Re: [Full-disclosure] Happy Holidays / Xmas Advisory
joernchen, your dedication to making it a happy holidays by helping this project become secure is much appreciated. Henri Salo cleverly created a github issue which quickly led to some work being done on the issues reported.

https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-(27th-Dec-2013)

Please continue bringing happiness to the holidays by grabbing the latest source and making tickets in github for the next round of security flaws you find (pull requests for any of the fixes you write would be even better!)

Gage, Brandon and PsychoBilly: we haven't updated the demo site yet (trying to get keys to its hosting location) but could you bring up an instance with the latest code and take the time to dick around a bit more seeking out more duh code?

Good work guys. Thanks.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] Happy Holidays / Xmas Advisory
On Thu, Dec 26, 2013 at 08:51:26AM -0800, Gage Bystrom wrote:
> And it just so kindly tells you where everything is located, just in case you wanted to know. Ex: http://demo.fatfreecrm.com/passwords/
>
> I half expected to find password hashes but oh well, that's life. It is a great hack me application when you can find random vulns simply by dicking around on your phone.

Please report issues to Github (if you care). As you can see the project reacts to security issues. Three days in Christmas time is not bad:

https://github.com/fatfreecrm/fat_free_crm/issues/300
https://github.com/fatfreecrm/fat_free_crm/wiki/Fixing-security-vulnerabilities-(27th-Dec-2013)

---
Henri Salo
Re: [Full-disclosure] Happy Holidays / Xmas Advisory
[[ Henri Salo ]] @ [[ 24/12/2013 18:33 ]]--
> On Tue, Dec 24, 2013 at 11:26:15AM +0100, joernchen wrote:
>> A rather informal advisory on Fat Free CRM (http://fatfreecrm.com/):
>
> I created https://github.com/fatfreecrm/fat_free_crm/issues/300 for tracking.
>
> ---
> Henri Salo

I really like the full user db listing feature:

view-source:http://demo.fatfreecrm.com/login
Re: [Full-disclosure] Happy Holidays / Xmas Advisory
That is the obvious way to reduce DB calls when authenticating. Duh.

On 12/26/2013 03:55 AM, PsychoBilly wrote:
> [[ Henri Salo ]] @ [[ 24/12/2013 18:33 ]]--
>> On Tue, Dec 24, 2013 at 11:26:15AM +0100, joernchen wrote:
>>> A rather informal advisory on Fat Free CRM (http://fatfreecrm.com/):
>>
>> I created https://github.com/fatfreecrm/fat_free_crm/issues/300 for tracking.
>>
>> ---
>> Henri Salo
>
> I really like the full user db listing feature:
>
> view-source:http://demo.fatfreecrm.com/login
Re: [Full-disclosure] Happy Holidays / Xmas Advisory
And it just so kindly tells you where everything is located, just in case you wanted to know. Ex: http://demo.fatfreecrm.com/passwords/

I half expected to find password hashes but oh well, that's life. It is a great hack me application when you can find random vulns simply by dicking around on your phone.

On Dec 26, 2013 3:56 AM, PsychoBilly zpamh...@gmail.com wrote:
> [[ Henri Salo ]] @ [[ 24/12/2013 18:33 ]]--
>> On Tue, Dec 24, 2013 at 11:26:15AM +0100, joernchen wrote:
>>> A rather informal advisory on Fat Free CRM (http://fatfreecrm.com/):
>>
>> I created https://github.com/fatfreecrm/fat_free_crm/issues/300 for tracking.
>>
>> ---
>> Henri Salo
>
> I really like the full user db listing feature:
>
> view-source:http://demo.fatfreecrm.com/login
[Full-disclosure] Happy Holidays / Xmas Advisory
To whom it may concern:

A rather informal advisory on Fat Free CRM (http://fatfreecrm.com/):

Timeline:

Aug 27th 2013  Initial email containing the findings listed below, including a note that there are more vulnerabilities which just need to be verified. (Sent to m...@fatfreecrm.com and secur...@fatfreecrm.com)
Sep 16th 2013  No response so far (not even a bounce of the initial mail), re-sent email of Aug. 27th.
Dec 20th 2013  Still no response.
Dec 24th 2013  Public Disclosure.

Hint: Actually the codebase is full of Ruby on Rails worst practices. You might want to use it as a sample Hack Me application.

---

1. Known Session Secret

In config/initializers/secret_token.rb a static secret token is defined; with the knowledge of this token an attacker is able to execute arbitrary Ruby code server side.

2. Lack of CSRF Protection

In app/controllers/application_controller.rb the protect_from_forgery statement is missing, therefore Fat Free CRM is vulnerable to CSRF attacks.

3. Default to_json for models

The users controller renders JSON requests with a full JSON object. For instance, when being logged in to the demo app and requesting http://demo.fatfreecrm.com/users/1.json, the response would be:

    {
      "user": {
        "admin": true,
        "aim": "",
        "alt_email": "",
        "company": "example",
        "created_at": "2012-02-12T02:00:00+02:00",
        "current_login_at": "2013-08-26T22:12:05+03:00",
        "current_login_ip": "61.143.60.146",
        "deleted_at": null,
        "email": "aa...@example.com",
        "first_name": "Aaron",
        "google": "",
        "id": 1,
        "last_login_at": "2013-08-24T22:20:06+03:00",
        "last_login_ip": "122.173.185.99",
        "last_name": "Assembler",
        "last_request_at": "2013-08-26T22:13:35+03:00",
        "login_count": 481,
        "mobile": "(800)555-1211",
        "password_hash": "56d91c9f1a9c549304768982fd4e2d8bc2700b403b4524c0f14136dbbe2ce4cd923156ad69f9acce8305dba4e63faa884e61fb7a256cf8f5fc7c2ce176e68e8f",
        "password_salt": "ce6e0200c96f4dd326b91f3967115a31421a0e7dcddc9ffb63a77f598a9fcb5326fe532dbd9836a2446e46840d398fa32c81f8f4da1a0fcfe931989e9639a013",
        "perishable_token": "NE0n6wUCumVNdQ24ahRu",
        "persistence_token": "d7cdeffd3625f7cb265b21126b85da7c930d47c4a708365c20eb857560055a6b57c9775becb8a957dfdb46df8aee17eb120a011b380e9cc0882f9dfaa2b7ba26",
        "phone": "(800)555-1210",
        "single_access_token": "TarXlrOPfaokNOzls2U8",
        "skype": "ranzitreddy",
        "suspended_at": null,
        "title": "VP of Sales",
        "updated_at": "2013-08-26T22:13:35+03:00",
        "username": "aaron",
        "yahoo": ""
      }
    }

A custom to_json method which sanitizes the output should be created.

4. Multiple SQL Injections

In app/controllers/home_controller.rb:

    def timeline
      unless params[:type].empty?
        model = params[:type].camelize.constantize
        item = model.find(params[:id])
        item.update_attribute(:state, params[:state])
      else
        comments, emails = params[:id].split("+")
        Comment.update_all("state = '#{params[:state]}'", "id IN (#{comments})") unless comments.blank?
        Email.update_all("state = '#{params[:state]}'", "id IN (#{emails})") unless emails.blank?
      end
      render :nothing => true
    end

Here params[:state], comments and emails are attacker controlled values which go directly into SQL statements. Therefore this piece of code exposes a SQL Injection vulnerability.

---

Static URL of this text: http://www.phenoelit.org/stuff/ffcrm.txt

Happy Holidays,

joernchen

--
joernchen ~ Phenoelit      joernc...@phenoelit.de ~ C776 3F67 7B95 03BF 5344
http://www.phenoelit.de    ~ A46A 7199 8B7B 756A F5AC
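Added example (not joernchen's advisory text and not Fat Free CRM's own code): plain-Ruby stand-ins for the two fixes items 3 and 4 above ask for, written without Rails so they run on their own. It serialises a user record through an attribute allowlist instead of the default to_json, and rebuilds the timeline UPDATE so that the state value is checked against a fixed set, the "1+2+3" id list is coerced to integers, and both travel as bind values rather than being interpolated into the SQL text. The module name, the sample record and the assumed state values "Expanded"/"Collapsed" are constructed for illustration.

```ruby
require 'json'
require 'set'

# Added example, not Fat Free CRM code: plain-Ruby stand-ins for the fixes
# items 3 and 4 of the advisory call for, so the logic runs without Rails.
# The module name, the sample record and the state values are constructed.
module FfcrmHardening
  # Item 3: the only user attributes a JSON response may carry. Everything
  # else on the record (password_hash, password_salt, persistence_token,
  # login IPs, admin flag, ...) is dropped. An allowlist, not a denylist,
  # so a column added later is private by default.
  USER_PUBLIC_ATTRS = %w[id username first_name last_name title company email].freeze

  # Serialise a user record (a Hash of column => value) through the allowlist.
  # In Rails this would be the body of a custom as_json/to_json on the model.
  def self.user_public_json(user)
    safe = user.select { |k, _| USER_PUBLIC_ATTRS.include?(k.to_s) }
    JSON.generate('user' => safe)
  end

  # Item 4: values params[:state] may take (assumed; the point is a fixed set).
  ALLOWED_STATES = Set.new(%w[Expanded Collapsed]).freeze

  class InvalidInput < ArgumentError; end

  # Turn the "1+2+3" id list into Integers; anything non-numeric is rejected
  # instead of being spliced into the IN (...) clause.
  def self.parse_ids(raw)
    raw.to_s.split('+').reject(&:empty?).map do |s|
      raise InvalidInput, "bad id #{s.inspect}" unless s.match?(/\A\d+\z/)
      Integer(s, 10)
    end
  end

  # Build the UPDATE that timeline ran through update_all, as [sql, binds].
  # The table name comes from the calling code, never from the request;
  # state and ids are bind values, so the SQL text holds only '?' markers.
  # Returns nil when there is nothing to update.
  def self.timeline_update(table, state, raw_ids)
    raise InvalidInput, "bad state #{state.inspect}" unless ALLOWED_STATES.include?(state)
    ids = parse_ids(raw_ids)
    return nil if ids.empty?
    placeholders = Array.new(ids.size, '?').join(', ')
    ["UPDATE #{table} SET state = ? WHERE id IN (#{placeholders})", [state] + ids]
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed record mirroring the shape of the advisory's /users/1.json.
  user = { 'id' => 1, 'username' => 'aaron', 'admin' => true,
           'password_hash' => 'CONSTRUCTED-HASH',
           'persistence_token' => 'CONSTRUCTED-TOKEN' }
  puts FfcrmHardening.user_public_json(user)
  p FfcrmHardening.timeline_update('comments', 'Collapsed', '3+7')
  begin
    # A state carrying a stray quote never reaches the SQL text.
    FfcrmHardening.timeline_update('comments', "Collapsed'", '3')
  rescue FfcrmHardening::InvalidInput => e
    puts "rejected: #{e.message}"
  end
end
```

The two pieces belong in different places in a Rails app: the allowlist goes into the User model's as_json (or a serializer), so every controller rendering a user gets the reduced view; the validated state and integer ids go into the timeline action, which then passes them to update_all as an array with placeholders rather than a pre-built string.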
Re: [Full-disclosure] Happy Holidays / Xmas Advisory
On Tue, Dec 24, 2013 at 11:26:15AM +0100, joernchen wrote:
> A rather informal advisory on Fat Free CRM (http://fatfreecrm.com/):

I created https://github.com/fatfreecrm/fat_free_crm/issues/300 for tracking.

---
Henri Salo