Hardened PHP Project
www.hardened-php.net

-= Security Advisory =-

Advisory:      Multiple vulnerabilities in Contrexx
Release Date:  2005/07/21
Last Modified: 2005/07/18
Author:        Christopher Kunz
Application:   Contrexx < 1.0.5
Severity:      Cross-Site Scripting, SQL injection and information
               disclosure, password hash disclosure
Risk:          High
Vendor Status: Vendor has released an updated version
References:    http://www.hardened-php.net/advisory_112005.59.html
               (also includes a GnuPG signature for this advisory)

Overview:

Contrexx is a commercial content management system that has lately been
released as an open source product. It offers typical CMS features such as
content pages, polls, news, RSS feed aggregation and newsletters, split up
into modules.

The search and the blog aggregation modules are vulnerable to Cross-Site
Scripting, allowing malicious users to hijack user or admin sessions.
Unfiltered user input in the poll module allows for MySQL version
disclosure and might facilitate further SQL injection attacks under MySQL 5
with subselects. SQL injection in the gallery module can be used to select
arbitrary data, including a complete list of username/password hash
combinations. A bundled XML file discloses the Contrexx version in use.

Details:

1) SQL injection in poll module

The poll module in Contrexx is built like any other web-based poll: users
vote for one of several choices by clicking a radio button and submitting
the poll form. The value of the radio button is an integer that is passed
to the SQL abstraction layer without any checks or casts:

    $query="SELECT voting_system_id from ".DBPREFIX."voting_results WHERE id=".$_POST["votingoption"]." ";
    $db->query($query);

By saving, changing and submitting a modified poll form to the server, an
attacker can get the MySQL server to disclose its version. On top of that,
the result of the aforementioned query is fed directly into an UPDATE
statement, whose WHERE clause can thus be modified.
This can be used to spike polls and may be used for other injection with
MySQL 5's subselects. With magic_quotes_gpc=Off, more evil can be done.
This is facilitated by the ridiculous input filtering that basically checks
for SELECT, UPDATE, AND and OR, but leaves /**/SELECT, UPDATE/**/, && and
|| untouched.

2) SQL injection in gallery module

The pId parameter in Contrexx's gallery module is passed to the database
layer completely unfiltered:

    if(isset($_GET['pId']) && !empty($_GET['pId'])){
        $this->showPicture($_GET['pId']);
    }

and in method showPicture():

    $objDb->query("SELECT id,name,path,linkname,link,size_show FROM ".DBPREFIX."module_gallery_pictures WHERE id=".$pictureId);

An attacker can append arbitrary SQL to the pId parameter, including UNION
SELECT. However, since there is some - err - "filtering" going on, keywords
like SELECT, UNION, AND or similar need to be prefixed or postfixed with an
empty SQL comment. Using this injection, it is very easy to obtain a full
list of usernames and password hashes, which can then be cracked with a
premade MD5 rainbow table.

3) XSS in the search form

Plain and simple XSS, exploitable via GET and POST on the front-end search
form. See below for the PoC; it is very straightforward. The input
sanitisation functions seem to differ between Contrexx versions: it was
possible to inject script code without any additional characters on the
Contrexx web site (http://www.contrexx.com/). Contrexx' input filters
filter out ".

Have this blog aggregated by Contrexx. Stir. Enjoy.

5) See /config/version.xml in your Contrexx installation.

Disclosure Timeline:

08. July 2005 - Vendor informed.
10. July 2005 - One more bug disclosed to vendor, including PoC.
19. July 2005 - Vendor has released updated version.
22. July 2005 - Public disclosure.

Recommendation:

We strongly recommend installing the updated version, 1.0.5, which is
available from the vendor's homepage, www.contrexx.com.
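For readers maintaining their own Contrexx-derived or similar PHP code, the following is an added example of how issues 1, 2 and 3 above are closed at the code level. It is written for this page and is not code from Contrexx 1.0.5 or from the Hardened PHP Project. It assumes a mysqli connection in $db, the DBPREFIX constant and the table and column names quoted in the advisory; the function names (idOrNull, votingSystemIdForOption, galleryPicture, searchTermForHtml) are our own.

```php
<?php
// Added example, not code from Contrexx or the Hardened PHP Project:
// hardened counterparts of the three vulnerable spots quoted above.
// Assumed: a mysqli connection in $db, the DBPREFIX constant and the
// table/column names taken from the advisory. Function names are ours.

/**
 * Issues 1 and 2 both hand a request parameter to SQL as a bare integer.
 * The fix is a whitelist of the one valid shape (a positive decimal
 * number), not a keyword blacklist: the advisory shows that a blacklist
 * of SELECT/UPDATE/AND/OR is stepped around with comments and operator
 * synonyms, whereas a value that is not all digits is simply refused.
 */
function idOrNull($value)
{
    if (!is_string($value) && !is_int($value)) {
        return null;                 // arrays, null, objects: refuse
    }
    $s = (string) $value;
    if (!preg_match('/^[1-9][0-9]{0,9}$/', $s)) {
        return null;                 // anything but plain digits: refuse
    }
    return (int) $s;
}

/** Issue 1: resolve the poll option the user voted for. */
function votingSystemIdForOption(mysqli $db, $votingOption)
{
    $optionId = idOrNull($votingOption);
    if ($optionId === null) {
        return null;                 // reject the request outright
    }
    // The value is bound, so it never becomes part of the SQL text and
    // the MySQL parser only ever sees the statement skeleton.
    $stmt = $db->prepare(
        'SELECT voting_system_id FROM ' . DBPREFIX . 'voting_results WHERE id = ?'
    );
    $stmt->bind_param('i', $optionId);
    $stmt->execute();
    $stmt->bind_result($systemId);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? (int) $systemId : null;
}

/** Issue 2: fetch one gallery picture by its id. */
function galleryPicture(mysqli $db, $pId)
{
    $pictureId = idOrNull($pId);
    if ($pictureId === null) {
        return null;
    }
    $stmt = $db->prepare(
        'SELECT id,name,path,linkname,link,size_show FROM ' . DBPREFIX
        . 'module_gallery_pictures WHERE id = ?'
    );
    $stmt->bind_param('i', $pictureId);
    $stmt->execute();
    $stmt->bind_result($id, $name, $path, $linkname, $link, $sizeShow);
    $row = $stmt->fetch()
        ? compact('id', 'name', 'path', 'linkname', 'link', 'sizeShow')
        : null;
    $stmt->close();
    return $row;
}

/**
 * Issue 3: the search term is reflected into the page. Escaping at output
 * time with htmlspecialchars() is what stops script injection; stripping
 * characters from the input is the approach that differs between Contrexx
 * versions and, as the advisory notes, is not reliable.
 */
function searchTermForHtml($term)
{
    return htmlspecialchars((string) $term, ENT_QUOTES, 'UTF-8');
}

// Usage in the request handlers ($_POST / $_GET values are untrusted):
// $systemId = votingSystemIdForOption($db, $_POST['votingoption'] ?? '');
// if ($systemId === null) { http_response_code(400); exit; }
// $pic = galleryPicture($db, $_GET['pId'] ?? '');
// echo '<input name="term" value="' . searchTermForHtml($_POST['term'] ?? '') . '">';
```

The design choice worth noting is that validation rejects rather than repairs: an id that is not a plain positive number gets a 400 response instead of being "cleaned", so there is no filter to bypass, and the bound parameter means the database never parses user data as SQL even if the validation were to regress.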
Plug:

You can discuss this and other vulnerabilities in our forum at
http://forum.hardened-php.net/ - an up-to-date list of advisories can be
found at http://www.hardened-php.net/.

GPG-Key: http://www.hardened-php.net/hardened-php-signature-key.asc
pub  1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
     Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2005 Christopher Kunz / Hardened PHP Project. All rights reserved.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/