[CVE-2013-2627, CVE-2013-2628, CVE-2013-2629] Leed (Light Feed)

Board: Bugtraq, posted 12 years ago (2013/12/22 10:32)
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product:  Leed (Light Feed)
# Vendor:   Valentin CARRUESCO aka Idleman
# CSNC ID:  CSNC-2013-005 (SQL Injection), CSNC-2013-006 (CSRF), CSNC-2013-007 (Authentication Bypass)
# CVE ID:   CVE-2013-2627 (SQL Injection), CVE-2013-2628 (CSRF), CVE-2013-2629 (Authentication Bypass)
# Subject:  Multiple vulnerabilities (see above)
# Risk:     High
# Effect:   Remotely exploitable
# Author:   Alexandre Herzog <alexandre.herzog@csnc.ch>
# Date:     18.12.2013
#
#############################################################

Introduction:
-------------

Leed is a lightweight RSS/ATOM aggregator based on PHP. It can be hosted
on any server supporting PHP and aims to be an alternative to Google
Reader and its substitutes. [1]

Technical Description
---------------------

1. SQL injection (CSNC-2013-005 / CVE-2013-2627)

The SQL injection is within the ID parameter of
leed/action.php?action=removeFolder&id=-1, as user input does not get
properly escaped. Escaping is otherwise done consistently across the
remainder of the audited code. Exploiting this issue is tricky due to
the HTML encoding, but not impossible, e.g.:

If SELECT @@version returns '5.0.84-log' on your database,
CAST(@@version AS SIGNED) will return 5.

The injection parameter (before encoding) would e.g. be:

IF(CAST(@@version as signed) in(5),BENCHMARK(2000000,SHA1(0)),-1)

This blind SQL query takes ~5 seconds on my installation as the condition
is true. This way, you could extract information one by one from the
MySQL tables.

2. Authorization bypasses in action.php (CSNC-2013-007 / CVE-2013-2629)

The following actions can be called anonymously, as the $myUser variable
isn't verified:

- importForm
- importFeed
- addFavorite
- removeFavorite

3. Missing anti cross-site request forgery token (CSNC-2013-006 / CVE-2013-2628)

None of the actions performed within action.php requires a token to
defeat CSRF. This means a malicious action can be executed under the
identity of a logged-in Leed admin if the victim clicks on a malicious
link or visits a website under the attacker's control.

Workaround / Fix:
-----------------

Upgrade to the latest available version of Leed.

Timeline:
---------

2013-12-18: Public disclosure date
2013-03-19: GIT commit of the fixes
2013-03-19: Initial vendor response
2013-03-19: Discovery by Alexandre Herzog & initial vendor notification

References:
-----------

[1] http://projet.idleman.fr/leed/

--
Alexandre Herzog, IT Security Analyst, Compass Security AG
Werkstrasse 20, 8645 Jona, Switzerland
Schauplatzgasse 39, 3011 Bern, Switzerland
Tel: +41 55 214 41 66
http://www.csnc.ch/
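A hardened action.php dispatcher that closes the three issue classes in the advisory above (a bound integer parameter for the folder id, a login check that runs before any action is dispatched, and a per-session CSRF token). This is an added illustration, not Leed's own code or fix; it assumes an included bootstrap that sets a PDO handle $pdo and $myUser (null when anonymous), a hypothetical getId() method, a `folder` table with `id` and `owner` columns, and moves state-changing actions from GET to POST.

```php
<?php
// Added example, not Leed's code. Assumes an included bootstrap provides a
// PDO handle $pdo and $myUser (null when anonymous), and a `folder` table
// with integer columns `id` and `owner`; all of these are hypothetical.
session_start();

function csrf_token(): string {
    // Issued once per session; embed it in every state-changing form.
    $_SESSION['csrf'] ??= bin2hex(random_bytes(32));
    return $_SESSION['csrf'];
}

function csrf_valid($token): bool {
    // hash_equals compares in constant time; a missing token always fails.
    return is_string($token) && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $token);
}

function remove_folder(PDO $pdo, int $folderId, int $ownerId): int {
    // CVE-2013-2627 fix: the id is a bound parameter, never concatenated
    // into the SQL string. Returns the number of rows deleted.
    $stmt = $pdo->prepare('DELETE FROM folder WHERE id = :id AND owner = :owner');
    $stmt->execute([':id' => $folderId, ':owner' => $ownerId]);
    return $stmt->rowCount();
}

// CVE-2013-2629 fix: the login check precedes the dispatch, so no action
// (importForm, importFeed, addFavorite, removeFavorite, ...) can skip it.
if ($myUser === null) {
    http_response_code(403);
    exit('login required');
}
// CVE-2013-2628 fix: state changes only via POST with a valid session token.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !csrf_valid($_POST['token'] ?? null)) {
    http_response_code(403);
    exit('missing or invalid CSRF token');
}

switch ($_POST['action'] ?? '') {
    case 'removeFolder':
        // FILTER_VALIDATE_INT rejects anything but a plain integer, so the
        // IF(...BENCHMARK...) payload from the advisory never reaches SQL.
        $id = filter_var($_POST['id'] ?? '', FILTER_VALIDATE_INT);
        if ($id === false) {
            http_response_code(400);
            exit('bad id');
        }
        remove_folder($pdo, $id, (int) $myUser->getId());
        break;
    default:
        http_response_code(400);
}
```

The owner condition in remove_folder() also stops a logged-in user from deleting another user's folder by guessing ids, a check the prepared statement alone does not give you.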
Article code (AID): #1IjayhYA (Bugtraq)