
[webapps / 0day] - BugTracker.Net 3.4.4 Multiple Vulnerabilities

Posted on 01 December 2010

<!DOCTYPE html PUBLIC '-//W3C//DTD XHTML 1.0 Strict//EN' 'http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd'>
<html xmlns='http://www.w3.org/1999/xhtml'>
<head>
<meta http-equiv='Content-Type' content='text/html; charset=utf-8' />
<meta http-equiv='Content-Language' content='en' />
<title>BugTracker.Net 3.4.4 Multiple Vulnerabilities | Inj3ct0r - exploit database : vulnerability : 0day : shellcode</title>
<meta name='description' content='BugTracker.Net 3.4.4 Multiple Vulnerabilities by Core Security in webapps / 0day | Inj3ct0r 1337 - exploit database : vulnerability : 0day : shellcode' />
<link rel='shortcut icon' href='/favicon.ico' type='image/x-icon' />
<link rel='alternate' type='application/rss+xml' title='Inj3ct0r RSS' href='/rss' />
</head>
<body>
<pre>
=============================================
BugTracker.Net 3.4.4 Multiple Vulnerabilities
=============================================

1. *Advisory Information*

Title: Multiple vulnerabilities in BugTracker.Net
Advisory Id: CORE-2010-1109
Advisory URL: [http://www.coresecurity.com/content/multiple-vulnerabilities-in-bugtracker]
Date published: 2010-11-30
Date of last update: 2010-11-30
Vendors contacted: BugTracker.NET team
Release mode: Coordinated release

2. *Vulnerability Information*

Class: Cross site scripting [CWE-79], SQL injection [CWE-89]
Impact: Code execution
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2010-3266, CVE-2010-3267
Bugtraq ID: N/A

3. *Vulnerability Description*

BugTracker.NET [1][2] is an open-source web-based bug tracker written using ASP.NET, C#, and Microsoft SQL Server. Several cross-site scripting and SQL-injection vulnerabilities were found in the following files of BugTracker.NET:

. *bugs.aspx*. SQL injection in line 141.
. *delete_query.aspx*. No sanitization for 'row_id.Value' in line 30.
. *edit_bug.aspx*. Variables without sanitization in lines 1846 and 1857.
. *edit_bug.aspx*. No sanitization for variable 'new_project', line 2214.
. *edit_bug.aspx*. XSS in line 2918.
. *edit_comment.aspx*. XSS in line 233.
. *edit_customfield.aspx*. Lines 165 and 172, no sanitization.
. *edit_user_permissions2.aspx*. XSS in line 40.
. *massedit.aspx*. SQL Injection in line 162.

4. *Vulnerable packages*

. BugTracker.NET v3.4.4.
. Older versions are probably affected too, but they were not checked.

5. *Non-vulnerable packages*

. BugTracker.NET v3.4.5.

6. *Credits*

This vulnerability was discovered and researched by Damián Saura [http://corelabs.coresecurity.com/index.php?module=Wiki&amp;action=view&amp;type=researcher&amp;name=Damian_Saura] and Alejandro Frydman from Core Security Technologies.

7. *Technical Description / Proof of Concept Code*

7.1. *XSS Vulnerabilities*

[CVE-2010-3266 | N/A]. All XSS vulnerabilities can be exploited in similar ways. The following proof of concept shows how to exploit the XSS found in 'edit_comment.aspx':

/-----
...
230 &lt;div class=align&gt;
231 &lt;table border=0&gt;&lt;tr&gt;&lt;td&gt;
232
233 &lt;a href=edit_bug.aspx?id=&lt;% Response.Write(Request["bug_id"]);%&gt;&gt;back to &lt;% Response.Write(btnet.Util.get_setting("SingularBugLabel","bug")); %&gt;&lt;/a&gt;
234 &lt;form class=frm runat="server"&gt;
235
236 &lt;table border=0&gt;
...
-----/

First, log in to BugTracker and create a comment in a previously created bug. Then, edit it using this URL:

/-----
http://localhost:4535/edit_comment.aspx?id=48&amp;bug_id=3%3E%3Cscript%3Ealert%28%27%27%29;%3C/script%3E
-----/

As a result, the JavaScript code injected into the parameter 'bug_id' will be rendered without sanitization in line 233, and executed in the context of the client's web browser.

7.2. *SQL Injection Vulnerabilities*

[CVE-2010-3267 | N/A]. All SQL injection vulnerabilities can also be exploited in similar ways. Consider, for example, the code located in 'delete_query.aspx':

/-----
...
26 if (IsPostBack)
27 {
28 // do delete here
29 sql = @"delete queries where qu_id = $1";
30 sql = sql.Replace("$1", row_id.Value);
31 btnet.DbUtil.execute_nonquery(sql);
32 Server.Transfer ("queries.aspx");
33 }
...
-----/

In line 30, the value of 'row_id' is injected without sanitization into the SQL query. This value arrives at the server in a hidden field of a client request. As a result, a malicious user can manipulate this value in order to execute code in the database layer of the application.

8. *Report Timeline*

. 2010-11-29: Core Security Technologies notifies the BugTracker team of the vulnerability, setting the estimated publication date of the advisory to December 20th 2010.
. 2010-11-29: The BugTracker team asks Core for a technical description of the vulnerability.
. 2010-11-29: Technical details sent to BugTracker team.
. 2010-11-29: The BugTracker team acknowledges the report and notifies that they will fix all issues in 1 or 2 working days.
. 2010-11-30: The BugTracker team notifies that a patched version is publicly available at Sourceforge and Codeplex.
. 2010-11-30: The advisory CORE-2010-1109 is published.

9. *References*

[1] BugTracker.NET official website: [http://ifdefined.com/bugtrackernet.html].
[2] BugTracker.NET Source Forge project: [http://sourceforge.net/projects/btnet/].

# <a href='http://1337db.com/'>1337db.com</a> [2010-12-01]
</pre>
</body>
</html>
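Both bug classes in sections 7.1 and 7.2 come down to the same defect: a request value is spliced into output (the unquoted href attribute on line 233) or into SQL text (the `Replace` on line 30) instead of being encoded or bound. The following Python program is an added example, not code from the advisory or from BugTracker.NET; it mirrors the two vulnerable lines, places the hardened form beside each, and adds a small request-log check that flags the advisory's proof-of-concept URL. The `queries` table and its rows, and the names `make_queries_table`, `suspicious_params`, `render_back_link_unsafe`, `render_back_link_safe`, `delete_query_unsafe` and `delete_query_safe`, are constructed for this example; SQLite stands in for SQL Server, so the DELETE statement carries the explicit `FROM` that T-SQL lets the original omit.

```python
import html
import sqlite3
from urllib.parse import parse_qs, urlparse

# Proof-of-concept URL quoted in section 7.1 of the advisory.
POC_URL = ("http://localhost:4535/edit_comment.aspx?id=48"
           "&bug_id=3%3E%3Cscript%3Ealert%28%27%27%29;%3C/script%3E")


# ---- 7.1  Reflected XSS (edit_comment.aspx, line 233) --------------------

def render_back_link_unsafe(bug_id: str) -> str:
    """Python mirror of the vulnerable line: the raw request value is written
    into an unquoted href attribute, so a '>' in it closes the tag early."""
    return f"<a href=edit_bug.aspx?id={bug_id}>back to bug</a>"


def render_back_link_safe(bug_id: str) -> str:
    """Hardened form: quote the attribute and HTML-encode the value on output
    (html.escape does the job HttpUtility.HtmlEncode does in ASP.NET)."""
    return f'<a href="edit_bug.aspx?id={html.escape(bug_id, quote=True)}">back to bug</a>'


def suspicious_params(url: str, numeric_params=("id", "bug_id")) -> list:
    """Detection helper for web-server logs: parameters the application uses
    as record ids should decode to digits only. Returns the names of the
    listed parameters whose percent-decoded value contains anything else."""
    query = parse_qs(urlparse(url).query, keep_blank_values=True)
    return [name for name in numeric_params
            for value in query.get(name, []) if not value.isdigit()]


# ---- 7.2  SQL injection (delete_query.aspx, lines 29-31) -----------------

def make_queries_table() -> sqlite3.Connection:
    """Constructed stand-in for the 'queries' table, in an in-memory SQLite DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE queries (qu_id INTEGER PRIMARY KEY, qu_desc TEXT)")
    conn.executemany("INSERT INTO queries VALUES (?, ?)",
                     [(1, "open bugs"), (2, "my bugs"), (3, "closed bugs")])
    conn.commit()
    return conn


def delete_query_unsafe(conn: sqlite3.Connection, row_id: str) -> int:
    """Python mirror of lines 29-31: the hidden-field value replaces '$1' in
    the statement text, so the database parses it as SQL, not as a value.
    Returns the number of rows deleted."""
    sql = "DELETE FROM queries WHERE qu_id = $1".replace("$1", row_id)
    return conn.execute(sql).rowcount


def delete_query_safe(conn: sqlite3.Connection, row_id: str) -> int:
    """Hardened form: reject anything that is not an integer, then bind the
    value as a parameter ('?' here, a SqlParameter in ADO.NET).
    Returns the number of rows deleted."""
    if not row_id.isdigit():
        raise ValueError("row_id must be a positive integer")
    return conn.execute("DELETE FROM queries WHERE qu_id = ?", (int(row_id),)).rowcount


if __name__ == "__main__":
    payload = "3><script>alert('');</script>"   # decoded bug_id from POC_URL
    print(render_back_link_unsafe(payload))
    print(render_back_link_safe(payload))
    print("flagged parameters:", suspicious_params(POC_URL))

    conn = make_queries_table()
    # Constructed input: a value that is valid SQL but not a row id.
    print("unsafe delete with '1 OR 1=1' removed",
          delete_query_unsafe(conn, "1 OR 1=1"), "rows")
    conn = make_queries_table()
    try:
        delete_query_safe(conn, "1 OR 1=1")
    except ValueError as err:
        print("safe delete rejected it:", err)
    print("safe delete with '1' removed", delete_query_safe(conn, "1"), "rows")
```

The unsafe delete removes every row of the constructed table, while the safe version refuses the input before any SQL runs and, given a genuine id, touches exactly one row. The log check is deliberately narrow: it only asserts that id-like parameters are numeric, which is enough to surface the PoC URL without any signature for script tags.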
