[UNIX] Contrexx SQL Injection, Information Disclosure and Cross-Site Scripting

The following security advisory is sent to the securiteam mailing list, and can 
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Contrexx SQL Injection, Information Disclosure and Cross-Site Scripting
------------------------------------------------------------------------


SUMMARY

 <http://www.contrexx.com/> Contrexx is "a commercial content management 
system that has been released as an open source product lately. It 
features typical CMS features like content pages, polls, news, RSS feed 
aggregation and newsletters, split up in modules".

Multiple vulnerabilities discovered in Contrexx CMS, exploiting these 
allows malicious attacker to endanger the system's integrity, to retrieve 
sensitive credential information and to commit cross site scripting 
attacks.

DETAILS

Vulnerable Systems:
 * Contrexx version prior to 1.0.5

Immune Systems:
 * Contrexx version 1.0.5

The search and the blog aggregation module are vulnerable to Cross-Site 
Scripting, allowing malicious users to hijack user or admin sessions. 
Unfiltered user input in the poll module allows for MySQL version 
disclosure, and might facilitate further SQL injection attacks under MySQL 
5 with subselects. SQL Injection in the gallery module can be used to 
select arbitrary data, including a complete list of username/password hash 
combinations. A bundled XML file discloses the Contrexx version in use.

SQL injection in poll module:
The poll module in Contrexx is made up like any other web-based poll: 
users can vote for one of several choices by clicking a radio button and 
submitting the poll form. The value of the radio button is an integer 
value that is passed to the SQL abstraction layer without any checks or 
casts:
$query="SELECT voting_system_id from ".DBPREFIX."voting_results WHERE 
id=".$_POST["votingoption"]." ";
$db->query($query);

By saving, changing and submitting a modified poll form to the server, an 
attacker can get the MySQL server to disclose its version. On top of that, 
the results of aforementioned query are fed directly into an UPDATE 
statement that thus can be modified by changing the WHERE clause This can 
be used to spike polls and may be used for other injection with MySQL5's 
subselects. With magic_quotes_gpc=Off, more evil can be done.
This is facilitated by the ridiculous input filtering that basically 
checks for SELECT, UPDATE, AND and OR, but leaves /**/SELECT, UPDATE/**/, 
&&, || untouched.

SQL injection in gallery module:
The pId parameter in Contrexx's gallery module is passed to the database 
layer completely unfiltered:
if(isset($_GET['pId']) && !empty($_GET['pId'])){
  $this->showPicture($_GET['pId']);
}
and in method showPicture():
$objDb->query("SELECT id,name,path,linkname,link,size_show
                 FROM ".DBPREFIX."module_gallery_pictures
                 WHERE id=".$pictureId);

An attacker can append arbitrary SQL to the pId parameter, including UNION 
SELECT. However, since there is some - err - "filtering" going on, 
keywords like SELECT, UNION, AND or similar need to be pre- or postfixed 
with an empty SQL comment. Using this injection, it is very easy to obtain 
a full list of usernames and password hashes which can then be cracked 
with a premade MD5 rainbow table.

Cross Site Scripting in the search form:
Plain and simple XSS, exploitable via GET and POST on the front-end search 
form. See below for PoC, it's very straightforward. The input sanitation 
functions seem to differ between Contrexx versions - it was possible to 
inject script code without any additional characters on the Contrexx web 
site (http://www.contrexx.com/).
Contrexx' input filters filter out "<script>", but, for some unknown 
reason, do not touch "<scr\ipt>".

Cross Site Scripting in blog aggregation module:
Blog aggregation is used to create a "blog roll" for daily perusal by 
administrators or normal web site users. A malicious person could use 
their leet social engineering skills to persuade a Contrexx administrator 
that their blog is worth a daily read - prompting said admin to include 
this blog in their Contrexx blog aggregation. Then, the attacker could 
embed script code in one of their blog entries. Since no input filtering 
is done on incoming RSS aggregations, this script code is displayed in the 
front-end aggregation module and also in the admin backend (if the 
administrator clicks on "preview"). With the resulting XSS an attacker 
could steal the admin's cookies and hijack their session.

Version disclosure:
In a default installation of Contrexx, a file named "config/version.xml" 
is created upon installation. It contains the exact version information 
for the Contrexx installation.

Proof of Concept:
1) Modify one of the poll "votingoption" parameters to read like this: 
value="1 /*!50030%20s*/" and submit the form. Repeat until no SQL error is 
displayed - you have found the MySQL version running on the server. More 
SQL injection: value="123 UNION/**/ SELECT/**/ '1 OR 1=1'"
2) /index.php?section=gallery&cmd=showCat 
&cid=41&pId=1%20/**/UNION/**/%20/**/
SELECT/**/%201,1,CONCAT(username,'-',password),1,1,1%20/**/FROM%20 
contrexx_access_users
3) /index.php?section=search 
&term=%22%3E%3Cscr\ipt%3Ealert(%22xss%22)%3C/sc\ript%3E
4) Create a blog entry with the title <script>alert('xss')</script>. Have 
this blog aggregated by Contrexx. Stir. Enjoy.
5) See /config/version.xml in your Contrexx installation.

Disclosure Timeline:
 * 08.07.05 - Vendor informed
 * 10.07.05 - One more bug disclosed to vendor, including PoC
 * 19.07.05 - Vendor has released updated version
 * 22.07.05 - Public disclosure

Vendor Status:
Vendor has released updated version - 1.0.5, which is available from the 
vendor's homepage,  <www.contrexx.com> www.contrexx.com.


ADDITIONAL INFORMATION

The information has been provided by  
<mailto:christopher.kunz@xxxxxxxxxxxxxxxx> Christopher Kunz.
The original article can be found at:  
<http://www.hardened-php.net/advisory_112005.59.html> 
http://www.hardened-php.net/advisory_112005.59.html



======================================== 


This bulletin is sent to members of the SecuriTeam mailing list. 
To unsubscribe from the list, send mail with an empty subject line and body to: 
list-unsubscribe@xxxxxxxxxxxxxx 
In order to subscribe to the mailing list, simply forward this email to: 
list-subscribe@xxxxxxxxxxxxxx 


==================== 
==================== 

DISCLAIMER: 
The information in this bulletin is provided "AS IS" without warranty of any 
kind. 
In no event shall we be liable for any damages whatsoever including direct, 
indirect, incidental, consequential, loss of business profits or special 
damages.