lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <200612011000.33083.scy-adv@scytale.de>
Date: Fri, 1 Dec 2006 10:00:32 +0100
From: Tim Weber <scy-adv@...tale.de>
To: full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: deV!L`z Clanportal - SQL Injection [061124a]


   /                             -[061124a]-  \
   |   deV!L`z Clanportal  -  SQL Injection   |
   \                                          /


   S Y N O P S I S  /
  ================='

 -(  access: remote   severity: high  )-

An SQL injection has been found in deV!L`z Clanportal, which allows any logged
in user to grant herself admin privileges in the system.


   B A C K G R O U N D  /
  ====================='

deV!L`z Clanportal (short "DZCP") is a suite of PHP scripts that allow anybody
to create a feature-rich website for her online gaming clan.


   A F F E C T E D   V E R S I O N S  /
  ==================================='

        verified on:  1.3.6
possibly vulnerable:  <= 1.3.6
           fixed in:  1.3.6.1


   I M P A C T  /
  ============='

The attacker gains admin privileges in DZCP and is thus able to create and
download a MySQL dump, upload files, post news, delete users etc.


   P R E R E Q U I S I T I E S  /
  ============================='

 o  the attacker needs to have an user account in the suite and be logged in
 o  php.ini directive "magic_quotes_gpc" has to be disabled


   D E S C R I P T I O N  /
  ======================='

sites/index.php is not escaping the $_GET['show'] parameter, leading to an SQL
injection.  This can be used to pass any string to the $where parameter in
DZCP's page() function.  page(), in turn, is not checking that parameter,
allowing a second SQL injection in an UPDATE statement on the "users" table to
change arbitrary attributes in the calling user's tuple, including the "level"
attribute, which, set to 4, grants the user administrator privileges.


   W O R K A R O U N D  /
  ====================='

Some possibilities:

 o  Add a mysql_real_escape_string() around the $_GET parameter in the SQL query
    in sites/index.php.
 o  Remove sites/index.php or make it inaccessible.
 o  Quit using DZCP.  I mean it!  There are tons of other vulnerabilites just
    waiting to be exploited; some of them more severe than this one.  IMHO, DZCP
    is just a chaotic bunch of vulnerabilities that, by some coincidence, happen
    to look like a clan portal.


   P R O O F   O F   C O N C E P T  /
  ================================='

Check if magic_quotes_gpc is enabled:
 http://<dzcp>/sites/index.php?show='

If a MySQL error appears or the script dies, it is disabled. Then:
 http://<dzcp>/sites/index.php?show=-1'+%55NION+%53ELECT+1,+'Admin+Panel\',+level%3d4,+waffe%3d\'SQL+Injection',+2,+3,+'


   T I M E L I N E  (CET)  /
  ========================'

2006-11-23 23:05  started searching
        24  0:35  exploited
           14:20  advisory finished
           17:31  informed vendor that any user can get admin privileges
        25 23:00  full disclosure to vendor
        27 14:36  hotfix available on vendor website
     12-01 10:00  full disclosure to the general public


   A B O U T   T H E   A U T H O R  /
  ================================='

Tim Weber, computer science student at the University of Mannheim, Germany,
currently looking for an internship at some IT security or pentesting company,
can be reached via e-mail: scy-adv-061124a at the host scytale.de.


   T H A N K S  /
  ============='

 o  Kallista
 o  yorn for showing me DZCP and the basics of SQL injections
 o  the DZCP authors for the fun in secure.php

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