phpMyRecipes 1.x.x XSS / CSRF / SQL Injection

20 Dec 2013 | Reported by Rafay Baloch | Type: packetstorm | Source: packetstormsecurity.com

phpMyRecipes 1.x.x SQL Injection, XSS, CSRF Vulnerabilities

#Product: phpMyRecipes version 1.x.x
#Vulnerability: Multiple SQL Injection, XSS and CSRF Vulnerabilities
#Impact: High
#Authors: Rafay Baloch And Sikandar Ali
#Company: RHAinfoSEC
#Website: http://rhainfosec.com
  
Introduction  
============  
  
"PhpMyRecipes is a simple application for storing and retrieving recipes.
It uses a web-based interface, for ease of use across any system, and a
MySQL database backend for storing the recipes."
  
Description  
===========  
  
We performed both white-box and black-box testing of phpMyRecipes and managed
to find a large number of high-risk vulnerabilities.

The application is poorly coded from a security perspective: it offers no
filtering mechanism at all for separating normal input from malicious input.
  
Vulnerabilities  
===============  
  
Several high-risk vulnerabilities, including SQL injection and XSS, were
discovered. We have provided the vulnerable code for some of them. Full
details have been sent to the vendor so that they may apply patches
accordingly.
  
  
Multiple Cross Site Scripting Vulnerabilities  
=============================================  
  
Multiple XSS vulnerabilities were found: user input was not sanitised before
it was returned to the user. It is advised to filter all special characters
before displaying the input back to the user.
  
Details and PoCs
================
  
1) http://target.com?r_id=[XSS]  
  
2) http://target.com/ingredients/ingredients.php?from=[XSS]  
  
3) http://target.com/login.php  
  
REQUEST  
=======  
  
POST /login.php HTTP/1.1  
Content-Length: 89  
Content-Type: application/x-www-form-urlencoded  
Referer: http://target.com  
Host: target.com  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,  
like Gecko) Chrome/28.0.1500.63 Safari/537.36  
Accept: */*  
  
password=Uname&username=[XSS]  
  
  
4) http://recipes.delattre.ca/domenusearch.php  
  
REQUEST  
=======  
  
POST /domenusearch.php HTTP/1.1  
Content-Length: 194  
Content-Type: application/x-www-form-urlencoded  
Referer: http://target.com  
Host: Target.com  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,  
like Gecko) Chrome/28.0.1500.63 Safari/537.36  
Accept: */*  
  
r_acategory[]=5[XSS]&r_arecipes[]=0&r_days=17&r_dcategory[]=5&r_drecipes[]=0&r_mcategory[]=5&r_mrecipes[]=0&r_servings=1&r_step=2
  
All Post Parameters were found vulnerable to XSS.  
  
5) http://target.com/register.php
  
  
REQUEST  
=======  
  
POST /register.php HTTP/1.1  
Content-Length: 158  
Content-Type: application/x-www-form-urlencoded  
Referer: http://target.com  
Host: target.com  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,  
like Gecko) Chrome/28.0.1500.63 Safari/537.36  
Accept: */*  
  
[email protected][XSS]&name=XSS&password1=XSS&password2=XSS&username=XSS  
  
  
#Note: All parameters were found vulnerable to Cross Site Scripting.  
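The fix the XSS section calls for is contextual output encoding at the point where a value is written into the page. The following PHP is an added example written for this advisory, not code from phpMyRecipes or from the authors; the function names (e, int_param, the render_* helpers) and the login-error page are assumptions for illustration. The second helper shows the other half of the remedy for parameters such as r_id and from: values that are supposed to be integers are validated as integers and rejected otherwise, so they are never reflected at all.

```php
<?php
// Added example (not phpMyRecipes code): output encoding for values reflected
// into HTML, such as the username echoed by login.php or the "from" parameter
// echoed by ingredients.php. Names below are illustrative assumptions.

declare(strict_types=1);

/** Encoder for HTML body text and quoted attribute values. ENT_QUOTES escapes
 *  both ' and ", ENT_SUBSTITUTE keeps invalid UTF-8 from silently truncating
 *  the output, and the charset is pinned so the encoder and the page agree. */
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Validate a parameter that must be a non-negative integer (r_id, from).
 *  Returns null for anything else so the caller rejects the request instead
 *  of reflecting or querying with the raw string. */
function int_param(array $src, string $name): ?int
{
    if (!isset($src[$name]) || is_array($src[$name])) {
        return null;
    }
    $v = filter_var($src[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $v === false ? null : $v;
}

// The pattern the advisory describes: raw input concatenated into markup.
function render_login_error_vulnerable(string $username): string
{
    return '<p>Login failed for user ' . $username . '</p>';
}

// Hardened form: every reflected value goes through e(), in each context.
function render_login_error(string $username): string
{
    return '<p>Login failed for user ' . e($username) . '</p>'
         . '<form method="post" action="login.php">'
         . '<input type="text" name="username" value="' . e($username) . '">'
         . '</form>';
}

// Demonstration on a constructed input (not a payload from the advisory).
$sample = '"><b>injected</b>';
echo render_login_error_vulnerable($sample), PHP_EOL;   // markup is interpreted by the browser
echo render_login_error($sample), PHP_EOL;              // shown as literal text

var_dump(int_param(['from' => '20'], 'from'));          // int(20)
var_dump(int_param(['from' => '20 OR 1=1'], 'from'));   // NULL: reject the request
```

Encoding is applied when writing output, not when reading input, because the same value may be stored and later emitted into a different context; the validation helper is the right place to reject values that have no legitimate non-numeric form.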
  
  
  
Multiple SQL Injection Vulnerabilities  
======================================  
  
Multiple SQL injection vulnerabilities were identified: user input is
inserted directly into SQL queries without any proper sanitisation or
filtering.
  
  
1) http://target.com/dosearch.php  
  
POST DATA
=========

categories[]=1[Inject_HERE]&ingids[]=20&ing_modifier=2&name_exact=riuciyda&words_all=1&words_any=1&words_exact=1&words_without=1
  
  
2) http://target.com/ingredients/ingredients.php?from=[INJECT_HERE]  
  
  
Vulnerable Code  
===============  
  
if (! empty($_POST['from'])) {
    $db_start = $_POST['from'];
} elseif (! empty($_GET['from'])) {
    $db_start = $_GET['from'];
} else {
    $db_start = 0;
}

<TABLE BORDER=3 WIDTH=100%>
<TR>
<TH WIDTH=85%>Ingredient</TH>
<TH COLSPAN=2>Actions</TH>
</TR>
<?php

if ($result = mysql_query("SELECT id,name from ingredients ORDER BY name LIMIT $db_start, " . INGREDIENTS_PER_PAGE)) {
    while ($row = mysql_fetch_array($result)) {
?>
  
  
3) http://target.com/recipes/textrecipe.php?r_id=[INJECT_HERE]
  
Vulnerable Code  
===============  
  
Line 37 - 42  
  
  
# Get the recipe ID to view
$r_id = $_GET['r_id'];

if (! ($result = mysql_query("SELECT name FROM recipes WHERE id=$r_id"))) {
    dberror("textrecipe.php", "Cannot select recipe");
}
  
  
4) http://target.com/
  
REQUEST  
=======  
  
POST /domenutext.php HTTP/1.1  
Content-Length: 221  
Content-Type: application/x-www-form-urlencoded  
X-Requested-With: XMLHttpRequest  
Referer: http://target.com  
Host: target.com  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,  
like Gecko) Chrome/28.0.1500.63 Safari/537.36  
Accept: */*  
  
0=1&1=1&2=1&3=1&4=1&5=1&6=1&7=1&8=1&r_acategory[]=17&r_arecipes[]=[INJECT_HERE]&r_days=17&r_dcategory[]=5&r_drecipes[]=0&r_mcategory[]=5&r_mrecipes[]=0&r_servings=1&r_step=3
  
  
5) http://target.com/dosearch.php
  
REQUEST  
=======  
  
POST /dosearch.php HTTP/1.1  
Content-Length: 127  
Content-Type: application/x-www-form-urlencoded  
Referer: http://target.com  
Host: target.com  
Connection: Keep-alive  
Accept-Encoding: gzip,deflate  
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,  
like Gecko) Chrome/28.0.1500.63 Safari/537.36  
Accept: */*  
  
categories[]=[INJECT_HERE]&ingids[]=20&ing_modifier=2&name_exact=aaaaaaa&words_all=1&words_any=1&words_exact=1&words_without=1
  
  
Multiple CSRF Vulnerabilities  
=============================  
  
All forms were missing CSRF tokens, including some of the important ones,
which would have allowed an attacker to force the victim's browser into
submitting a request that could then be used to manipulate important details
such as the email address or username. In our analysis, we found no CSRF
tokens to distinguish a legitimate request sent by the user from one an
attacker forced the victim's browser to send.
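A synchronizer token is the standard fix for the missing-token finding above: the server issues an unguessable per-session value, embeds it in every state-changing form, and refuses POSTs that do not carry it back. The PHP below is an added example written for this advisory, not phpMyRecipes code; the session key, the form field name, and the register.php usage sketch are assumptions.

```php
<?php
// Added example (not phpMyRecipes code): synchronizer-token CSRF protection
// for forms such as register.php and login.php. Key/field names are assumptions.

declare(strict_types=1);

const CSRF_SESSION_KEY = 'csrf_token';
const CSRF_FIELD       = 'csrf_token';

// Defence in depth: a SameSite session cookie is not sent on cross-site form
// posts at all (PHP 7.3+). Must be set before session_start().
ini_set('session.cookie_samesite', 'Lax');
ini_set('session.cookie_httponly', '1');

/** Return the per-session token, creating it from a CSPRNG on first use. */
function csrf_token(): string
{
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    if (empty($_SESSION[CSRF_SESSION_KEY])) {
        $_SESSION[CSRF_SESSION_KEY] = bin2hex(random_bytes(32));
    }
    return $_SESSION[CSRF_SESSION_KEY];
}

/** Hidden input to include in every form that changes state. */
function csrf_field(): string
{
    return '<input type="hidden" name="' . CSRF_FIELD . '" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

/** Check the submitted token against the session copy. hash_equals() is a
 *  constant-time comparison, so the check does not leak through timing. */
function csrf_valid(array $post): bool
{
    if (session_status() !== PHP_SESSION_ACTIVE || empty($_SESSION[CSRF_SESSION_KEY])) {
        return false;
    }
    $sent = $post[CSRF_FIELD] ?? '';
    return is_string($sent) && hash_equals($_SESSION[CSRF_SESSION_KEY], $sent);
}

/** Guard to call at the top of a handler, before any database write. */
function require_csrf(): void
{
    if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_valid($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
}

// Usage sketch for register.php (assumed layout):
// csrf_token();                 // starts the session and ensures a token exists
// require_csrf();               // rejects forged POSTs before $_POST is processed
// echo '<form method="post" action="register.php">' . csrf_field() . '...</form>';
```

The token is tied to the session rather than to a single form so that multiple tabs keep working; if per-request tokens are preferred, the same check applies with the stored value rotated after each successful validation. The SameSite setting is a second layer, not a replacement: older browsers ignore it, and the token check is what actually authenticates the request as originating from the application's own page.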
