Serious holes affecting JFFNMS

Board: Bugtraq, posted 2007/06/12 00:09
As a result of a short security audit of JFFNMS, a number of security holes were found, even from the perspective of a non-authenticated user. The holes included authentication bypass via SQL injection, Javascript injection and a serious case of information disclosure. After liaising with the developers, the holes have been resolved. Attached are the advisory and patch relating to these flaws.

Tim

-- 
Tim Brown
<mailto:timb@nth-dimension.org.uk>
<http://www.nth-dimension.org.uk/>

Attachment: jffnms-0.8.3-security-v2.patch

diff -Nru -x'*.png' -x'*.ini' -x'*.*sql' -x'*.patch' jffnms-0.8.3/htdocs/admin/adm/test.php jffnms-0.8.4-pre2/htdocs/admin/adm/test.php
--- jffnms-0.8.3/htdocs/admin/adm/test.php	2006-09-16 20:31:13.000000000 -0300
+++ jffnms-0.8.4-pre2/htdocs/admin/adm/test.php	1969-12-31 21:00:00.000000000 -0300
@@ -1 +0,0 @@
-<? phpinfo(); ?>
\ No newline at end of file
diff -Nru -x'*.png' -x'*.ini' -x'*.*sql' -x'*.patch' jffnms-0.8.3/htdocs/auth.php jffnms-0.8.4-pre2/htdocs/auth.php
--- jffnms-0.8.3/htdocs/auth.php	2006-09-16 20:31:13.000000000 -0300
+++ jffnms-0.8.4-pre2/htdocs/auth.php	2002-08-13 23:14:54.228705056 -0300
@@ -46,11 +46,6 @@
 		session_start();
 	}
 
-	if (($jffnms_version=="0.0.0") && ($_SERVER["REMOTE_ADDR"]=="128.30.52.13")) { //W3C Validator
-		$_REQUEST["user"]="admin";
-		$_REQUEST["pass"]="admin";
-	}
-	
 	if (!isset($_SESSION["authentification"]))
 		$authentification = $jffnms->authenticate ($_REQUEST["user"],$_REQUEST["pass"],true,"from ".$_SERVER["REMOTE_ADDR"]);
 
diff -Nru -x'*.png' -x'*.ini' -x'*.*sql' -x'*.patch' jffnms-0.8.3/lib/api.classes.inc.php jffnms-0.8.4-pre2/lib/api.classes.inc.php
--- jffnms-0.8.3/lib/api.classes.inc.php	2006-09-16 20:31:14.000000000 -0300
+++ jffnms-0.8.4-pre2/lib/api.classes.inc.php	2002-08-13 23:14:55.656488000 -0300
@@ -677,7 +677,7 @@
 	$auth_type = 1;
 	$cant_auth = 0;
 
-	if (isset($user) && isset($pass)) {
+	if (preg_match("/^[\w\@\.]{0,20}$/", $user) && isset($pass)) {
 		$query_auth = "select id as auth_user_id, usern as auth_user_name, passwd, fullname as auth_user_fullname from auth where usern = '$user'";
 		$result_auth = db_query ($query_auth);
 		$cant_auth = db_num_rows($result_auth);
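Review bot: Deleting admin/adm/test.php closes the phpinfo() disclosure, but the advisory names admin/setup.php next to it as disclosing and even allowing modification of the application configuration, and no hunk in this patch touches setup.php; either remove or authentication-gate setup.php in the same patch, or say in the cover note that it is handled separately. The 1969-12-31 timestamp on the +++ line is only diff's marker for a file that no longer exists, so nothing to change there.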
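Review bot: Dropping the REMOTE_ADDR == 128.30.52.13 branch is the right fix for the hard-coded admin/admin credentials, but the surviving call `$jffnms->authenticate ($_REQUEST["user"],$_REQUEST["pass"],true,...)` still reads both request keys with no isset() check, so a request missing either parameter raises PHP notices and hands null to authenticate(); read the two values into locals behind an isset() guard before the call. The deleted block also carried the only explanation of the special case (//W3C Validator); if a validator login is still wanted, it belongs in configuration rather than a source-level override.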
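Review bot: The new preg_match("/^[\w\@\.]{0,20}$/", $user) guard filters the username, but usern = '$user' is still built by string interpolation, so the durable fix is to escape or bind $user at the db_query() layer and keep the regex only as defence in depth. Two pattern details to tighten: {0,20} accepts the empty string (and preg_match() on an unset $user sees "", where the old isset($user) check failed), so the query now runs with usern = '' for an absent parameter; and $ without the D modifier matches before a trailing newline. Suggest {1,20}$/D.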
@@ -693,18 +693,20 @@
 	} 
 
 	if (($auth==0) && ($cant_auth == 0)){ //not found in DB
-		if (isset($user) && isset($pass)) {
+
+		if (preg_match("/^[\w\@\.]{0,20}$/", $user) && isset($pass)) {
 			$query_auth = "select id as auth_user_id, username as auth_user_name, name as auth_user_fullname from clients where username= '$user' and password = '$pass'";
 			$result_auth = db_query ($query_auth);
 			$auth = db_num_rows( $result_auth);
 		}
+	
 		if ($auth==1) { 
 			$reg = db_fetch_array($result_auth);
 			$auth_type = 2;
 		}
 	}
 
-	if (($log_event==true) && (!empty($user)))
+	if (($log_event==true) && preg_match("/^[\w\@\.]{0,20}$/", $user))
 		insert_event(date("Y-m-d H:i:s",time()),get_config_option("jffnms_internal_type"),1,"Login",(($auth==1)?"successful":"failed"),$user,$log_event_info,"",0);
 
 	unset ($reg["passwd"]);

Attachment: NDSA20070524.txt.asc

Nth Dimension Security Advisory (NDSA20070524)

Date: 24th May 2007
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: JFFNMS 0.8.3 <http://www.jffnms.org/>
Vendor: JFFNMS <http://www.jffnms.org/>
Risk: High

Summary

This advisory comes in 2 related parts:

1) The JFFNMS application has high-risk issues with its authentication mechanism. These can lead to SQL injection allowing authentication bypass, and to Javascript injection. There is also a potential backdoor, although this is unlikely to be exploitable.

2) The JFFNMS application ships default PHP scripts which can lead to information disclosure to an unauthenticated user.
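Review bot: In the clients lookup only $user gets the whitelist; password = '$pass' is still interpolated with no check beyond isset($pass), so the password parameter remains an SQL injection vector into this query and needs the same escaping or binding. Separately, the audit-trail condition changes from !empty($user) to the same preg_match(), so a login attempt whose username fails the whitelist is no longer recorded at all, which removes from the audit trail exactly the malformed attempts a defender most wants to see; log a sanitised placeholder (or the rejection itself) instead of skipping insert_event().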
Technical Details

1) In cases where the web server hosting the PHP interpreter has been configured with magic_quotes_gpc disabled it is possible to inject both SQL and Javascript into the auth.php PHP script. This script makes use of two parameters, user and password, which are normally populated during the authentication process. By making a request for the following URL, for example:

http://192.168.1.1/auth.php?user='%20union%20select%202,'admin','$1$RxS1ROtX$IzA1S3fcCfyVfA9rwKBMi.','Administrator'/*&pass=

it is possible to bypass the authentication mechanism and authenticate as the admin user. These parameters are also used in generating an audit trail of access to the application and in generating the login form, which may allow modification of existing data held on the web server and Javascript injection which could allow intruders to execute malicious code on visitors' computers, for example:

http://192.168.1.1/auth.php?user='<html><body><script>alert('xss')</script></body></html>

This Javascript injection point results in the code being executed on multiple occasions, since the tick also causes an SQL error in the audit trail code which is returned to the visitor prior to the populated login form. Potential intruders could use this to execute malicious code on visitors' computers.

Finally, the auth.php PHP script also includes the following code:

if (($jffnms_version=="0.0.0") && ($_SERVER["REMOTE_ADDR"]=="128.30.52.13")) {

which could be considered a backdoor, although it does not appear to be exploitable in a typical installation.

2) The application also included 2 default PHP scripts which can disclose information to an unauthenticated user depending on the web server and application configuration:

http://192.168.1.1/admin/setup.php
http://192.168.1.1/admin/adm/test.php

The setup.php PHP script discloses and indeed allows modification of the application configuration, whilst the test.php PHP script calls the phpinfo() function and returns its results.
Both appeared to be accessible in the default installation.

Solutions

Following vendor notification on the 24th May 2007, the vendor promptly responded with an initial patch which fixed the most serious case of authentication bypass. After additional testing by Nth Dimension, further changes were recommended and the vendor responded with a second patch which has been attached along with this advisory. Nth Dimension would recommend applying this patch as soon as possible. Alternatively, nightly builds from 0.8.4-pre3 (available at http://www.jffnms.org/nightly/) onwards also include this patch.

Nth Dimension would like to thank Javier and Craig from JFFNMS for the way they worked to resolve the issue.
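To make the auth.php findings concrete, here is an added, runnable Python model (not JFFNMS code and not part of the advisory) of the pre-patch string-built user lookup next to a bound-parameter version, a port of the whitelist the vendor patch adds, and the HTML-escaping that closes the reflected login-form injection. The auth table row and its hash are constructed sample data, sqlite3 stands in for the application's db_query() layer, and the test payload is the user parameter quoted in the advisory.

```python
import html
import re
import sqlite3

# Constructed sample row standing in for JFFNMS's auth table (the hash is made up).
SAMPLE_USERS = [(1, "admin", "$1$constructed$notarealhash", "Administrator")]

# The user parameter from the advisory's bypass URL: the quote closes the literal,
# the union appends an attacker-chosen row, and /* swallows the closing quote.
BYPASS_USER = ("' union select 2,'admin','$1$RxS1ROtX$IzA1S3fcCfyVfA9rwKBMi.',"
               "'Administrator'/*")

# The whitelist the vendor patch adds, /^[\w\@\.]{0,20}$/, ported to Python's re.
USER_RE = re.compile(r"^[\w@.]{0,20}$")


def _db():
    """Fresh in-memory table per call; sqlite3 stands in for JFFNMS's db_query()."""
    con = sqlite3.connect(":memory:")
    con.execute("create table auth (id integer, usern text, passwd text, fullname text)")
    con.executemany("insert into auth values (?, ?, ?, ?)", SAMPLE_USERS)
    return con


def lookup_interpolated(user):
    """Pre-patch shape: $user spliced into the SQL text (magic_quotes_gpc off)."""
    query = "select id, usern, passwd, fullname from auth where usern = '%s'" % user
    return _db().execute(query).fetchall()


def lookup_parameterized(user):
    """Hardened shape: the value is bound by the driver and never parsed as SQL."""
    query = "select id, usern, passwd, fullname from auth where usern = ?"
    return _db().execute(query, (user,)).fetchall()


def username_allowed(user):
    """Port of the patch's preg_match() guard. PHP sees an unset $user as "", so
    None maps to "" here too; {0,20} therefore admits an empty name, and $ (like
    PCRE without /D) still matches before a single trailing newline."""
    return USER_RE.match(user or "") is not None


def render_login_form(user):
    """The login form echoes the submitted user; HTML-escaping is the XSS fix."""
    return '<input type="text" name="user" value="%s">' % html.escape(user, quote=True)
```

Running the bypass payload through both lookups shows the interpolated query returning the attacker-supplied row while the bound query returns nothing, and the whitelist port shows which inputs the patch's pattern still lets through.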
Article ID (AID): #16RNEj00 (Bugtraq)