CORELAN-10-008 - Multiple vulnerabilities found in evalsmsi 2.1.03




|------------------------------------------------------------------|
|                         __               __                      |
|   _________  ________  / /___ _____     / /____  ____ _____ ___  |
|  / ___/ __ \/ ___/ _ \/ / __ `/ __ \   / __/ _ \/ __ `/ __ `__ \ |
| / /__/ /_/ / /  /  __/ / /_/ / / / /  / /_/  __/ /_/ / / / / / / |
| \___/\____/_/   \___/_/\__,_/_/ /_/   \__/\___/\__,_/_/ /_/ /_/  |
|                                                                  |
| http://www.corelan.be:8800                                       |
| security@corelan.be                                              |
|                                                                  |
|-------------------------------------------------[ EIP Hunters ]--|
|                                                                  |
|                 Vulnerability Disclosure Report                  |
|                                                                  |
|------------------------------------------------------------------|

Advisory        : CORELAN-10-008
Disclosure date : February 4th, 2010


0x00 : Vulnerability information
--------------------------------

[*] Product : evalsmsi
[*] Version : 2.1.03
[*] URL : http://sourceforge.net/projects/evalsmsi/ 
[*] Platform : PHP/MySQL
[*] Type of vulnerability : Plaintext Password Storage, Authentication Bypass,
                            SQL Injection, Persistent Cross-Site Scripting
[*] Risk rating : High
[*] Issue fixed in version : 2.2.00
[*] Vulnerability discovered by : ekse
[*] Corelan Team is : corelanc0d3r, EdiStrosar, rick2600, mr_me, ekse, MarkoT,
                      sinn3r, Jacky & jnz


0x01 : Vendor description of software
-------------------------------------
From the vendor website:
"evalSMSI is a web application, developed in PHP / MySQL, to evaluate the
Information Security Management System for some entities."


0x02 : Vulnerability details
----------------------------
evalsmsi 2.1.03 contains multiple vulnerabilities.


1 - Insecure storage of passwords
Passwords are stored in plaintext in the database, so anyone who can read the
table below (including through the SQL injection described in point 3) obtains
directly reusable credentials.
table : authentification
column: password
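The following is an added example, not evalSMSI code, of how the authentification table could be moved from plaintext to bcrypt hashes with PHP's password_hash()/password_verify() (PHP 7 or later is assumed for the typed signatures). It assumes $pdo is a PDO connection to the evalSMSI database, that login is unique, and that the password column has been widened to VARCHAR(255) so a 60-character bcrypt string is not truncated. Because existing rows hold plaintext, check_login() upgrades such a row to a hash on the first successful login instead of requiring a password reset. The advisory notes that version 2.2.00 did not ship a change of this kind.

```php
<?php
// Added example, not evalSMSI code: bcrypt storage for authentification.password
// with transparent migration of the legacy plaintext rows.
// Assumptions: $pdo is a PDO handle to the evalSMSI database, login is unique,
// and the password column is at least VARCHAR(255).

const BCRYPT_COST = 12;

function create_user(PDO $pdo, string $login, string $password): void
{
    // password_hash() generates a random salt and embeds it in the result,
    // so two users with the same password get different stored values.
    $hash = password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    $stmt = $pdo->prepare(
        'INSERT INTO authentification (login, password) VALUES (?, ?)'
    );
    $stmt->execute([$login, $hash]);
}

function store_hash(PDO $pdo, string $login, string $password): void
{
    $stmt = $pdo->prepare(
        'UPDATE authentification SET password = ? WHERE login = ?'
    );
    $stmt->execute([
        password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]),
        $login,
    ]);
}

function check_login(PDO $pdo, string $login, string $password): bool
{
    $stmt = $pdo->prepare(
        'SELECT password FROM authentification WHERE login = ?'
    );
    $stmt->execute([$login]);
    $stored = $stmt->fetchColumn();

    if ($stored === false) {
        // Unknown login: spend one bcrypt computation anyway, like the
        // known-user path, so response time does not reveal valid logins.
        password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
        return false;
    }

    // Legacy row: PHP's bcrypt output always starts with "$2y$"; anything
    // else is taken to be the old plaintext value. Compare in constant time
    // and, on success, replace it with a hash immediately.
    if (strncmp($stored, '$2y$', 4) !== 0) {
        if (!hash_equals($stored, $password)) {
            return false;
        }
        store_hash($pdo, $login, $password);
        return true;
    }

    if (!password_verify($password, $stored)) {
        return false;
    }
    // Re-hash transparently if BCRYPT_COST has been raised since the row was written.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        store_hash($pdo, $login, $password);
    }
    return true;
}
```

Once every row has been upgraded, the strncmp() branch can be removed; until then the plaintext values remain in the table and the migration only narrows the window rather than closing it.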


2 - Authentication Bypass
A valid username and password are required to use the application, but
ajax.php performs no authentication check, so its requests can be issued by
an unauthenticated client. The data it returns on its own is of little
interest; the missing check matters because it makes the SQL injection below
reachable without any credentials.


3 - SQL Injection
SQL injection is possible through the script ajax.php: the query parameter is
copied from $_GET into the SQL string without validation or escaping.

The vulnerable code is the following (ajax.php, line 5):

$id = $_GET['query'];      // untrusted, used as-is in every query below
$action = $_GET['action'];

$base = evalsmsiConnect();
switch ($action) {
    case 'sub_par':
        $request = "SELECT MAX(numero) FROM sub_paragraphe WHERE id_paragraphe=\"$id\"";
        break;
    case 'question':
        $request = "SELECT * FROM sub_paragraphe WHERE id_paragraphe=\"$id\"";
        break;
    case 'num_quest':
        $request = "SELECT MAX(numero) FROM question WHERE id_sub_paragraphe=\"$id\"";
        break;
    default:
        break;
}

As a proof of concept, the username and password (in plaintext) of the first
row of the authentification table can be read with the following requests.
Both use the 'question' branch: the leading 1" closes the quoted literal, the
first UNION appends five columns (the number sub_paragraphe must have for the
UNION to succeed) with login or password in the second position, and the
trailing " pairs with the closing quote of the original statement so that the
query stays syntactically valid.

first user name
http://server/evalsmsi/ajax.php?action=question&query=1%22%20UNION%20SELECT%20NULL%20,%20login,%20NULL,%20NULL,%20NULL%20FROM%20authentification%20UNION%20SELECT%20NULL%20,%20NULL,%20NULL,%20NULL,%20%22

first user password
http://server/evalsmsi/ajax.php?action=question&query=1%22%20UNION%20SELECT%20NULL%20,%20password,%20NULL,%20NULL,%20NULL%20FROM%20authentification%20UNION%20SELECT%20NULL%20,%20NULL,%20NULL,%20NULL,%20%22

Decoded, the first request makes ajax.php execute:

SELECT * FROM sub_paragraphe WHERE id_paragraphe="1" UNION SELECT NULL , login, NULL, NULL, NULL FROM authentification UNION SELECT NULL , NULL, NULL, NULL, ""
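As an added example, not evalSMSI's own code or the vendor's 2.2.00 fix, the following is a hardened replacement for the ajax.php dispatcher quoted above that closes both finding 2 (no authentication on ajax.php) and finding 3 (SQL injection through $_GET['query']). It assumes the application's login sets $_SESSION['login'] (the session key name is an assumption), that the connection returned by evalsmsiConnect() is replaced by the PDO handle built here, and that the host, database name and credentials are placeholders to be substituted.

```php
<?php
// Added example, not evalSMSI code: hardened ajax.php.
// Assumptions: $_SESSION['login'] is set by the application's login page,
// the DSN and credentials below are placeholders, and the three table/column
// names are those from the vulnerable code quoted in the advisory.

session_start();

// Finding 2: enforce the same login as the rest of the application.
if (empty($_SESSION['login'])) {
    http_response_code(403);
    exit('authentication required');
}

// Finding 3, part 1: the id is a numeric key, so reject anything that is
// not a positive integer before it gets anywhere near the database.
// filter_input() returns null when the parameter is absent and false when
// it fails validation; the advisory's payload (1" UNION ...) fails here.
$id = filter_input(INPUT_GET, 'query', FILTER_VALIDATE_INT,
                   ['options' => ['min_range' => 1]]);
if ($id === false || $id === null) {
    http_response_code(400);
    exit('invalid query parameter');
}

// Finding 3, part 2: the action selects one of a fixed set of statements,
// each with a placeholder; no request data is ever concatenated into SQL.
$statements = [
    'sub_par'   => 'SELECT MAX(numero) FROM sub_paragraphe WHERE id_paragraphe = ?',
    'question'  => 'SELECT * FROM sub_paragraphe WHERE id_paragraphe = ?',
    'num_quest' => 'SELECT MAX(numero) FROM question WHERE id_sub_paragraphe = ?',
];
$action = isset($_GET['action']) ? $_GET['action'] : '';
if (!isset($statements[$action])) {
    http_response_code(400);
    exit('unknown action');
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=evalsmsi;charset=utf8', // placeholder DSN
    'evalsmsi_user',                                      // placeholder user
    'change-me',                                          // placeholder password
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements rather than client-side
        // quoting, so the parameter is sent separately from the SQL text.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$stmt = $pdo->prepare($statements[$action]);
$stmt->bindValue(1, $id, PDO::PARAM_INT);   // bound as an integer, never interpolated
$stmt->execute();

// Return rows as JSON; any page that renders them is responsible for
// HTML-encoding the values before inserting them into the document.
header('Content-Type: application/json');
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

The integer validation and the bound parameter are independent defences: the first rejects the published proof of concept with a 400 before a connection is even opened, the second guarantees that even a value which passes validation cannot alter the statement.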


4 - Persistent Cross-Site Scripting

JavaScript can be injected through the comment box of reports and is stored,
so it runs for every user who later views the report. On its own this would be
less critical because a valid account is needed to reach the reports; combined
with the preceding vulnerabilities, however, valid credentials can be obtained
without one.

As a proof of concept, the following string can be inserted in the comment box :





0x03 : Vendor communication
---------------------------
[*] January 14th, 2010 - First contact
[*] January 15th, 2010 - Vendor acknowledges the problems
[*] January 20th, 2010 - Update request
[*] February 1st, 2010 - Vendor update
[*] February 4th, 2010 - Version 2.2.00 released

Please note that passwords are still stored in plaintext in the database with
this release; the fixes for the SQL injection and the authentication bypass
nevertheless greatly lower the risk, since the plaintext values are no longer
reachable through the injection described above.

We wish to thank Michel Dubois for his cooperation in fixing the bugs we
reported in a timely manner.



