packetstorm | Janek Vind aka waraxe | PACKETSTORM:35720
Jan 15, 2005 - 12:00 a.m.

waraxe-2005-SA039.txt

  
{================================================================================}
{ [waraxe-2005-SA#039]                                                           }
{================================================================================}
{                                                                                }
{ [ Critical Sql Injection in Sgallery module for PhpNuke ]                      }
{                                                                                }
{================================================================================}
  
  
  
Author: Janek Vind "waraxe"  
Date: 12. January 2005  
Location: Estonia, Tartu  
Web: http://www.waraxe.us/advisory-39.html  
  
  
Affected software description:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Module's Name: SGallery  
Module's Version: 1.01  
Module's Description: Simple JPG image gallery  
License: GNU/GPL  
Author's Name: Sergey Kiselev  
Author's Email: [email protected]  
  
Homepage: http://www.ser.acmetelecom.ru  
  
  
Vulnerabilities:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Let's look at source code from imageview.php:  
  
  
----------------[ original code ]---------------  
  
<?php
// imageview.php as shipped with SGallery 1.01; reflowed for readability,
// behaviour unchanged.

// Includes are located through $DOCUMENT_ROOT (see B below).
require_once("$DOCUMENT_ROOT/config.php");
require_once("$DOCUMENT_ROOT/includes/sql_layer.php");

$dbi = sql_connect($dbhost, $dbuname, $dbpass, $dbname);

// $idalbum and $idimage come straight from the request and are concatenated
// into the query without quoting or validation (see C). There is no else
// branch, so $result may never be assigned (see A).
if ($idalbum) {
    $result = sql_query("select picture from ".$prefix."_SGalbums where idalbum=".$idalbum, $dbi);
} elseif ($idimage) {
    $result = sql_query("select picture from ".$prefix."_SGimages where idimage=".$idimage, $dbi);
}

list($echo) = sql_fetch_row($result, $dbi);
sql_free_result($result);

sql_logout($dbi);

header("Content-Type: image/jpeg");
echo $echo;
  
----------------[ /original code ]---------------  
  
Now let's analyze the weak points.  
  
  
A - Full Path Disclosure  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
If "$idalbum" and "$idimage" are both unset, then because of the open
"if/elseif" construction (there is no "else" branch) the variable "$result"
is left unset, or it can be poisoned through GET/POST/COOKIE. The next call,
"sql_fetch_row()", then triggers generic PHP error messages that reveal the
script's full filesystem path. Path disclosure is considered a low-level
security threat, but it is still useful for further malicious actions.
  
  
B - Potential arbitrary file inclusion:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
A code construction such as

require_once("$DOCUMENT_ROOT/config.php");
require_once("$DOCUMENT_ROOT/includes/sql_layer.php");

is not very secure. Depending on the webserver software vendor, version
number and configuration settings, it can lead to arbitrary file inclusion
and possibly remote file inclusion.
  
  
C - Critical sql injection bug in "imageview.php":  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Looking at the source code presented above, we can see insecure SQL queries
directed to the database. To be exact, the user-submitted variables
"$idalbum" and/or "$idimage" are used in the SQL "SELECT" clause without
being enclosed in single quotes or otherwise validated. This is clearly an
SQL injection bug. Further exploitation will depend on the database software
and version. In the case of MySQL 4.x with UNION functionality enabled,
arbitrary data can be retrieved from the database, including the admin(s)
authentication credentials. Traditionally, here is the proof of concept:
  
  
----------------[ real life exploit ]---------------  
  
http://localhost/nuke75/modules/Sgallery/imageview.php?idimage=-99/**/UNION/**/SELECT/**/pwd/**/FROM/**/nuke_authors/**/WHERE/**/radminsuper=1
  
----------------[/real life exploit ]---------------  
  
The best browser to test this PoC is MSIE, which will display the admin
password's MD5 hash as plaintext. Firefox and other browsers will mostly
render a "broken picture" because of the "Content-Type: image/jpeg" header.
Either way, the SQL injection exists, can be exploited and must be fixed by
the vendor as soon as possible.
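A hardened imageview.php that closes all three points above (A: no undefined "$result" and no PHP warning, B: no "$DOCUMENT_ROOT" in the include paths, C: ids forced to integers before they reach the query). This is an added example, not the vendor's code or the fix from the waraxe forums; it assumes the same PHP-Nuke sql_layer helpers and config.php globals the original uses, and that the file stays at modules/Sgallery/imageview.php.

```php
<?php
// Hardened rewrite of imageview.php: an added example, not the vendor's code.
// Assumes the PHP-Nuke sql_layer helpers (sql_connect, sql_query,
// sql_fetch_row, sql_free_result, sql_logout) and the config.php globals
// ($prefix, $dbhost, $dbuname, $dbpass, $dbname) that the original relies on.

// B: locate the includes relative to this file instead of trusting
//    $DOCUMENT_ROOT, a global that register_globals lets a client
//    overwrite through GET/POST/COOKIE.
$root = dirname(dirname(dirname(__FILE__)));   // modules/Sgallery -> nuke root
require_once $root . '/config.php';
require_once $root . '/includes/sql_layer.php';

// C: read the ids explicitly from the query string and cast to integer;
//    "-99/**/UNION/**/SELECT..." becomes -99 and is rejected below, so only
//    a positive number can ever appear in the SQL text.
$idalbum = isset($_GET['idalbum']) ? (int) $_GET['idalbum'] : 0;
$idimage = isset($_GET['idimage']) ? (int) $_GET['idimage'] : 0;

if ($idalbum > 0) {
    $sql = 'SELECT picture FROM ' . $prefix . '_SGalbums WHERE idalbum=' . $idalbum;
} elseif ($idimage > 0) {
    $sql = 'SELECT picture FROM ' . $prefix . '_SGimages WHERE idimage=' . $idimage;
} else {
    // A: no usable id -> answer 404 ourselves instead of letting
    //    sql_fetch_row() fail on an undefined $result and print a path.
    header('HTTP/1.0 404 Not Found');
    exit;
}

$dbi    = sql_connect($dbhost, $dbuname, $dbpass, $dbname);
$result = sql_query($sql, $dbi);
$row    = $result ? sql_fetch_row($result, $dbi) : false;
if ($result) {
    sql_free_result($result);
}
sql_logout($dbi);

if (!$row) {
    header('HTTP/1.0 404 Not Found');   // unknown id: still no PHP warning
    exit;
}

// Declare the body as an image and tell the browser not to sniff it as
// text, which is what let MSIE show the injected hash in the PoC above.
header('Content-Type: image/jpeg');
header('X-Content-Type-Options: nosniff');
echo $row[0];
```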
  
  
How to fix:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Developer first contacted: 16. November 2004  
No response from the developer after multiple emails.
The downloadable version of Sgallery is still unpatched.
  
How to fix this security hole -  
http://www.waraxe.us/forums.html  
  
  
Additional resources:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Base64 encoder and decoder -  
http://base64-encoder-online.waraxe.us/  
SiteMapper - free php script for phpNuke powered  
websites - http://sitemapper.waraxe.us/  
It's an easy-to-install solution for making phpNuke more Google friendly!
  
  
Greetings:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
Greets to icenix, Raido Kerna, g0df4th3r and  
slimjim100!  
Greetings - Heintz!
  
Contact:  
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
  
[email protected]  
Janek Vind "waraxe"  
  
Homepage: http://www.waraxe.us/  
  
---------------------------------- [ EOF ] ------------------------------------
  
  