Bugtraq ID 75176 – 6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities

6kbbs_1

 

Bugtraq ID 75176 – 6kbbs v8.0 Weak Encryption Cryptography Security Vulnerabilities

 

Exploit Title: 6kbbs Weak Encryption Web Security Vulnerabilities

Vendor: 6kbbs

Product: 6kbbs

Vulnerable Versions: v7.1 v8.0

Tested Version: v7.1 v8.0

Advisory Publication: June 08, 2015

Latest Update: June 10, 2015

Vulnerability Type: Inadequate Encryption Strength [CWE-326]

CVE Reference: *

CVSS Severity (version 2.0):

Discover and Reporter: Wang Jing [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)

 

 

 

Recommendation Details:



(1) Vendor & Product Description:

Vendor:

6kbbs

 

Product & Vulnerable Versions:

6kbbs

v7.1

v8.0

 

Vendor URL & download:

6kbbs can be gain from here,
http://www.6kbbs.com/download.html

 

Product Introduction Overview:

“6kbbs V8.0 is a PHP + MySQL built using high-performance forum, has the code simple, easy to use, powerful, fast and so on. It is an excellent community forum program. The program is simple but not simple; fast, small; Interface generous and good scalability; functional and practical pursuing superior performance, good interface, the user’s preferred utility functions. Forum Technical realization (a) interface : using XHTML + CSS structure, so the structure of the page , easy to modify the interface ; save the transmission static page code , greatly reducing the amount of data transmitted over the network ; improve the interface scalability , more in line with WEB standards, support Internet Explorer, FireFox, Opera and other major browsers. (b) Program : The ASP + ACCESS mature technology , the installation process is extremely simple , the environment is also very common.”

 

“(1) PHP version : (a) 6kbbs V8.0 start using PHP + MySQL architecture. (b) Currently ( July 2010 ) is still in the testing phase , 6kbbs V8.0 is the latest official release. (2) ASP Version: 6kbbs (6k Forum) is an excellent community forum process . The program is simple but not simple ; fast , small ; interface generous and good scalability ; functional and practical . pursue superiority , good interface , practical functions of choice for subscribers.”

 

 

 

(2) Vulnerability Details:

 

6kbbs web application has a computer security problem. It can be exploited by weak encryption attacks. The software stores or transmits sensitive data using an encryption scheme that is theoretically sound, but is not strong enough for the level of protection required. A weak encryption scheme can be subjected to brute force attacks that have a reasonable chance of succeeding using current attack methods and resources.

 

Several 6kbbs products 0-day web cyber bugs have been found by some other bug hunter researchers before. 6kbbs has patched some of them. “The Full Disclosure mailing list is a public forum for detailed discussion of vulnerabilities and exploitation techniques, as well as tools, papers, news, and events of interest to the community. FD differs from other security lists in its open nature and support for researchers’ right to decide how to disclose their own discovered bugs. The full disclosure movement has been credited with forcing vendors to better secure their products and to publicly acknowledge and fix flaws rather than hide them. Vendor legal intimidation and censorship attempts are not tolerated here!” A great many of the web securities have been published here.

 

Source Code:

<?php

if(empty($row)){

$extrow=$db->row_select_one(“users”,”username='{$username}'”);

if(!empty($extrow) && !empty($extrow[‘salt’])){

if(md5(md5($userpass).$extrow[‘salt’])==$extrow[‘userpass’]){

$row=$extrow;

$new_row[“userpass”]=$userpass_encrypt;

$new_row[“salt”]=””;

$db->row_update(“users”,$new_row,”id={$extrow[‘id’]}”);

}

}

}

?>

 

 

Source Code From:
http://code.google.com/p/6kbbs/source/browse/trunk/convert/discuz72/loginext.php?r=16

 

We can see that “userpass” stored in cookie was encrypted using “$userpass” user password directly. And there is no “HttpOnly” attribute at all. Since md5 is used for the encryption, it is easy for hackers to break the encrypted message.

