Message-ID: <48317b000912110721i1f0031b7lb829df8fa53cb97b@mail.gmail.com>
Date: Fri, 11 Dec 2009 16:21:57 +0100
From: Salvatore Fresta aka Drosophila <drosophilaxxx@...il.com>
To: Bugtraq <bugtraq@...urityfocus.com>, david_degner@...oo.com
Subject: phpCollegeExchange 0.1.5c Multiple SQL Injection Vulnerabilities
phpCollegeExchange 0.1.5c Multiple SQL Injection Vulnerabilities
Name: phpCollegeExchange
Vendor: http://phpcollegeex.sourceforge.net
Versions Affected: 0.1.5c
Author: Salvatore Fresta aka Drosophila
Website: http://www.salvatorefresta.net
Contact: salvatorefresta [at] gmail [dot] com
Date: 2009-12-11
X. INDEX
I. ABOUT THE APPLICATION
II. DESCRIPTION
III. ANALYSIS
IV. SAMPLE CODE
V. FIX
VI. DISCLOSURE TIMELINE
I. ABOUT THE APPLICATION
PhpCollegeExchange is a full-fledged college community website.
II. DESCRIPTION
This application is affected by many SQL Injection security flaws. In order to exploit them, the magic_quotes_gpc setting (php.ini) must be Off.
In this security advisory I reported only some of the vulnerable files.
I tested the 0.1.5c version only; however, other versions may also be vulnerable.
III. ANALYSIS
Summary:
A) Authentication Bypass
B) Multiple SQL Injection
A) Authentication Bypass
Using a SQL Injection in the login process, a guest can bypass the authentication.
In order to exploit it, the magic_quotes_gpc flag must be Off.
Vulnerable code (functions.php):
........
function checkpass($handle,$pass){
    require_once($home."mysqlinfo.php");
    include("i_aeskey.php");
    // $handle is interpolated into the SQL string without any escaping
    $query="SELECT AES_DECRYPT(password,'$AES_key') FROM users WHERE (handle='$handle')";
    $result = mysql_query($query);
    if(mysql_num_rows($result))
    {
        if($r = mysql_fetch_array($result))
        {$dbpass=$r[0];}
        // the value compared here is whatever the (possibly injected) query returned
        if($pass==$dbpass)
        {return 1;}
........
B) Multiple SQL Injection
searchend.php is affected by multiple SQL injection issues that allow a guest to view reserved information stored in the database.
The following is an example of vulnerable code found in searchend.php.
Vulnerable code (searchend.php):
........
$query = "SELECT * FROM Books";
// search type taken from POST, falling back to GET
if(isset($_POST['searchby'])){$searchby=$_POST['searchby'];}else{$searchby=$_GET['searchby'];}
switch($searchby){
........
    case "Title" :
        $title = $_POST['searchquery'];
        if(strlen($title)>2){
            //check length at least 3 chars
            // $title is concatenated into the LIKE clause unescaped
            $query .= " WHERE (title LIKE '%$title%') ORDER BY price";
            $result = mysql_query($query);
........
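The same Title search rebuilt with a parameterized query, as an added example (this is not phpCollegeExchange code; the connection credentials, the $mysqli handle and the assumption that mysqlnd is available for get_result() are mine). The user value is bound as data, so it can no longer change the shape of the statement, and the LIKE wildcards are escaped so that a typed "%" or "_" matches literally instead of widening the search:

```php
<?php
// Added example, not code from phpCollegeExchange.
// Connection details are assumptions.
$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'bookexchange'); // assumed credentials
$mysqli->set_charset('utf8mb4');

/**
 * Search books by title with a prepared statement.
 * The pattern is a bound parameter: whatever the user types is data, never SQL.
 * LIKE metacharacters are escaped (MySQL's default ESCAPE character is the backslash).
 */
function searchBooksByTitle(mysqli $db, string $title): array
{
    if (strlen($title) < 3) {          // same length check as the original code
        return [];
    }
    // single-pass replacement: backslash first, then the two LIKE wildcards
    $escaped = strtr($title, ['\\' => '\\\\', '%' => '\\%', '_' => '\\_']);
    $pattern = '%' . $escaped . '%';

    $stmt = $db->prepare('SELECT * FROM Books WHERE title LIKE ? ORDER BY price');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC); // get_result() needs mysqlnd (assumed)
    $stmt->close();
    return $rows;
}

// Request handling mirrors the original: POST first, then GET.
$searchby = $_POST['searchby'] ?? $_GET['searchby'] ?? '';
if ($searchby === 'Title') {
    // A quote or comment sequence in searchquery is now just part of the pattern
    // and simply matches no title.
    $results = searchBooksByTitle($mysqli, (string) ($_POST['searchquery'] ?? ''));
}
```

The ORDER BY column stays a literal in the statement text; only values are bound. If the sort column ever has to come from the request, it must be checked against a fixed allow-list rather than bound, since placeholders cannot stand in for identifiers.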
Another funny SQL injection may be seen in forgotpass.php. It can be manipulated to send the password of a registered user to an arbitrary email address, given knowledge of the AES key.
Vulnerable code:
........
if( isset($_POST["handle"]) ){
........
    // $handle again reaches the query unescaped; the injected query decides
    // which password and which email address end up in $r
    $query="SELECT AES_DECRYPT(password,'$AES_key'), email FROM users WHERE (handle='$handle')";
    $result = mysql_query($query);
    if(mysql_num_rows($result)){
        $r = mysql_fetch_array($result);
        $email = $r[1];
        $pass = $r[0];
........
    // the recovered password is mailed to whatever address the query returned
    mail("$email", "Your Book Exchange Password", $emailcontent);
........
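Hardened versions of the two handle lookups above, checkpass() from functions.php and the forgotpass.php query, as an added example (not phpCollegeExchange code; the connection credentials and the placeholder $AES_key, which the real application loads from i_aeskey.php, are assumptions). Both the handle and the key travel as bound parameters, so the login payload shown in section IV is looked up as a literal handle and matches nobody, and the address a reset mail goes to can only be the one stored for the handle actually supplied:

```php
<?php
// Added example, not code from phpCollegeExchange.
// Connection details and the key value are assumptions.
$mysqli = new mysqli('localhost', 'dbuser', 'dbpass', 'bookexchange'); // assumed credentials
$mysqli->set_charset('utf8mb4');
$AES_key = 'PLACEHOLDER-loaded-from-i_aeskey.php';                      // placeholder, not the real key

/**
 * Verify a login. Returns 1 on success and 0 otherwise, like the original.
 * No user input is concatenated into the SQL text.
 */
function checkpass(mysqli $db, string $aesKey, string $handle, string $pass): int
{
    $stmt = $db->prepare('SELECT AES_DECRYPT(password, ?) FROM users WHERE handle = ?');
    $stmt->bind_param('ss', $aesKey, $handle);
    $stmt->execute();
    $stmt->bind_result($dbpass);
    $found = $stmt->fetch();
    $stmt->close();

    if (!$found || $dbpass === null) {
        return 0;                       // unknown handle, or the stored value did not decrypt
    }
    // strict, constant-time comparison instead of the loose "==" of the original
    return hash_equals((string) $dbpass, $pass) ? 1 : 0;
}

/**
 * Look up the e-mail address registered for a handle (forgotpass.php).
 * The address comes only from the row of the literal handle given.
 */
function emailForHandle(mysqli $db, string $handle): ?string
{
    $stmt = $db->prepare('SELECT email FROM users WHERE handle = ?');
    $stmt->bind_param('s', $handle);
    $stmt->execute();
    $stmt->bind_result($email);
    $found = $stmt->fetch();
    $stmt->close();
    return $found ? $email : null;
}

// Usage mirroring the original request handling.
if (isset($_POST['handle'], $_POST['pass'])) {
    $ok = checkpass($mysqli, $AES_key, (string) $_POST['handle'], (string) $_POST['pass']);
}
if (isset($_POST['handle']) && ($to = emailForHandle($mysqli, (string) $_POST['handle'])) !== null) {
    // send a password-reset message to $to here; the original mailed the
    // decrypted password itself, which this example deliberately does not reproduce
}
```

The forgotpass lookup no longer selects the password at all: once the query is parameterized, the remaining risk in that file is that a reversible password reaches a mailbox, and a reset link avoids that without needing the AES key.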
IV. SAMPLE CODE
A) Authentication Bypass
Username: -1') UNION ALL SELECT 'foo'#
Password: foo
B) Multiple SQL Injection
A proof of concept can be found here:
http://poc.salvatorefresta.net/PoC-phpCollegeExchange.txt
V. FIX
No fix.
VI. DISCLOSURE TIMELINE
2009-12-11 Bug discovered
2009-12-11 Initial vendor contact
2009-12-11 Advisory Release