From: JUSTINSAMUEL
Date: 30.08.2006
Subject: Vulnerability: ModernBill Insecure CURL Settings

Vulnerability: ModernBill Insecure CURL Settings

#################################################################

Vulnerability discovered by: Justin Samuel (www.justinsamuel.com)
Discovery Date: 2006-07-11
Severity: Less Critical
Impact: Exposure of sensitive information

Product: ModernBill
Affected Versions: 5.0.1
Vendor: ModernGigabyte, LLC (www.moderngigabyte.com)
Product Link: http://www.modernbill.com/

#################################################################

Update 2006-08-19:
Not fixed as of 5.0.4, despite vendor knowledge of the issue since 2006-07-12.

#################################################################

Vulnerability Description:

ModernBill’s CURL (a.k.a. cURL, curl) communication with credit card processing gateways ignores any invalid SSL certificate presented by the host it is communicating with.

Specifically, the following have been set to FALSE for CURL communication:

CURLOPT_SSL_VERIFYPEER
CURLOPT_SSL_VERIFYHOST

The CURLOPT_SSL_VERIFYPEER setting of FALSE stops CURL from verifying the peer’s certificate.

The CURLOPT_SSL_VERIFYHOST setting of FALSE stops CURL from checking the existence of a common name in the peer’s SSL certificate.

#################################################################

Vulnerability Verification:

To check the CURL settings in use by ModernBill:

1) Install ModernBill.

2) Set up a payment processor.

3) In the file lib-modernbill/include/config/debug.php, change
define("DEBUG", 0);
to
define("DEBUG", 1);

4) Attempt to process a credit card through ModernBill’s Virtual Terminal and look for the following in the debug output of the page:

[constantsSetting] => Array
(
[CURLOPT_RETURNTRANSFER] => 1
[CURLOPT_SSL_VERIFYHOST] => 0
[CURLOPT_SSL_VERIFYPEER] => 0
[CURLOPT_TIMEOUT] => 3000
[CURLOPT_CONNECTTIMEOUT] => 50
[CURLOPT_VERBOSE] => 0
[CURLOPT_NOPROGRESS] => 1
[CURLOPT_FAILONERROR] => 0
)
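
The check in step 4 can be automated. The following is an added example, not part of the original advisory or of ModernBill's code: a Python function that scans a debug dump or PHP source for CURLOPT_SSL_VERIFYPEER and CURLOPT_SSL_VERIFYHOST values that turn certificate checking off. The function name, the regular expressions and the two curl_setopt() source lines in the sample are assumptions made for the illustration.

```python
import re

# Values that keep certificate checks on. 2 is the VERIFYHOST value that makes
# libcurl match the certificate name against the hostname; flagging every
# other value is this example's conservative choice.
SECURE = {"CURLOPT_SSL_VERIFYPEER": {"1", "true"},
          "CURLOPT_SSL_VERIFYHOST": {"2"}}

# print_r() dump line:  [CURLOPT_SSL_VERIFYPEER] => 0
DUMP_RE = re.compile(r"\[(CURLOPT_\w+)\]\s*=>\s*(\S*)")
# PHP source line:      curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
SRC_RE = re.compile(r"curl_setopt\s*\([^,]+,\s*(CURLOPT_\w+)\s*,\s*([^)\s]+)\s*\)")

def audit_curl_options(text):
    """Return (line_no, option, value) for each TLS check found switched off."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        for m in list(DUMP_RE.finditer(line)) + list(SRC_RE.finditer(line)):
            opt, val = m.group(1), m.group(2).strip("'\"").lower()
            if opt in SECURE and val not in SECURE[opt]:
                findings.append((no, opt, val))
    return findings

# Constructed sample: part of the debug dump from the advisory plus two
# hypothetical source lines, one insecure and one correct.
SAMPLE = """\
[constantsSetting] => Array
(
[CURLOPT_RETURNTRANSFER] => 1
[CURLOPT_SSL_VERIFYHOST] => 0
[CURLOPT_SSL_VERIFYPEER] => 0
[CURLOPT_TIMEOUT] => 3000
)
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 2);
"""

if __name__ == "__main__":
    for no, opt, val in audit_curl_options(SAMPLE):
        print(f"line {no}: {opt} = {val} (certificate check disabled)")
```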

#################################################################

Exploit:

To exploit this vulnerability, an attacker would need to perform a Man-In-The-Middle (MITM) attack so as to receive the communication from ModernBill that was intended for the credit card processing gateway. This would include any variety of DNS attacks that would cause ModernBill to resolve the gateway’s hostname to the IP address of the attacker.

A successful attack would lead to the attacker having access to all credit card information that ModernBill attempts to process through the credit card processing gateway.

#################################################################

Solution:

Discontinue using ModernBill until they stop disabling fundamental security that is part of the SSL protocol.

#################################################################
