|
Full Disclosure
mailing list archives
Happy Holidays / Xmas Advisory
From: joernchen <joernchen () phenoelit de>
Date: Tue, 24 Dec 2013 11:26:15 +0100
To whom it may concern:
A rather informal advisory on Fat Free CRM (http://fatfreecrm.com/):
Timeline:
Aug 27th 2013 Initial email containing the findings listed below
including a note that there more vulnerabilities
which just need to be verified. (Send to
mike () fatfreecrm com and security () fatfreecrm com)
Sep 16th 2013 No response so far (not even a bounce of the initial
mail), re-send email of Aug. 27th.
Dec 20th 2013 Still no response.
Dec 24th 2013 Public Disclosure.
Hint: Actually the codebase is full of Ruby on Rails worst practices.
You might want to use it as a sample "Hack Me" application.
---
1. Known Session Secret
In config/initialiers/secret_token.rb a static secret token is defined,
with the knowledge of this token an attacker is able to execute
arbitrary Ruby code server side.
2. Lack of CSRF Protection
In app/controllers/application_controller.rb the protect_from_forgery
statement is missing, therefore Fat Free CRM is vulnerable to CSRF
attacks.
3. Default to_json for models
The users controller renders JSON requests with a full JSON object:
For instance when being logged in to the demo app and requesting
http://demo.fatfreecrm.com/users/1.json, the response would be
{
"user": {
"admin": true,
"aim": "",
"alt_email": "",
"company": "example",
"created_at": "2012-02-12T02:00:00+02:00",
"current_login_at": "2013-08-26T22:12:05+03:00",
"current_login_ip": "61.143.60.146",
"deleted_at": null,
"email": "aaron () example com",
"first_name": "Aaron",
"google": "",
"id": 1,
"last_login_at": "2013-08-24T22:20:06+03:00",
"last_login_ip": "122.173.185.99",
"last_name": "Assembler",
"last_request_at": "2013-08-26T22:13:35+03:00",
"login_count": 481,
"mobile": "(800)555-1211",
"password_hash":
"56d91c9f1a9c549304768982fd4e2d8bc2700b403b4524c0f14136dbbe2ce4cd923156ad69f9acce8305dba4e63faa884e61fb7a256cf8f5fc7c2ce176e68e8f",
"password_salt":
"ce6e0200c96f4dd326b91f3967115a31421a0e7dcddc9ffb63a77f598a9fcb5326fe532dbd9836a2446e46840d398fa32c81f8f4da1a0fcfe931989e9639a013",
"perishable_token": "NE0n6wUCumVNdQ24ahRu",
"persistence_token":
"d7cdeffd3625f7cb265b21126b85da7c930d47c4a708365c20eb857560055a6b57c9775becb8a957dfdb46df8aee17eb120a011b380e9cc0882f9dfaa2b7ba26",
"phone": "(800)555-1210",
"single_access_token": "TarXlrOPfaokNOzls2U8",
"skype": "ranzitreddy",
"suspended_at": null,
"title": "VP of Sales",
"updated_at": "2013-08-26T22:13:35+03:00",
"username": "aaron",
"yahoo": ""
}
}
A custom to_json method which sanitizes the output should be created.
4. Multiple SQL Injections
In app/controllers/home_controller.rb:
def timeline
unless params[:type].empty?
model = params[:type].camelize.constantize
item = model.find(params[:id])
item.update_attribute(:state, params[:state])
else
comments, emails = params[:id].split("+")
Comment.update_all("state = '#{params[:state]}'", "id IN
(#{comments})") unless comments.blank?
Email.update_all("state = '#{params[:state]}'", "id IN
(#{emails})") unless emails.blank?
end
render :nothing => true
end
Here params[:state], comments and emails are attacker controlled values
which go directly into SQL statements. Therefore this piece of code
exposes a SQL Injection vulnerability.
---
Static URL of this text:
http://www.phenoelit.org/stuff/ffcrm.txt
Happy Holidays,
joernchen
--
joernchen ~ Phenoelit
<joernchen () phenoelit de> ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de ~ A46A 7199 8B7B 756A F5AC
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
 By Date 
By Thread
Current thread:
- Happy Holidays / Xmas Advisory joernchen (Dec 24)
|
