Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:30207
HistoryJan 09, 2014 - 12:00 a.m.

[CVE-2013-2627, CVE-2013-2628, CVE-2013-2629] Leed (Light Feed) - Multiple vulnerabilities

2014-01-0900:00:00
vulners.com
43
JSON

#############################################################

COMPASS SECURITY ADVISORY

http://www.csnc.ch/en/downloads/advisories.html

#############################################################

Product: Leed (Light Feed)

Vendor: Valentin CARRUESCO aka Idleman

CSNC ID: CSNC-2013-005 (SQL Injection), CSNC-2013-006 (CSRF), CSNC-2013-007 (Authentication Bypass)

CVD ID: CVE-2013-2627 (SQL Injection), CVE-2013-2628 (CSRF), CVE-2013-2629 (Authentication Bypass)

Subject: Multiple vulnerabilities (see above)

Risk: High

Effect: Remotely exploitable

Author: Alexandre Herzog <[email protected]>

Date: 18.12.2013

#############################################################

Introduction:

Leed is a lightweight RSS/ATOM aggregator based on PHP. It can be hosted
on any server supporting PHP and aims to be an alternative to Google
Reader and its substitutes. [1]

Technical Description

  1. SQL injection (CSNC-2013-005 / CVE-2013-2627)
    The SQL injection is within the ID parameter of
    leed/action.php?action=removeFolder&id=-1 as user input does not get
    properly escaped. Escaping is otherwise done consistently across the
    remaining of the audited code. Exploiting this issue is tricky due to
    the HTML encoding, but not impossible, e.g.
    If select @@version returns '5.0.84-log' on your database,
    CAST(@@version as signed) will return 5
    Injection parameter (before encoding) would e.g. be
    IF(CAST(@@version as signed) in(5),BENCHMARK(2000000,SHA1(0)),-1)
    This blind SQL will last ~5 seconds on my installation as the condition
    is true. This way, you could extract information one by one from the
    mysql tables.

  2. Authorization bypasses in action.php (CSNC-2013-007 / CVE-2013-2629)
    The following actions can be called anonymously, as the $myUser variable
    isn't verified:

  • importForm
  • importFeed
  • addFavorite
  • removeFavorite
  1. Missing anti cross-site request forgery token (CSNC-2013-006 / CVE-2013-2628)
    None of the actions done within action.php requires a token to defeat CSRF.
    This means malicious action can be executed under the identity of a logged
    in Leed admin if the victim clicks on a malicious link or visits a website
    under the attacker's control.

Workaround / Fix:

Upgrade to the latest available version of Leed.

Timeline:

2013-12-18: Public disclosure date
2013-03-19: GIT commit of the fixes
2013-03-19: Initial vendor response
2013-03-19: Discovery by Alexandre Herzog & initial vendor notification

References:

[1] http://projet.idleman.fr/leed/


Alexandre Herzog, IT Security Analyst, Compass Security AG
Werkstrasse 20, 8645 Jona, Switzerland
Schauplatzgasse 39, 3011 Bern, Switzerland
Tel: +41 55 214 41 66
http://www.csnc.ch/

Related

packetstorm 1
cve 3
prion 3
securityvulns 1
packetstorm
packetstorm
Leed Authentication Bypass, SQL Injection, CSRF
2013-12-21 00:00:00
cve
cve
CVE-2013-2627
2013-12-21 00:55:00
CVE-2013-2629
2013-12-23 20:55:00
CVE-2013-2628
2013-12-21 00:55:00
prion
prion
Authorization
2013-12-23 20:55:00
Cross site request forgery (csrf)
2013-12-21 00:55:00
Sql injection
2013-12-21 00:55:00
securityvulns
securityvulns
Web applications security vulnerabilities summary &#40;PHP, ASP, JSP, CGI, Perl&#41;
2014-01-09 00:00:00
JSON
Related for SECURITYVULNS:DOC:30207
packetstorm1cve3prion3securityvulns1