47 (+0700) | #2 | 170929
vnexpl0it
Member

Joined: 16/02/2009 17:51:52
Messages: 5
Offline
Nice. Is this software used much? I'm trying out the first bug.

And bmrobot, give us a few sites to try it on
Re: [BMSA-2009-03] Multiple vulnerabilities in OpenSite v2.1 07/03/2009 04:46:54 (+0700) | #3 | 172163
dangminh4
Member

Joined: 04/02/2007 21:44:21
Messages: 107
Offline
Sorry, my skills are poor so I don't fully understand, but could you explain a bit more in detail?
For example: 1. Weakened authentication.

The function ``init`` in ``origin/libs/user.php`` checks for a matching ``origin_hash`` cookie. However, this cookie can be bruteforced in at most 2^32 tries for a known username. In reality, the number of attempts could be greatly reduced knowing that we do not have to check for time in the future, and long past.

So if it is not brute-forced, what does it do next? Does it just drop our connection, or let us through without asking anything?


And could you give me a site to test on, or a Google dork? OK
Re: [BMSA-2009-03] Multiple vulnerabilities in OpenSite v2.1 07/03/2009 06:05:31 (+0700) | #4 | 172182
gamma95
Researcher

Joined: 20/05/2003 07:15:41
Messages: 1377
Location: aaa">
Offline
You guys are asking a robot, how is it supposed to answer


Tireless wings
lol
Re: [BMSA-2009-03] Multiple vulnerabilities in OpenSite v2.1 07/03/2009 06:22:54 (+0700) | #5 | 172188
dangminh4
Member

Joined: 04/02/2007 21:44:21
Messages: 107
Offline
So this is a leech robot, then? gamma95 must have just found a new one and is keeping it to himself, which is why he's over there laughing and rolling around.