RE: Vulnerability found in CPAINT Ajax Toolkit

["Thor Larholm" <thor () pivx com>]

I had a couple minutes to spare and highlighted some additional
vulnerabilities in CPAINT to the developers, which have now been fixed
promptly.

CPAINT uses xmlhttp to call a serverside script with either GET or POST
requests. The basic request structure is as follow

cpaint_function=serversideFunction&cpaint_argument[]=firstArgument&cpain
t_argument[]=secondArgument

These are parsed and checked for malicious function calls and then
concatenated into a string which is evaluated on the server, as such

cpaint_runcode(request.querystring("cpaint_function") & " (" &
join(cpaint_arguments, ",") & ")")

1) 
You can inject malicious code to be executed by the server through
string concatenation of the arguments. Here's an example with the
default calculator example.

calculator.asp?cpaint_function=addNumbers&cpaint_argument[]=1&cpaint_arg
ument[]=2")%20%26%20eval("malicious code

2)
You don't have to know the name of a predefined function in order to
execute malicious code. Example:

http://someserver.com/cpaintfile.asp?cpaint_function=response.write&cpai
nt_argument[]=2")%20%26%20eval("malicious code

3)
The checkBlacklist function did not scrub out calls to the ExecuteGlobal
function and GetRef statement, allowing for further code injection.

4)
All of the above also allow simple XSS.

The above problems have been fixed in the current release, though the
use of eval on the server will continue to represent a target. The
CPAINT developers will soon be releasing version 2 of their library
which will move away from eval and only allow calls to explicitly
defined serverside functions.


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor () pivx com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6  20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation. 
<http://www.pivx.com/qwikfix>   

-----Original Message-----
From: wiley14 () gmail com [mailto:wiley14 () gmail com] 
Sent: Monday, August 15, 2005 6:53 PM
To: bugtraq () securityfocus com
Subject: Vulnerability found in CPAINT Ajax Toolkit

I am the original author of the CPAINT Ajax Toolkit
(http://cpaint.sourceforge.net/).  Last night we found a vulnerability
affecting all versions of CPAINT prior to v1.3-SP (which is the patched
version of the software) that can allow a user with malicious intent to
execute server or ASP/PHP commands that would allow them to easily
access data on the server.

We have removed prior versions of the software from our SourceForge
Project website and highly recommend that all users upgrade to v1.3-SP
which can be downloaded at
http://sourceforge.net/project/showfiles.php?group_id=141041&package_id=
154713&release_id=349396

This problem will also affect any software packages and/or websites that
utilize the CPAINT toolkit.  We also suspect this problem affects other
AJAX toolkits (as they are all very similar in the way they execute
functions on the backend) and urge other AJAX toolkit authors and users
to test for any security problems as well.