CXSecurity WLB-2015040034 6kbbs v8.0 Multiple CSRF (Cross-Site Request Forgery) Web Security Vulnerabilities
Exploit Title: 6kbbs Multiple CSRF (Cross-Site Request Forgery) Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1 v8.0
Tested Version: v7.1 v8.0
Advisory Publication: April 02, 2015
Latest Update: April 02, 2015
Vulnerability Type: Cross-Site Request Forgery (CSRF) [CWE-352]
CVE Reference: *
CXSecurity Reference: WLB-2015040034
Impact CVSS Severity (version 2.0):
CVSS v2 Base Score: 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P) (legend)
Impact Subscore: 6.4
Exploitability Subscore: 8.6
CVSS Version 2 Metrics:
Access Vector: Network exploitable; Victim must voluntarily interact with attack mechanism
Access Complexity: Medium
Authentication: Not required to exploit
Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service
Writer and Reporter: Jing
Wang, Division of Mathematical Sciences (MAS), School of Physical and
Mathematical Sciences (SPMS), Nanyang Technological University (NTU),
Singapore. (@justqdjing)
Suggestion Details:
(1) Vendor & Product Description:
Vendor:
6kbbs
Product & Vulnerable Versions:
6kbbs
v7.1
v8.0
Vendor URL & download:
6kbbs can be gain from here,
http://www.6kbbs.com/download.html
http://en.sourceforge.jp/projects/sfnet_buzhang/downloads/6kbbs.zip/
Product Introduction Overview:
"6kbbs
V8.0 is a PHP + MySQL built using high-performance forum, has the code
simple, easy to use, powerful, fast and so on. It is an excellent
community forum program. The program is simple but not simple; fast,
small; Interface generous and good scalability; functional and practical
pursuing superior performance, good interface, the user's preferred
utility functions."
"1,
using XHTML + CSS architecture, so that the structure of the page,
saving transmission static page code, but also easy to modify the
interface, more in line with WEB standards; 2, the Forum adopted
Cookies, Session, Application and other technical data cache on the
forum, reducing access to the database to improve the performance of the
Forum. Can carry more users simultaneously access; 3, the data points
table function, reduce the burden on the amount of data when accessing
the database; 4, support for multi-skin style switching function; 5, the
use of RSS technology to support subscriptions forum posts, recent
posts, user's posts; 6, the display frame mode + tablet mode, the user
can choose according to their own preferences to; 7. forum page
optimization keyword search, so the forum more easily indexed by search
engines; 8, extension, for our friends to provide a forum for a broad
expansion of space services; 9, webmasters can add different top and
bottom of the ad, depending on the layout; 10, post using HTML + UBB way
the two editors, mutual conversion, compatible with each other; ..."
(2) Vulnerability Details:
6kbbs
web application has a computer cyber security bug problem. It can be
exploited by CSRF (Cross-Site Request Forgery) attacks. This may allow
an attacker to trick the victim into clicking on the image to take
advantage of the trust relationship between the authenticated victim and
the application. Such an attack could trick the victim into creating
files that may then be called via a separate CSRF attack or possibly
other means, and executed in the context of their session with the
application, without further prompting or verification.
Several
6kbbs products 0-day vulnerabilities have been found by some other bug
hunter researchers before. 6kbbs has patched some of them. Open Sourced
Vulnerability Database (OSVDB) is an independent and open-sourced
database. The goal of the project is to provide accurate, detailed,
current, and unbiased technical information on security vulnerabilities.
The project promotes greater, open collaboration between companies and
individuals. It has published suggestions, advisories, solutions details
related to csrf vulnerabilities.
(2.1) The
first code programming flaw occurs at "/portalchannel_ajax.php?" page
with "&id" and &code" parameters in HTTP $POST.
(2.2) The second code programming flaw occurs at "/admin.php?" page with "&fileids" parameter in HTTP $POST.
