Serious holes affecting JFFNMS

[Tim Brown <timb@xxxxxxxxxxxxxxxxxxxx>]

As a result of a short security audit of JFFNMS, a number of security holes 
were found, even from the perspective of a non authenticated user.  The holes 
included authentication bypass via SQL injection. Javascript injection and a 
serious case of information disclosure.  After liasing with the developers, 
the holes have been resolved.  Attached are the advisory and patch relating 
to these flaws.

Tim
-- 
Tim Brown
<mailto:timb@xxxxxxxxxxxxxxxxxxxx>
<http://www.nth-dimension.org.uk/>

diff -Nru -x'*.png' -x'*.ini' -x'*.*sql' -x'*.patch' 
jffnms-0.8.3/htdocs/admin/adm/test.php 
jffnms-0.8.4-pre2/htdocs/admin/adm/test.php
--- jffnms-0.8.3/htdocs/admin/adm/test.php      2006-09-16 20:31:13.000000000 
-0300
+++ jffnms-0.8.4-pre2/htdocs/admin/adm/test.php 1969-12-31 21:00:00.000000000 
-0300
@@ -1 +0,0 @@
-<? phpinfo(); ?>
\ No newline at end of file
diff -Nru -x'*.png' -x'*.ini' -x'*.*sql' -x'*.patch' 
jffnms-0.8.3/htdocs/auth.php jffnms-0.8.4-pre2/htdocs/auth.php
--- jffnms-0.8.3/htdocs/auth.php        2006-09-16 20:31:13.000000000 -0300
+++ jffnms-0.8.4-pre2/htdocs/auth.php   2002-08-13 23:14:54.228705056 -0300
@@ -46,11 +46,6 @@
                    session_start();
                }
 
-               if (($jffnms_version=="0.0.0") && 
($_SERVER["REMOTE_ADDR"]=="128.30.52.13")) { //W3C Validator
-                   $_REQUEST["user"]="admin";
-                   $_REQUEST["pass"]="admin";
-               }
-               
                if (!isset($_SESSION["authentification"]))
                    $authentification = $jffnms->authenticate 
($_REQUEST["user"],$_REQUEST["pass"],true,"from ".$_SERVER["REMOTE_ADDR"]);
 
diff -Nru -x'*.png' -x'*.ini' -x'*.*sql' -x'*.patch' 
jffnms-0.8.3/lib/api.classes.inc.php jffnms-0.8.4-pre2/lib/api.classes.inc.php
--- jffnms-0.8.3/lib/api.classes.inc.php        2006-09-16 20:31:14.000000000 
-0300
+++ jffnms-0.8.4-pre2/lib/api.classes.inc.php   2002-08-13 23:14:55.656488000 
-0300
@@ -677,7 +677,7 @@
            $auth_type = 1;
            $cant_auth = 0;
            
-           if (isset($user) && isset($pass)) {
+           if (preg_match("/^[\w\@\.]{0,20}$/", $user) && isset($pass)) {
                $query_auth = "select id as auth_user_id, usern as 
auth_user_name, passwd, fullname as auth_user_fullname from auth where usern = 
'$user'";
                $result_auth = db_query ($query_auth);
                $cant_auth = db_num_rows($result_auth);
@@ -693,18 +693,20 @@
            } 
     
            if (($auth==0) && ($cant_auth == 0)){  //not found in DB
-               if (isset($user) && isset($pass)) {
+
+               if (preg_match("/^[\w\@\.]{0,20}$/", $user) && isset($pass)) {
                    $query_auth = "select id as auth_user_id, username as 
auth_user_name, name as auth_user_fullname from clients where username= '$user' 
and password = '$pass'";
                    $result_auth = db_query ($query_auth);
                    $auth = db_num_rows( $result_auth);
                }
+               
                if ($auth==1) { 
                    $reg = db_fetch_array($result_auth);
                    $auth_type = 2;
                }
            }
            
-           if (($log_event==true) && (!empty($user)))
+           if (($log_event==true) && preg_match("/^[\w\@\.]{0,20}$/", $user))
                insert_event(date("Y-m-d 
H:i:s",time()),get_config_option("jffnms_internal_type"),1,"Login",(($auth==1)?"successful":"failed"),$user,$log_event_info,"",0);
            
            unset ($reg["passwd"]);

Attachment: NDSA20070524.txt.asc
Description: application/pgp-keys

Attachment: signature.asc
Description: This is a digitally signed message part.