SimpleInvoices 2011.1 - Cross-Site-Scripting (XSS) Vulnerabilities - CVE-2012-4932

Overview

SimpleInvoices 2011.1 is vulnerable to Cross-site Scripting (XSS).

Software Description

Simple Invoices is a free, open source, web based invoicing system that you can install on your server/pc or have hosted by one of our services providers.

Vulnerability Overview

The vulnerabilities POC are as follows:

REFLECTIVE CROSS-SITE-SCRIPTING (XSS)

[http://]127.0.0.1/simpleinvoices/index.php?module=invoices&view=manage&having=%3C/script%3E%3Cscript%3Ealert%28%27POC%20XSS%27%29;%3C/script%3E%3Cscript%3E

PERSISTENT CROSS-SITE-SCRIPTING (XSS)

Steps to replicate:

Add User

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=user&view=add

2) Add the following javascript to the Email field:

<script>alert('POC XSS')</script>

3) Click 'Save'

4) Application will redirect to Users page where javascript will execute.

Add Customer

1) Navigate tot he following URL:

http://127.0.0.1/simpleinvoices/index.php?module=customers&view=add

2) Add the following javascript to the Customer Name field:

<script>alert('POC XSS')</script>

3) Fill out the remaining compulsary fields and click 'Save'

4) Application will redirect tot he Customers page and javascript will execute.

5) This action also breaks the application logic in the fact that you cannot delete the created 'User' in the application, deletion must be carried out manually from the database.

Add Biller

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=billers&view=add

2) Add a legitimate Biller Name such as 'Test'

3) Add the following javascript to the 'Street address', 'Street address 2', 'City', 'Zip code', 'State', 'Country', 'Mobile Phone', 'Phone', 'Fax', 'Email', 'PayPal business name', 'PayPal notify url', 'PayPal return url', 'Eway customer ID', 'Custom field 1', 'Custom field 2', 'Custom field 3' and 'Custom field 4' fields:

<script>alert('POC XSS')</script>

4) Click 'Save'

5) Application will redirect to the Billers page and the javascript will execute once.

6) Click the 'View Test' icon and the application will execute the javascript from each of the vulnerable fields, totalling 18 alerts.

Add Invoice

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=invoices&view=itemised

2) Choose the recently created Customer '<script>alert('POC XSS')</script>'

3) Enter any text into the remaining comulsary fields and click 'Save'

3) Click 'Invoices' from sub-menu

4) Javascript will execute in browser.

Process Payment

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=payments&view=process&op=pay_invoice

2) Choose the recently created invoice '<script>alert('POC XSS')</script>'

3) Enter the following into the 'Notes' field:

<script>alert('POC XSS')</script>

4) The application will redirect and the javascript will execute in the browser.

Payment Types

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=payment_types&view=manage

2) Add the following code in the 'Payment type description' field:

<script>alert('POC XSS')</script>

3) Click 'Save'

4) The application will redirect to the 'Payment Types' page and the javascript will execute in the browser

5) This action also breaks the application logic in the fact that you cannot delete the created 'Payment Type' in the application, deletion must be carried out manually from the database.

Invoice Preferences

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=preferences&view=add

2) Add the following code in the 'Description' field:

<script>alert('POC XSS')</script>

3) Enter any text into the remaining comulsary fields and click 'Save'

4) The application will redirect to the 'Invoice Preferences' page and the javascript will execute in the browser

5) This action also breaks the application logic in the fact that you cannot delete the created 'Invoice Preference' in the application, deletion must be carried out manually from the database.

Manage Products

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=products&view=add

2) Add the following code in the 'Description' field:

<script>alert('POC XSS')</script>

3) Enter any text into the remaining comulsary fields and click 'Save'

4) The application will redirect to the 'Manage Products' page and the javascript will execute in the browser

5) This action also breaks the application logic in the fact that you cannot delete the created 'Product' in the application, deletion must be carried out manually from the database.

Tax Rates

1) Navigate to the following URL:

http://127.0.0.1/simpleinvoices/index.php?module=tax_rates&view=add

2) Add the following code in the 'Description' field:

<script>alert('POC XSS')</script>

3) Enter any text into the remaining comulsary fields and click 'Save'

4) The application will redirect to the 'Tax Rates' page and the javascript will execute in the browser

5) This action also breaks the application logic in the fact that you cannot delete the created 'Tax Rate' in the application, deletion must be carried out manually from the database.