 

“The MD5 message-digest cryptography algorithm is a widely used cryptographic hash function producing a 128-bit (16-byte) hash value, typically expressed in text format as a 32 digit hexadecimal number. Papers about it have been published on Eurocrypt, Asiacrypt and Crypto. Meanwhile, researchers focusing on it spread in Computer Science, Computer Engineering, IEEE and Mathematics. MD5 has been utilized in a wide variety of cryptographic applications, and is also commonly used to verify data integrity. MD5 was designed by Ronald Rivest in 1991 to replace an earlier hash function, MD4. The source code in RFC 1321 contains a “by attribution” RSA license.” (Wikipedia)

 

 

 

 

References:
https://itswift.wordpress.com/2015/06/11/6kbbs-v8-0-weak-encryption/
http://marc.info/?l=full-disclosure&m=142821698311838&w=4
http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1820
http://seclists.org/fulldisclosure/2015/Apr/13
https://packetstormsecurity.com/files/131290/6kbbs-8.0-Cross-Site-Request-Forgery.html
http://lists.openwall.net/full-disclosure/2015/04/05/6
https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01903.html
http://cxsecurity.com/search/author/DESC/AND/FIND/0/10/Wang+Jing/
http://diebiyi.com/articles/security/6kbbs-v8-0-weak-encryption/
http://whitehatpost.blog.163.com/blog/static/24223205420155115152896/
http://webtechhut.blogspot.com/2015/06/6kbbs-weak-encryption.html
https://webtechwire.wordpress.com/2015/06/11/6kbbs-v8-0-weak-encryption/

CVE-2015-2066 – DLGuard SQL Injection Web Security Vulnerabilities

Web-Security-Choosing-The-Security

 

CVE-2015-2066 – DLGuard SQL Injection Web Security Vulnerabilities

Exploit Title: CVE-2015-2066 DLGuard /index.php c parameter SQL Injection Web Security Vulnerabilities

Product: DLGuard

Vendor: DLGuard

Vulnerable Versions: v4.5

Tested Version: v4.5

Advisory Publication: February 18, 2015

Latest Update: May 01, 2015

Vulnerability Type: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) [CWE-89]

CVE Reference: CVE-2015-2066

CVSS Severity (version 2.0):

CVSS v2 Base Score: 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P) (legend)

Impact Subscore: 6.4

Exploitability Subscore: 10.0

CVSS Version 2 Metrics:

Access Vector: Network exploitable

Access Complexity: Low

Authentication: Not required to exploit

Impact Type: Allows unauthorized disclosure of information; Allows unauthorized modification; Allows disruption of service

Writer and Reporter: Jing Wang [School of Physical and Mathematical Sciences (SPMS), Nanyang Technological University (NTU), Singapore] (@justqdjing)





Caution Details:

(1) Vendor & Product Description:

Vendor:

DLGuard

Product & Version:

DLGuard

v4.5

Vendor URL & Download:

DLGuard can be downloaded from here,

http://www.dlguard.com/dlginfo/index.php

Product Introduction Overview:

“DLGuard is a powerful, yet easy to use script that you simply upload to your website and then rest assured that your internet business is not only safe, but also much easier to manage, automating the tasks you just don’t have the time for.”

“DLGuard supports the three types, or methods, of sale on the internet:

<1>Single item sales (including bonus products!)

<2>Multiple item sales

<3>Membership websites”

“DLGuard is fully integrated with: PayPal, ClickBank, 2Checkout, Authorize.Net, WorldPay, AlertPay, Ebay, PayDotCom, E-Gold, 1ShoppingCart, Click2Sell, Mal’s E-Commerce, LinkPoint, PagSeguro, CCBill, CommerseGate, DigiResults, FastSpring, JVZoo, MultiSafePay, Paypal Digital Goods, Plimus, RevenueWire/SafeCart, SWReg, WSO Pro, and even tracks your free product downloads. The DLGuard built-in Shopping Cart offers Paypal, Authorize.net, and 2Checkout payment options. The Membership areas allow Paypal, Clickbank, 2Checkout, and LinkPoint recurring billing as well as linking to any PayPal, ClickBank, 2Checkout, Authorize.Net, WorldPay, AlertPay, Ebay, PayDotCom, E-Gold, 1ShoppingCart, E-Bullion, LinkPoint, PagSeguro, CCBill, CommerseGate, DigiResults, FastSpring, JVZoo, MultiSafePay, Paypal Digital Goods, Plimus, RevenueWire/SafeCart, SWReg, WSO Pro single sale and free products so that people who buy your products can access your members area. DLGuard is the perfect solution to secure your single sale item, such as a niche marketing website, software sales, ebook sales, and more! DLGuard not only protects your download page, but it makes setting up new products, or making changes to existing products so much quicker and easier than before.”


(2) Vulnerability Details:

DLGuard web application has a computer security bug problem. It can be exploited by SQL Injection attacks. This may allow an attacker to inject or manipulate SQL queries in the back-end database, allowing for the manipulation or disclosure of arbitrary data.

