Hi,
First of all, thank you for this software. It looks great and contains great functionality. However, there's a problem. It's so full of security vulnerabilities! And serious ones too. To everyone using this software, keep it really well segmented and off limits to non-essential staff. Do NOT expose an instance of this software to the Internet.
A simple web app scanner found SQL injections in the following:
/site/admin/customFieldsEditResult.php [Comment parameter]
/site/admin/customFieldsEditResult.php [fieldDefault parameter]
/site/admin/logDetail.php [id parameter]
/site/admin/manageSubnetEdit.php [sectionId parameter]
/site/tools/userMenuSelfMod.php [email parameter]
/site/tools/userMenuSelfMod.php [lang parameter]
/site/tools/userMenuSelfMod.php [real_name parameter]
/site/tools/userMenuSelfMod.php [userId parameter]
/site/admin/customFieldsEditResult.php [action parameter]
/site/admin/customFieldsEditResult.php [fieldType parameter]
/site/admin/customFieldsEditResult.php [name of an arbitrarily supplied body parameter]
/site/admin/customFieldsEditResult.php [oldname parameter]
/site/admin/customFieldsEditResult.php [table parameter]
/site/admin/filterIPFieldsResult.php [port parameter]
/site/admin/logResult.php [lastId parameter]
/site/admin/manageDevicesEditResult.php [action parameter]
/site/admin/manageDevicesEditResult.php [name of an arbitrarily supplied body parameter]
/site/admin/manageDevicesEditResult.php [type parameter]
/site/admin/manageSubnetEdit.php [subnetId parameter]
/site/admin/manageSubnetEditResult.php [action parameter]
/site/admin/manageSubnetEditResult.php [allowRequests parameter]
/site/admin/manageSubnetEditResult.php [location parameter]
/site/admin/manageSubnetEditResult.php [masterSubnetId parameter]
/site/admin/manageSubnetEditResult.php [name of an arbitrarily supplied body parameter]
/site/admin/manageSubnetEditResult.php [sectionId parameter]
/site/admin/manageSubnetEditResult.php [showName parameter]
/site/admin/manageSubnetEditResult.php [subnetId parameter]
/site/admin/manageSubnetEditResult.php [vlanId parameter]
/site/admin/manageSubnetEditResult.php [vrfId parameter]
/site/admin/manageSubnetEditResult.php [vrfIdOld parameter]
/site/admin/manageSubnetPermissionsSubmit.php [subnetId parameter]
/site/admin/manageSubnetShowPermissions.php [subnetId parameter]
/site/admin/manageVLANEdit.php [vlanId parameter]
/site/admin/manageVLANEditResult.php [action parameter]
/site/admin/manageVLANEditResult.php [name of an arbitrarily supplied body parameter]
/site/admin/searchReplaceResult.php [field parameter]
/site/admin/searchReplaceResult.php [replace parameter]
/site/admin/searchReplaceResult.php [search parameter]
/site/admin/settingsEdit.php [defaultLang parameter]
/site/admin/settingsEdit.php [dhcpCompress parameter]
/site/admin/settingsEdit.php [domainAuth parameter]
/site/admin/settingsEdit.php [enableChangelog parameter]
/site/admin/settingsEdit.php [name of an arbitrarily supplied body parameter]
/site/admin/settingsEdit.php [printLimit parameter]
/site/admin/settingsEdit.php [scanMaxThreads parameter]
/site/admin/settingsEdit.php [scanPingPath parameter]
/site/admin/settingsEdit.php [siteAdminMail parameter]
/site/admin/settingsEdit.php [siteAdminName parameter]
/site/admin/settingsEdit.php [siteDomain parameter]
/site/admin/settingsEdit.php [siteTitle parameter]
/site/admin/settingsEdit.php [siteURL parameter]
/site/admin/settingsEdit.php [subnetOrdering parameter]
/site/admin/settingsEdit.php [visualLimit parameter]
/site/admin/settingsEdit.php [vlanDuplicate parameter]
/site/tools/userMenuSelfMod.php [name of an arbitrarily supplied body parameter]
/site/admin/manageDevicesEditResult.php [User-Agent HTTP header]
/site/admin/widgetEdit.php [name of an arbitrarily supplied URL parameter]
I would suggest rewriting the entire SQL layer with something using parameterized queries, like an ORM.
There's a bunch of reflected cross-site scripting vulnerabilities:
/site/admin/customFieldsEdit.php [action parameter]
/site/admin/customFieldsEdit.php [table parameter]
/site/admin/customFieldsEditResult.php [action parameter]
/site/admin/customFieldsEditResult.php [fieldType parameter]
/site/admin/customFieldsEditResult.php [table parameter]
/site/admin/instructionsPreview.php [instructions parameter]
/site/admin/manageDevicesEdit.php [action parameter]
/site/admin/manageDevicesEditResult.php [action parameter]
/site/admin/manageSubnetEdit.php [action parameter]
/site/admin/manageSubnetEdit.php [sectionId parameter]
/site/admin/manageSubnetEdit.php [subnetId parameter]
/site/admin/manageSubnetShowPermissions.php [subnetId parameter]
/site/admin/manageVLANEdit.php [action parameter]
/site/admin/manageVLANEditResult.php [action parameter]
/site/admin/widgetEdit.php [action parameter]
There's also a stored XSS in the subnet description field as seen in:
/site/admin/manageSubnetEditResult.php [description parameter]
There are command injection vulnerabilities in the scan functions:
/site/ipaddr/scan/subnetScanDiscoveryPing.php [subnetId parameter]
For example, the following works to inject:
subnetId=6'; touch /tmp/pwnie;#
... There's some work to do. :)
Kind regards,
William
Anonymous
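The command injection above comes down to a request parameter reaching the shell unchanged. The following is an added example (not phpIPAM's code) of the two defensive layers that close that class of bug: reject anything that is not a positive integer before it gets near a command, and quote every argument with escapeshellarg() regardless. The function names and the script path are hypothetical; the command line is built and returned, not executed, so the example runs stand-alone.

```php
<?php
// Added example, not phpIPAM code. Hardens a subnetId parameter that is later
// passed to a scanner process. Function names and paths are hypothetical.

declare(strict_types=1);

/**
 * Return subnetId as a positive integer, or null for anything else.
 * Subnet identifiers are numeric database keys, so quotes, semicolons and
 * whitespace have no legitimate reason to reach the shell at all.
 */
function validateSubnetId($raw): ?int
{
    // FILTER_VALIDATE_INT rejects "6'; touch /tmp/pwnie;#", "6.0", "" and "abc".
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

/**
 * Build the scanner command line without executing it. The interpreter and
 * script path come from configuration, never from the request, and every
 * argument is quoted even after validation (defence in depth).
 */
function buildPingScanCommand(string $phpBinary, string $scriptPath, $rawSubnetId): string
{
    $subnetId = validateSubnetId($rawSubnetId);
    if ($subnetId === null) {
        throw new InvalidArgumentException('subnetId must be a positive integer');
    }
    return escapeshellcmd($phpBinary) . ' '
        . escapeshellarg($scriptPath) . ' '
        . escapeshellarg((string) $subnetId);
}

// Constructed inputs: a normal id, then the payload quoted in the report above.
$script = '/var/www/site/ipaddr/scan/ping.php'; // hypothetical path
$good = buildPingScanCommand('/usr/bin/php', $script, '6');
assert($good === "/usr/bin/php '/var/www/site/ipaddr/scan/ping.php' '6'");
echo "accepted: $good\n";

try {
    buildPingScanCommand('/usr/bin/php', $script, "6'; touch /tmp/pwnie;#");
    echo "FAIL: payload accepted\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

Validation alone would be enough for a numeric id; the escapeshellarg() call is there so that a future change to a string parameter (a hostname, a path) does not silently reopen the hole.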
Hi William, thanks for noticing and for your report. Will see what I can do. I would love to move to prepared MySQLi statements; I am evaluating this as an option, or at least to escape user input throughout the app.
A few notes:
Correct me if I am wrong, but users have to be actually logged in to the system for these exploits to work and have proper permissions; for example, users not having administrative privileges will not be able to access anything under /site/admin/*.
This tool was never meant to be available on the internet, as it is kind of an internal tool. This is also clearly stated in the INSTALL file from the beginning, but I guess nobody reads those:
Since this is a beta version, security aspects were not taken into consideration; therefore DO NOT put this page on the internet, it is suitable only for intranet.
Will see what I can do in terms of securing this.
brm
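Both the suggestion to move the SQL layer to parameterized queries and the reply's plan to use prepared statements or escape input come down to one change: request data must be bound as a value, never spliced into the query text. The following is an added example (not phpIPAM's code) showing the interpolation pattern behind the findings beside a prepared-statement version, plus output escaping for the reflected and stored XSS. It uses PDO with an in-memory SQLite database (the pdo_sqlite extension is assumed) so it runs stand-alone; with MySQL only the DSN changes, and the mysqli equivalent is `$db->prepare('... WHERE id = ?')` followed by `bind_param('i', $id)`. Table name, column names and function names are constructed for the example.

```php
<?php
// Added example, not phpIPAM code. Vulnerable string interpolation next to
// a prepared statement, plus HTML output escaping. Schema and data are
// constructed for the demonstration.

declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE subnets (id INTEGER PRIMARY KEY, description TEXT)');
$db->exec("INSERT INTO subnets VALUES (6, 'lab network'), (7, 'secret')");

// BEFORE: the request value becomes part of the SQL text, so the database
// parses whatever the client sent as SQL.
function subnetDescriptionUnsafe(PDO $db, string $subnetId): array
{
    return $db->query("SELECT description FROM subnets WHERE id = $subnetId")
              ->fetchAll(PDO::FETCH_COLUMN);
}

// AFTER: the query text is fixed at prepare time and the value is bound
// separately; the database never interprets it as SQL.
function subnetDescriptionSafe(PDO $db, string $subnetId): array
{
    $stmt = $db->prepare('SELECT description FROM subnets WHERE id = ?');
    $stmt->execute([$subnetId]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Stored/reflected XSS: escape for the HTML context at output time, every time,
// rather than trying to strip "bad" characters on input.
function renderDescription(string $description): string
{
    return '<td>' . htmlspecialchars($description, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed inputs: a normal id and a tautology that matches every row.
$normal = '6';
$tautology = '6 OR 1=1';

assert(subnetDescriptionUnsafe($db, $normal) === ['lab network']);
assert(subnetDescriptionUnsafe($db, $tautology) === ['lab network', 'secret']); // second row leaks
assert(subnetDescriptionSafe($db, $normal) === ['lab network']);
assert(subnetDescriptionSafe($db, $tautology) === []); // bound as a plain value, matches nothing

assert(renderDescription('<script>alert(1)</script>')
    === '<td>&lt;script&gt;alert(1)&lt;/script&gt;</td>');
echo "ok\n";
```

Escaping input (mysqli_real_escape_string and the like) only protects quoted string literals; it does nothing for a numeric comparison like `WHERE id = $subnetId`, which is why binding parameters is the fix to aim for rather than escaping throughout the app.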
Hi, I implemented the following fixes in the latest dev release:
would you mind running tests again to see if I missed something?
brm
And the following:
Also all GET parameters are sanitized by default.
Last edit: Miha Petkovsek 2014-11-18
So I tested the latest development release with the Nessus 6 webapp scanner and automatic login to the Admin user enabled. Attached are the results.
brm
Thank you for caring about security, it makes me want to use this even more now.
Just found it today and am going to suggest using within the business.
Great work, and much appreciated.
Mark