Vulnerability Timeline

18-9-12 - Developer contacted

18-9-12 - CVE-2012-4932 reserved

??-10-12 - Developer release of stable-2012-1-CIS3000 - https://github.com/simpleinvoices/simpleinvoices/tree/stable-2012-1-CIS3000

9-12-12 - Mitre advised to close CVE-2012-4932

Why or Why Not, Htpasswd?

What is htpasswd?

htpasswd is HTTP Basic Authentication as defined by RFC 2617.

Why htpasswd?

1.Its quick and easy,

2. It doesnt require any additional authentication systems, AD or LDAP blah blah blah

Why not htpasswd?

1. Unless SSL is used, credentials are communicated between client and server in plain text

2. Credentials are cached until the browser or tab (browser dependant), are closed

Rules!

1. Never use htpasswd or any other basic authentication over a non-ssl connection!

2. Season your passwords with SALT!

3. Check, Double Check and Triple check your file permissions!

How?

~# man htpasswd & ~# man htacess

Two parts to the tale.

1. .htaccess

Four absolute necessary Apache directives are needed in the .htaccess file. The .htaccess file should be stored in the directory you want to secure.

AuthType Basic - This tells Apache that HTTP Basic Authentication is in use.

AuthName -This tells Apache what to display in the password prompt box.

AuthUserFile - This tells Apache where to look for a list of possible user/passwords. Usually called .htpasswd.

Require - This tells Apache what conditions allow entry to the secured directory.

2. .htpasswd

User:Password

So create a .htaccess file in the directory you want to secure:

 mac@pentest:/securedirectory$ sudo nano .htaccess

Add the following to the file:

 AuthType Basic
 AuthName Please enter a username and password
 AuthUserFile {Full server path to the .htpasswd file}

Save the above, and then use the htpasswd command to create your password file. Simply typing the command:

 mac@pentest:/securedirectory$ sudo htpasswd

Will bring up a nice little how-to:

Usage:
 htpasswd [-cmdpsD] passwordfile username
 htpasswd -b[cmdpsD] passwordfile username password

 htpasswd -n[mdps] username
 htpasswd -nb[mdps] username password
 -c  Create a new file.
 -n  Don't update file; display results on stdout.
 -m  Force MD5 encryption of the password.
 -d  Force CRYPT encryption of the password (default).
 -p  Do not encrypt the password (plaintext).
 -s  Force SHA encryption of the password.
 -b  Use the password from the command line rather than prompting for it.
 -D  Delete the specified user.
On Windows, NetWare and TPF systems the '-m' flag is used by default.
On all other systems, the '-p' flag will probably not work.

So do:

 mac@pentest:/securedirectory$ sudo htpasswd -m -c .htpasswd user

And you should be prompted to enter a password for user, 'user', twice.

What did we do?

If all worked out you should have a file that looks like this:

 mac@pentest:/securedirectory$ cat .htpasswd

 user:$apr1$7gWTF4UB$nMtEFqi8mtRRsnhyQp7FJ0

Job done! Navigate to www.whatever.com/securedirectory and if you've followed the above correctly, you should be presented with a login box to authenticate and enter your secure directory!

Two last tips!

Don't use the -b flag as this will take the password from your command and will be recoverable from your bash history! Let bash prompt you for the password as I have done in the tutorial.

Also don't be tempted to use the -s flag to use SHA1 encryption for the password, this doesn't use a salt for the passwords!

ALWAYS SEASON YOUR PASSWORDS WITH SALT!

Apache Web Server Hardening

Turn off the version give-away:

Edit main Apache config file (if your running RHEL/CentOS/Fedora, you know what to do and probably wont be reading this blog post.):

 sudo nano /etc/apache2/apache2.conf

Add or edit the lines:

ServerSignature Off
ServerTokens Prod

Restart Apache

sudo service apache2 restart

Disable SSL2:

sudo nano /etc/apache2/apache2.conf

Add the following lines or edit them if they exist:

SSLProtocol -ALL +SSLv3 +TLSv1

Restart Apache:

sudo service apache2 restart

From another box, test that sh!t:

openssl s_client -ssl2 -connect SERVERNAME:443

If you haven't got openssl installed on your box, jump off a bridge! No, no I'm kiddin'....right?