Related Articles:
http://cxsecurity.com/issue/WLB-2015040034
http://lists.openwall.net/full-disclosure/2015/04/05/7
http://www.intelligentexploit.com/view-details.html?id=21071
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1819
https://www.mail-archive.com/fulldisclosure@seclists.org/msg01902.html
http://seclists.org/fulldisclosure/2015/Apr/13
http://www.tetraph.com/security/csrf-vulnerability/6kbbs-v8-0-csrf
http://essayjeans.blog.163.com/blog/static/237173074201551435316925/
https://itinfotechnology.wordpress.com/2015/04/14/6kbbs-crsf/
http://frenchairing.blogspot.fr/2015/06/6kbbs-crsf.html
http://tetraph.blog.163.com/blog/static/234603051201551444917365/
http://diebiyi.com/articles/security/6kbbs-v8-0-csrf
http://securityrelated.blogspot.com/2015/04/6kbbs-v80-multiple-csrf-cross-site.html
https://hackertopic.wordpress.com/2015/04/02/6kbbs-v8-0-multiple-csrf
http://www.inzeed.com/kaleidoscope/computer-web-security/6kbbs-v8-0-csrf
6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities
Exploit Title: 6kbbs Weak Encryption Web Security Vulnerabilities
Vendor: 6kbbs
Product: 6kbbs
Vulnerable Versions: v7.1 v8.0
Tested Version: v7.1 v8.0
Advisory Publication: June 08, 2015
Latest Update: June 10, 2015
Vulnerability Type: Inadequate Encryption Strength [CWE-326]
CVE Reference: *
CVSS Severity (version 2.0):
Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)
Recommendation Details:
(1) Vendor & Product Description:
Vendor:
6kbbs
Product & Vulnerable Versions:
6kbbs
v7.1
v8.0
Vendor URL & download:
6kbbs can be gain from here,
http://www.6kbbs.com/download.html
Product Introduction Overview:
"6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability; functional and practical pursuing superior performance, good interface, the user's preferred utility functions. Forum Technical realization (a) interface : using XHTML + CSS structure, so the structure of the page , easy to modify the interface ; save the transmission static page code , greatly reducing the amount of data transmitted over the network ; improve the interface scalability , more in line with WEB standards, support Internet Explorer, FireFox, Opera and other major browsers. (b) Program : The ASP + ACCESS mature technology , the installation process is extremely simple , the environment is also very common."
"(1) PHP version : (a) 6kbbs V8.0 start using PHP + MySQL architecture. (b) Currently ( July 2010 ) is still in the testing phase , 6kbbs V8.0 is the latest official release. (2) ASP Version: 6kbbs (6k Forum) is an excellent community forum process . The program is simple but not simple ; fast , small ; interface generous and good scalability ; functional and practical . pursue superiority , good interface , practical functions of choice for subscribers."
(2) Vulnerability Details:
6kbbs web application has a computer security problem. It can be exploited by weak encryption attacks. The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.
Several 6kbbs products 0-day web cyber bugs have been found by some other bug hunter researchers before. 6kbbs has patched some of them. "The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers' right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!" A great many of the web securities have been published here.
Source Code:
<?php
if(empty($row)){
$extrow=$db->row_select_one("users","username='{$username}'");
if(!empty($extrow) && !empty($extrow['salt'])){
if(md5(md5($userpass).$extrow['salt'])==$extrow['userpass']){
$row=$extrow;
$new_row["userpass"]=$userpass_encrypt;
$new_row["salt"]="";
$db->row_update("users",$new_row,"id={$extrow['id']}");
}
}
}
?>
Source Code From:
http://code.google.com/p/6kbbs/source/browse/trunk/convert/discuz72/loginext.php?r=16
We can see that "userpass" stored in cookie was encrypted using "$userpass" user password directly. And there is no "HttpOnly" attribute at all. Since md5 is used for the encryption, it is easy for hackers to break the encrypted message.
"The MD5 message-digest cryptography algorithm is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32 digit hexadecimal number. Papers about it have been published on Eurocrypt, Asiacrypt and Crypto. Meanwhile, researchers focusing on it spread in Computer Science, Computer Engineering, IEEE and Mathematics. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4. The source code in RFC 1321 contains a "by attribution" RSA license." (Wikipedia)
References:
http://seclists.org/fulldisclosure/2015/Jun/34
http://lists.openwall.net/full-disclosure/2015/06/11/6
http://static-173-79-223-25.washdc.fios.verizon.net/?l=full-disclosure
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg02160.html
https://packetstormsecurity.com/files/132270/6kbbs-7.1-8.0-Weak-Cryptography.html
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/2092
http://tetraph.blog.163.com/blog/static/234603051201551415853846/#
http://essaybeans.blogspot.com/2015/06/6kbbs-v80-weak-encryption-cryptography.html
https://mathfas.wordpress.com/2015/06/14/6kbbs-weak-encryption/
http://tetraph.com/security/weak-encryption/6kbbs-v8-0-weak-encryption/
http://securityrelated.blogspot.com/2015/06/6kbbs-v80-weak-encryption-cryptography.html
https://vulnerabilitypost.wordpress.com/2015/06/11/6kbbs-v8-0-weak-encryption/
http://www.inzeed.com/kaleidoscope/computer-security/6kbbs-v8-0-weak-encryption/
