exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Open-AudIT SQL Injection / Cross Site Scripting / Local File Inclusion

Open-AudIT SQL Injection / Cross Site Scripting / Local File Inclusion
Posted May 21, 2010
Authored by Sebastien Duquette

Open-AudIT suffers from lack of authentication, cross site scripting, local file inclusion and remote SQL injection vulnerabilities.

tags | exploit, remote, local, vulnerability, xss, sql injection, file inclusion
SHA-256 | ada5689bf8a196f63f76812397276af55dd7c49e5e7a79928d91220f8d891627

Open-AudIT SQL Injection / Cross Site Scripting / Local File Inclusion

Change Mirror Download


GVI-2010-02 : Multiple vulnerabilities in Open-AudIT
====================================================


1 Overview
----------

Excerpt from https://www.open-audit.org :
"Open-AudIT is an application to tell you exactly what is on your network, how
it is configured and when it changes. Open-AudIT will run on Windows and Linux
systems. Essentially, Open-AudIT is a database of information, that can be
queried via a web interface."

2 Description
-------------

Multiple security issues were discovered which can be categorized as :

- Lack of Authentication
- SQL Injection
- Cross-Site Scripting
- Local File Include

3 Details
---------

Product : Open-AudiT
Versions : 20081013, 20091223-RC
Vulnerability Type : authentication, SQLi, XSS, LFI
Discovered by : Sébastien Duquette (virtualguardian.ca)

Original Advisory :
https://www.gardienvirtuel.ca/wp-content/uploads/2010/05/GVI-2010-02-EN.txt

4 Timeline
----------

Patches were sent to the vendor. The vendor said that they are focussing on
version 2 of the product. Patches are not applied at disclosure date.

Vendor informed : December 12th, 2009
Vendor Response : December 13th, 2009
Update request : January 14th, 2010
Vendor response : January 14th, 2010
Update request : February 19th, 2010
Vendor response : February 21th, 2010
Patches sent : March 29th, 2010
Public Disclosure : May 20th, 2010

5 Analysis
----------

5.1 Lack of Authentication
--------------------------

When the "Use Passwords" option is activated, Open-AudIT requires a user and
password to be provided to access the web administrative interface. However,
several scripts will not properly verify authentication before accepting
requests.

This allows an attacker to add or remove information in the database concerning
the audited systems, obtain or modify system configurations like SMTP or LDAP
server addresses etc.

Also, the "backup" folder has user access rights by default, allowing anyone to
grab any backup contained in the folder.

Please note that this problem is not fixed by the patch provided with this
advisory. To perform the inventorying on machines, Open-AudIT uses vbscript on
Windows and bash scripts Linux and sends the data back via HTTP POST requests.
The scripts currently do not support HTTP authentication.

------------------------------
| Affected scripts |
|------------------------------|
| upgrade.php |
| admin_config_data.php |
| delete_system.php |
| admin_delete_all_systems.php |
| admin_nmap_input.php |
| admin_pc_add_2.php |
| delete_other.php |
| delete_missed_audit.php |
| ldap_audit_script.php |
| ldap_login.php |
| ldap_logout.php |
| list.php |
| list_export.php |
| system_post.php |
| system_export.php |
| php.php |
------------------------------


5.1.1 Proof of concept
----------------------

Obtain the address of the LDAP server
admin_config_data.php?sub=f1

Delete a system by it's ID
delete_system.php?pc=<ID>

5.2 SQL Injection
-----------------

Most SQL queries in the application do not sanitize the parameters. As an
example, here is an excerpt from the system_post.php file :

$sql = "UPDATE other SET other_network_name = '" .
$_REQUEST['other_network_name'] . "',";

Please refer to the provided patch for the complete list of affected queries.

5.2.1 Proof of concept
----------------------

This request will output the name of the mysql user and current database
admin_config_data.php?sub=f8&ldap_path_id=1%20UNION%20SELECT%20user%28%29,
%20database%28%29

This request will return a text file with the list of all audited systems
list_export.php?filename=export&sql=SELECT%2B%252A%2BFROM%2B%2560system

5.3 Cross-Site Scripting
------------------------

Some instances of Cross-Site scripting were found in Open-AudIT. Below is a
table summarizing the affected variables.

------------------------------
| Script | Variable |
------------------------------
| include_lang.php | language |
| list.php | view |
------------------------------

5.3.1 Proof of concept
----------------------

list.php?view=%3Cscript%3Ealert('XSS')%3B%3C%2Fscript%3E

5.4 Local File Include
----------------------

The include_lang.php script is vulnerable to local file include. Let's take a
look at the code :

<?php
if(!isset($language) or $language=="") $GLOBALS["language"]="en";
$language_file="./lang/".$GLOBALS["language"].".inc";
if(is_file($language_file)){
include($language_file);
}else{
....

If we can somehow manage to modify the language value, a local file include
would be possible by using a directory traversal. It so happens that the
setup.php script is not disabled or deleted once the installation is completed
and allows an unauthenticated user to modify the language value. See the proof
of concept below.

5.4.1 Proof of concept
----------------------

Create a file named /tmp/test containing some php code. Send a POST request to
setup.php with the following parameters :

- language = %2f..%2f..%2f..%2f..%2f..%2f..%2ftmp%2ftest
- step = 2

The script will then be included on pretty much every page.

Solution
--------

The flaws disclosed in this advisory are unpatched at the day of the release.
We provide a patch against the latest version of the software. Please note that
this patch was not extensively tested and does not fix all the issues. It is
provided solely as a reference.

Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    69 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close