Disable the kiddy ciphers (weak):

sudo nano /etc/apache2/apache2.conf

Add the following lines or edit them if they exist:

SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM

Restart Apache:

sudo service apache2 restart

Python Google Scraper

Google Scraper

Uses Colorama and XGoogle Python modules:

Colorama - https://pypi.python.org/pypi/colorama

XGoogle - http://www.catonmat.net/blog/python-library-for-google-search/

Use it like this:

python scraper_arg.py {search string}

E.g -

python scraper_arg.py doughnuts

SEARCHING FOR KEYWORDS: doughnuts

BBC - Food - Recipes : Doughnuts

2 hrs 10 mins

http://www.bbc.co.uk/food/recipes/doughnuts_89027

Download

Tesco DPA Fail

So I took a not-so-tech-savvy relative to a Tesco store in Gloucestershire yesterday evening to purchase a mobile phone contract. During the sign-up process there was a separate fail on Tesco's internal site, the relative I was helping happened to be a widower and as such in the 'Marital Status' section of the form only contained, 'Married', 'Divorced', 'Single' or 'Other'. My relative chose 'Other' being the most fitting and we progressed with the application. During the confirmation a referral was requested and the helpful Tesco employee called the call centre who requested that the 'Martial Status' option was changed to 'Married' to progress the application, my relative said that she would prefer to be listed as 'Single' and this duly broke the web form and the application had to be completed again.

It was at this stage that I spotted Tesco's Data Protection Act (DPA) failure. When the helpful employee clicked in the Drivers License and Passport Number field, used for identification purposes on credit agreements, hundreds of previous customer Drivers License numbers and Passport numbers had been cached in the form fields! I could not believe my eyes. I was actually speechless and for those of you who know me personally, im rarely lost for words :-S

I explained to the helpful employee how bad this was and she 'kind of' understood but didn't really seem concerned. Now I know that its not a great concern to a helpful young Tesco employee who was waiting for her shift to finish on a Saturday night so she could go out and enjoy the evening with her friends, but Tesco shame on you! Have you not learnt anything from the last berating you got from the IT Security industry - ahemm - http://www.troyhunt.com/2012/07/lessons-in-website-security-anti.html and - http://www.bbc.co.uk/news/technology-19316825

Now I do feel that I am in a position of responsibility and have sought advice, I have checked the Information Commissioners website who say that I should 'First, tell the organisation concerned and give it an opportunity to put things right.' - as I right this article Tesco have just contacted me on Twitter to ask how they can help.... Ill keep you updated.

Powershell port scanner

OK; this code is shocking, I wouldn't even bother using it, I'm only putting it here so I don't lose it ;)

echo "      ##############################################
      #############Simple port scanner##############
      ##############################################
      ################### Usage ####################
      #.\portscanner   #
      ##.\portscanner bing.com multi 0 65535 #######
      ###########.\portscanner bing.com 445 ########
      ##############################################"


### arguments

$device = $args[0]
$port = $args[1]
$start = $args[2]
$stop = $args[3]

### function ping device

function pingdevice{
    if(test-connection $device -erroraction silentlycontinue){
        write-output "$device is up"
    }else{
        write-output "$device is down"
        exit
    }
}

### function check ports

function checkports{
    if ($port -match "multi"){ ### checks port range
        for ($counter=$start; $counter -le $stop; $counter++)
        {
            write-output "testing port $counter on $device"
            $porttest = new-object Net.Sockets.TcpClient
            try{
                $connect = $porttest.connect($device,$counter)
                write-output "$counter is open"
            }catch{
                write-output "$counter is closed"
            
            }                                             
    }
    }else{ ## checks a single port
        write-output "testing port $port on $device"
        $porttest = new-object Net.Sockets.TcpClient
        try{
            $connect = $porttest.connect($device,$port)
            write-output "$port is open"
        }catch{
            write-output "$port is closed"
        }
    }
}                                                 
# run out functions
pingdevice
checkports