From: j at pureftpd.org (Jedi/Sector One)
Subject: Multiple vulnerabilities in phpRank


Product : phpRank
Date    : 06/10/2002
Author  : Frank Denis <j@...networks.com>



   ------------------------[ Product description ]------------------------


phpRank is a popular set of PHP scripts to easily create and maintain
top-lists of web links.

From the official web site (http://www.phpRank.com/):

<<
phpRank Pro is the best way to increase traffic to your web site. What
phpRank does is when someone joins your top list site and they bring you
people from there site it will increase there site on your list out of
whatever amount of people you would like to list, (top 10, 25, 32, 46 or
whatever number you want!).
>>

Freeware versions (which don't seem to be distributed from the main site
any more) have also been released and they are still widely used.


     ------------------------[ Vulnerabilities ]------------------------
     

phpRank has multiple vulnerabilities.


 * Cross-site scripting in many places, including the main submit form:
 
http://example.com/phprank/add.php?page=add&spass=1&name=2&siteurl=3&email=%3Cscript%3Ealert(42)%3C/script%3E

  Injection of JavaScript in the main list is simple, for instance through
the banner URL:
  
banurl=http://fake.url/%3E%3Cscript%3Ealert(%22Oh%20oh%22)%3C/script%3E

  Anyone can get ranked #1, use a phpRank site to force visitors to
transparently vote for another top-list, etc.


 * Plaintext password storage.
 
  The administrator's password is stored in plaintext in the source code, and
in an HTTP cookie called "ap". No login even has to be supplied.

  Thanks to the previous cross-site scripting vulnerabilities, the admin
password can easily be retrieved.

  phpRank also stores all users' passwords in plaintext in a MySQL database.

  Passwords are also sent in plaintext through email to newly registered users
and to the local administrator.


 * Missing error handling.
 
  No return value of MySQL functions is ever checked. Authentication code:

<<<
$mysql_link = mysql_connect($mysql_host, $mysql_user, $mysql_pass);
$sql = "SELECT spass FROM $mysql_table WHERE id = '$id'";
$result = mysql_db_query($mysql_base, $sql, $mysql_link);
while ($p = mysql_fetch_array($result)) {
   $spass = $p[spass];
}
[$upass is the password sent through an HTML form]
if ($spass == $upass) {
   [reconnect to the mysql database]
   [user is authenticated]
}
>>>

  If the MySQL server is temporarily unavailable, $spass is empty, and
anyone can log in as any user with an empty password.


 * Trivial generation of unique IDs.
 
  Every user is assigned a unique ID, used as a login.
  
  That ID is simply the result of a call to the time() function. This makes
quiet cheating (for instance by inserting a self-voting JavaScript in a newly
inserted banner) and brute-force attacks dramatically easier.


 * Missing authentication check.
 
 The update.php script doesn't check whether the user has supplied a valid
password before updating the database when the "page" HTTP variable is set.

  Anyone can change any entry in the database without authentication,
including passwords.
  
http://example.com/phprank/update.php?page=update&name=zok&description=zok&siteurl=zok&banurl=zok&bh=42&bw=42&email=zok&spass=zok&id=1033913918
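
A fail-closed version of the authentication check from the "Missing error handling" item, which also stores a password hash rather than the plaintext described under "Plaintext password storage". This is an added example, not phpRank code and not part of the original advisory; the `sites` table name, the `authenticate()` helper, the in-memory SQLite database and the sample account are assumptions made so it runs offline.

```php
<?php
// Added example, not phpRank code. The "sites" table, the helper name and the
// SQLite in-memory fixture are assumptions; the sample row is constructed.

/** Returns true only when a stored hash was fetched AND it matches. */
function authenticate(callable $connect, string $id, string $upass): bool
{
    if ($id === '' || $upass === '') {
        return false;                       // never accept empty credentials
    }
    try {
        $db = $connect();                   // may throw if the server is down
        $stmt = $db->prepare('SELECT spass FROM sites WHERE id = ?');
        $stmt->execute([$id]);              // bound parameter, no string pasting
        $hash = $stmt->fetchColumn();       // false when no such id
    } catch (PDOException $e) {
        error_log('auth backend failure: ' . $e->getMessage());
        return false;                       // fail closed on any DB error
    }
    if (!is_string($hash) || $hash === '') {
        return false;                       // unknown id or empty column: deny
    }
    return password_verify($upass, $hash);  // stored value is a hash
}

// Constructed fixture: one account in an in-memory database.
$working = function (): PDO {
    static $db = null;
    if ($db === null) {
        $db = new PDO('sqlite::memory:', null, null,
                      [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
        $db->exec('CREATE TABLE sites (id TEXT PRIMARY KEY, spass TEXT)');
        $ins = $db->prepare('INSERT INTO sites VALUES (?, ?)');
        $ins->execute(['1033913918',
                       password_hash('correct horse', PASSWORD_DEFAULT)]);
    }
    return $db;
};
// Simulated outage: the connection attempt throws.
$down = function (): PDO {
    throw new PDOException('server unavailable (simulated)');
};

var_dump(authenticate($working, '1033913918', 'correct horse')); // valid login
var_dump(authenticate($working, '1033913918', ''));    // empty password
var_dump(authenticate($down, '1033913918', ''));       // outage, empty password
var_dump(authenticate($down, '1033913918', 'correct horse')); // outage
```

Only the first call is accepted; both outage cases are denied because the function never reaches a comparison unless a stored hash was actually read.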


    ------------------------[ Affected versions ]------------------------
     

  All these vulnerabilities have been verified on phpRank 1.8.
  
  Cross-site scripting vulnerabilities have been verified in the professional
version of phpRank. Other vulnerabilities haven't been verified.


      ------------------------[ Vendor status ]------------------------
     

  The phpRank author was notified on September 3rd 2002. The mail bounced. A
new mail was sent on 17 Sep 2002. That one was successfully delivered. No
answer so far, no new release, no patch to fix these issues.

  As the freeware versions aren't available any more on the main site, they
are likely to never get fixed.


-- 
 __  /*-      Frank DENIS (Jedi/Sector One) <j@...Networks.Com>     -*\  __
 \ '/    <a href="http://www.PureFTPd.Org/"> Secure FTP Server </a>    \' /
  \/  <a href="http://www.Jedi.Claranet.Fr/"> Misc. free software </a>  \/