Leed (Light Feed) Multiple vulnerabilities (see above)

2013.12.22
Risk: High
Local: No
Remote: Yes
CWE: N/A

############################################################# # # COMPASS SECURITY ADVISORY # http://www.csnc.ch/en/downloads/advisories.html # ############################################################# # # Product: Leed (Light Feed) # Vendor: Valentin CARRUESCO aka Idleman # CSNC ID: CSNC-2013-005 (SQL Injection), CSNC-2013-006 (CSRF), CSNC-2013-007 (Authentication Bypass) # CVD ID: CVE-2013-2627 (SQL Injection), CVE-2013-2628 (CSRF), CVE-2013-2629 (Authentication Bypass) # Subject: Multiple vulnerabilities (see above) # Risk: High # Effect: Remotely exploitable # Author: Alexandre Herzog <alexandre.herzog@csnc.ch> # Date: 18.12.2013 # ############################################################# Introduction: ------------- Leed is a lightweight RSS/ATOM aggregator based on PHP. It can be hosted on any server supporting PHP and aims to be an alternative to Google Reader and its substitutes. [1] Technical Description --------------------- 1. SQL injection (CSNC-2013-005 / CVE-2013-2627) The SQL injection is within the ID parameter of leed/action.php?action=removeFolder&id=-1 as user input does not get properly escaped. Escaping is otherwise done consistently across the remaining of the audited code. Exploiting this issue is tricky due to the HTML encoding, but not impossible, e.g. If select @@version returns '5.0.84-log' on your database, CAST(@@version as signed) will return 5 Injection parameter (before encoding) would e.g. be IF(CAST(@@version as signed) in(5),BENCHMARK(2000000,SHA1(0)),-1) This blind SQL will last ~5 seconds on my installation as the condition is true. This way, you could extract information one by one from the mysql tables. 2. Authorization bypasses in action.php (CSNC-2013-007 / CVE-2013-2629) The following actions can be called anonymously, as the $myUser variable isn't verified: - importForm - importFeed - addFavorite - removeFavorite 3. Missing anti cross-site request forgery token (CSNC-2013-006 / CVE-2013-2628) None of the actions done within action.php requires a token to defeat CSRF. This means malicious action can be executed under the identity of a logged in Leed admin if the victim clicks on a malicious link or visits a website under the attacker's control. Workaround / Fix: ----------------- Upgrade to the latest available version of Leed. Timeline: --------- 2013-12-18: Public disclosure date 2013-03-19: GIT commit of the fixes 2013-03-19: Initial vendor response 2013-03-19: Discovery by Alexandre Herzog & initial vendor notification References: ----------- [1] http://projet.idleman.fr/leed/

References:

http://www.csnc.ch/misc/files/advisories/CSNC-2013-005-006-007_Leed_Multiple_vulns.txt
http://seclists.org/bugtraq/2013/Dec/107
http://osvdb.org/101154


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top