Several similar products vulnerabilities have been found by some other bug hunter researchers before. DLguard has patched some of them. The MITRE Corporation is a not-for-profit company that operates multiple federally funded research and development centers (FFRDCs), which provide innovative, practical solutions for some of our nation’s most critical challenges in defense and intelligence, aviation, civil systems, homeland security, the judiciary, healthcare, and cybersecurity. It has phase, votes, comments and proposed details related to important vulnerabilities.

(2.1) The bug programming flaw vulnerability occurs at “&c” parameter in “index.php?” page.

 
 

References:

http://seclists.org/fulldisclosure/2015/Feb/69

https://www.mail-archive.com/fulldisclosure%40seclists.org/msg01703.html

https://progressive-comp.com/?a=139222176300014&r=1&w=1%E2%80%8B

http://permalink.gmane.org/gmane.comp.security.fulldisclosure/1607

http://lists.openwall.net/full-disclosure/2015/02/18/6

http://marc.info/?a=139222176300014&r=1&w=4

http://www.tetraph.com/blog/sql-injection-vulnerability/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

http://www.inzeed.com/kaleidoscope/sql-injection-vulnerability/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

http://diebiyi.com/articles/%E5%AE%89%E5%85%A8/sql-injection-vulnerability/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

https://plus.google.com/u/0/107140622279666498863/posts/44pDNaZao8v

https://biyiniao.wordpress.com/2015/05/11/cve-2015-2066-dlguard-sql-injection-web-security-vulnerabilities/

http://shellmantis.tumblr.com/post/118658089031/inzeed-cve-2015-2066-dlguard-sql-injection#notes

http://xingzhehong.lofter.com/post/1cfd0db2_6ea8323

http://russiapost.blogspot.ru/2015/05/cve-2015-2066-dlguard-sql-injection-web.html

https://www.facebook.com/computersecurities/posts/375386899314769

http://blog.163.com/greensun_2006/blog/static/11122112201541193421290/

https://twitter.com/tetraphibious/status/597577800023838720

http://www.weibo.com/3973471553/Chj5OFIPk?from=page_1005053973471553_profile&wvr=6&mod=weibotime&type=comment#_rnd1431308778074

 

Yahoo and Yahoo Japan May be Vulnerable to Spams

vulnerability_scan_436x270

Yahoo and Yahoo Japan May be Vulnerable to Spams

Student security researcher Jing Wang from School of Physical and Mathematical Science at Nanyang Technological University, Singapore, has found new security vulnerabilities related to Yahoo.

After reporting several Open Redirect vulnerabilities to Yahoo. Yahoo’s responses were “It is working as designed”. It seems that Yahoo do not take the vulnerabilities seriously at all.

Based on Wang’s report on Full Disclosure “Multiple Open Redirect vulnerabilities were reported Yahoo. All Yahoo’s responses were “this intended behavior”. However, these vulnerabilities were patched later.”

The vulnerability of Yahoo occurs at “ard.yahoo.com” page. While the vulnerability of Yahoo Japan happens at sensitive page “http://order.store.yahoo.co.jp&#8221;.

Proof of concept on YouTube were also released to illustrate exploits. 

(1)Yahoo Open Redirect

(2)Yahoo Japan Open Redirect

In fact, Yahoo’s users were attacked based on redirection this year. Base on CNET on January 4, 2014, “Yahoo.com visitors over the last few days may have been served with malware via the Yahoo ad network, according to Fox IT, a security firm in the Netherlands. Users visiting pages with the malicious ads were redirected to sites armed with code that exploits vulnerabilities in Java and installs a variety of different malware. ” 

Wang wrote that the attack could work without a user being logged in. And his tests were using Firefox (33.0) in Ubuntu (14.04) and IE (10.0.9200.16521) in Windows 8.

Redirect can ensure a good user experience. However, if it is not properly provided. Attackers can use this to trick users. This is common in Phishing attacks and Spams.

On 21 December, 2014. Yahoo.com’s Alexa ranking is 4. While Yahoo.co.jp’s Alexa ranking is 17. Both of them are very popular around the world. From Wikipedia, “Yahoo during July 2013 surpassed Google on the number of United States visitors to its Web sites for the first time since May 2011, set at 196 million United States visitors, having increased by 21 percent in a year.” 

Open redirect is listed in OWASP top 10. The general consensus of it is “avoiding such flaws is extremely important, as they are a favorite target of phishers trying to gain the user’s trust.”