To whom it may concern: A rather informal advisory on Fat Free CRM (http://fatfreecrm.com/): Timeline: Aug 27th 2013 Initial email containing the findings listed below including a note that there more vulnerabilities which just need to be verified. (Send to mike@fatfreecrm.com and security@fatfreecrm.com) Sep 16th 2013 No response so far (not even a bounce of the initial mail), re-send email of Aug. 27th. Dec 20th 2013 Still no response. Dec 24th 2013 Public Disclosure. Hint: Actually the codebase is full of Ruby on Rails worst practices. You might want to use it as a sample "Hack Me" application. --- 1. Known Session Secret In config/initialiers/secret_token.rb a static secret token is defined, with the knowledge of this token an attacker is able to execute arbitrary Ruby code server side. 2. Lack of CSRF Protection In app/controllers/application_controller.rb the protect_from_forgery statement is missing, therefore Fat Free CRM is vulnerable to CSRF attacks. 3. Default to_json for models The users controller renders JSON requests with a full JSON object: For instance when being logged in to the demo app and requesting http://demo.fatfreecrm.com/users/1.json, the response would be { "user": { "admin": true, "aim": "", "alt_email": "", "company": "example", "created_at": "2012-02-12T02:00:00+02:00", "current_login_at": "2013-08-26T22:12:05+03:00", "current_login_ip": "61.143.60.146", "deleted_at": null, "email": "aaron@example.com", "first_name": "Aaron", "google": "", "id": 1, "last_login_at": "2013-08-24T22:20:06+03:00", "last_login_ip": "122.173.185.99", "last_name": "Assembler", "last_request_at": "2013-08-26T22:13:35+03:00", "login_count": 481, "mobile": "(800)555-1211", "password_hash": "56d91c9f1a9c549304768982fd4e2d8bc2700b403b4524c0f14136dbbe2ce4cd923156ad69f9acce8305dba4e63faa884e61fb7a256cf8f5fc7c2ce176e68e8f", "password_salt": "ce6e0200c96f4dd326b91f3967115a31421a0e7dcddc9ffb63a77f598a9fcb5326fe532dbd9836a2446e46840d398fa32c81f8f4da1a0fcfe931989e9639a013", "perishable_token": "NE0n6wUCumVNdQ24ahRu", "persistence_token": "d7cdeffd3625f7cb265b21126b85da7c930d47c4a708365c20eb857560055a6b57c9775becb8a957dfdb46df8aee17eb120a011b380e9cc0882f9dfaa2b7ba26", "phone": "(800)555-1210", "single_access_token": "TarXlrOPfaokNOzls2U8", "skype": "ranzitreddy", "suspended_at": null, "title": "VP of Sales", "updated_at": "2013-08-26T22:13:35+03:00", "username": "aaron", "yahoo": "" } } A custom to_json method which sanitizes the output should be created. 4. Multiple SQL Injections In app/controllers/home_controller.rb: def timeline unless params[:type].empty? model = params[:type].camelize.constantize item = model.find(params[:id]) item.update_attribute(:state, params[:state]) else comments, emails = params[:id].split("+") Comment.update_all("state = '#{params[:state]}'", "id IN (#{comments})") unless comments.blank? Email.update_all("state = '#{params[:state]}'", "id IN (#{emails})") unless emails.blank? end render :nothing => true end Here params[:state], comments and emails are attacker controlled values which go directly into SQL statements. Therefore this piece of code exposes a SQL Injection vulnerability. --- Static URL of this text: http://www.phenoelit.org/stuff/ffcrm.txt Happy Holidays, joernchen -- joernchen ~ Phenoelit <joernchen@phenoelit.de> ~ C776 3F67 7B95 03BF 5344 http://www.phenoelit.de ~ A46A 7199 8B7B 756A F5AC