Nth Dimension Security Advisory (NDSA20070524)

Date: 24th May 2007
Author: Tim Brown
URL: /
Product: JFFNMS 0.8.3
Vendor: JFFNMS
Risk: High

Summary

This advisory comes in 2 related parts:

1) The JFFNMS application has high risk issues with its authentication mechanism. These can lead to SQL injection allowing authentication bypass, and to Javascript injection. There is also a potential backdoor, although this is unlikely to be exploitable.

2) The JFFNMS application ships with default PHP scripts which can lead to information disclosure to an unauthenticated user.

Technical Details

1) In cases where the web server hosting the PHP interpreter has been configured with magic_quotes_gpc disabled, it is possible to inject both SQL and Javascript into the auth.php PHP script. This script makes use of two parameters, user and password, which are normally populated during the authentication process. By making a request for the following URL, for example:

http://192.168.1.1/auth.php?user='%20union%20select%202,'admin','$1$RxS1ROtX$IzA1S3fcCfyVfA9rwKBMi.','Administrator'/*&pass=

it is possible to bypass the authentication mechanism and authenticate as the admin user. These parameters are also used in generating an audit trail of access to the application and in generating the login form, which may allow modification of existing data held on the web server and Javascript injection which could allow intruders to execute malicious code on visitors' computers, for example:

http://192.168.1.1/auth.php?user='

This Javascript injection point results in the code being executed on multiple occasions, since the tick also causes an SQL error in the audit trail code which is returned to the visitor prior to the populated login form. Potential intruders could use this to execute malicious code on visitors' computers.
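The two auth.php defects described above, as an added illustration by the editor rather than JFFNMS code: the user and pass parameters are bound as query parameters instead of being concatenated into SQL, the audit trail is written the same way, and the user name is HTML-encoded before it is reflected into the login form, so nothing depends on magic_quotes_gpc. The table and column names are assumed.

```php
<?php
// Added illustration (not JFFNMS code). Table and column names are assumed.

function authenticate(PDO $db, string $user, string $pass): ?array
{
    // Parameterised query: the user name travels as a bound value, so a
    // quote or a UNION inside it can never alter the SQL statement.
    $stmt = $db->prepare(
        'SELECT id, username, password_hash, name FROM users WHERE username = ?'
    );
    $stmt->execute([$user]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;
    }
    // Compare against the stored crypt()-style hash (the $1$ MD5-crypt form
    // seen in the advisory is one such format) in constant time.
    if (!hash_equals($row['password_hash'], crypt($pass, $row['password_hash']))) {
        return null;
    }
    unset($row['password_hash']);
    return $row;
}

function audit(PDO $db, string $user, string $remoteAddr, bool $ok): void
{
    // Audit trail written with bound parameters too, so a tick in the user
    // name neither corrupts the row nor raises an SQL error that gets
    // reflected back to the visitor.
    $stmt = $db->prepare(
        'INSERT INTO audit_log (username, remote_addr, success, ts) VALUES (?, ?, ?, NOW())'
    );
    $stmt->execute([$user, $remoteAddr, $ok ? 1 : 0]);
}

function loginForm(string $user): string
{
    // Output encoding: whatever was submitted is rendered as text, not markup.
    $safe = htmlspecialchars($user, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<form method="post" action="auth.php">'
         . '<input type="text" name="user" value="' . $safe . '">'
         . '<input type="password" name="pass">'
         . '<input type="submit" value="Login"></form>';
}

// Usage (constructed): $db is a PDO handle with exceptions enabled via
// $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// $account = authenticate($db, $_POST['user'] ?? '', $_POST['pass'] ?? '');
// audit($db, $_POST['user'] ?? '', $_SERVER['REMOTE_ADDR'], $account !== null);
```

With exceptions enabled, a database error is caught by the application rather than echoed into the page, which removes the second reflection point the advisory describes.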
Finally, the auth.php PHP script also includes the following code:

if (($jffnms_version=="0.0.0") && ($_SERVER["REMOTE_ADDR"]=="128.30.52.13")) {

which could be considered a backdoor, although it does not appear to be exploitable in a typical installation.

2) The application also included 2 default PHP scripts which can disclose information to an unauthenticated user, depending on the web server and application configuration:

http://192.168.1.1/admin/setup.php
http://192.168.1.1/admin/adm/test.php

The setup.php PHP script discloses, and indeed allows modification of, the application configuration, whilst the test.php PHP script calls the phpinfo() function and returns its results. Both appeared to be accessible in the default installation.

Solutions

Following vendor notification on the 24th May 2007, the vendor promptly responded with an initial patch which fixed the most serious case of authentication bypass. After additional testing by Nth Dimension, further changes were recommended and the vendor responded with a second patch, which has been attached along with this advisory. Nth Dimension would recommend applying this patch as soon as possible. Alternatively, nightly builds from 0.8.4-pre3 (available at http://www.jffnms.org/nightly/) onwards also include this patch.

Nth Dimension would like to thank Javier and Craig from JFFNMS for the way they worked to resolve the issue.