Hardened-PHP Project Security Advisory 2005-21.80

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Hardened PHP Project  
www.hardened-php.net  
  
-= Security Advisory =-  
  
  
Advisory: Multiple vulnerabilities in PHPKIT  
Release Date: 2005/11/07  
Last Modified: 2005/11/04  
Author: Christopher Kunz <[email protected]>  
Application: PHPKIT 1.6.1 R2 and prior  
Severity: Cross-Site Scripting, SQL injection and information  
disclosure, password hash disclosure, local file  
disclosure, arbitrary code execution  
Risk: High / Critical (depending on server configuration)  
Vendor Status: No fix available  
References: http://www.hardened-php.net/advisory_212005.80.html  
  
  
Overview:  
  
PHPKIT [1] is a combined content management, homepage building and community  
software written in PHP. Although it is available as open source, it has  
to be licensed for any other than private use. PHPKIT has the usual feat-  
ures for that kind of product (content editing, forums, user management,  
etc.). Typically for content management and portal systems, there are  
multiple vulnerabilities in several places in the front- and backend.  
The install base for PHPKIT can only be estimated - Google shows about  
25,000 results for the query "powered by phpkit" [2].  
Since we did not perform a full audit, there is no guarantee that the de-  
scribed vulnerabilities are the only ones in the product.  
  
  
Details:  
  
1) XSS  
Although the PHPKIT team seems to have made an effort to mitigate attacks  
with cross-site scripting, this was only partially successful. We found  
a number of critical XSS holes that can be exploited by any third party  
to steal admin cookies, change HTML code, launch CSRF attacks and so on.  
  
1.1) login/profile.php and login/userinfo.php  
Two fields in the profile settings - those for AIM and Yahoo! screen  
names - are inserted into the database without any input validation.  
Thus, an XSS attack can be performed that is launched on any user who  
looks at the offending profile.  
The same attack can be launched on an administrator viewing a profile  
via the administrator back-end.  
  
1.2) admin/admin.php (with register_globals On)  
Since the variable $site_body is not properly initialized, an attacker  
can launch an XSS attack against the administrator login screen. This  
attack can utilize DOM to steal the administrator's credentials in  
cleartext as long as they have some kind of "password safe" function  
in their browser. Since script code can be executed on load, all that  
an attacker has to do is get the administrator to click on a manipula-  
ted link.  
  
1.3) Referrer statistics  
By launching a HTTP request with the Referer set to some script code,  
e.g. <script>alert('foo')</script>, an attacker prompts this code to  
be included in the administrative backend, and executed as soon as  
an administrator views the referrer statistics. This comes in handy  
since it is a quasi-anonymous way of obtaining the administrator's  
session cookies.  
  
1.4) Forum  
Although input filtering takes place in the subject and content of  
a forum postings, no such filtering is performed when constructing  
the HTML <title> tag and the logo's <img alt> attribute - both con-  
tain the thread subject in unfiltered HTML, and script code is execu-  
ted twice per page.  
  
1.5) imcenter.php  
PHPKIT's own instant messaging system does not perform input validation  
on the subject line, so any user can IM the admin and contain script  
code in the subject.  
  
1.6) Guestbook  
The "Homepage" input field in the guest book is not properly sanitized  
and any guest (no logged-in users, because their home page is not dis-  
played by default) can enter script code. As usual, this is displayed  
as soon as the guestbook is viewed.  
  
2) SQL Injection  
Same as above: Although many places inside the PHPKIT software are not  
prone to SQL injection, some are. This leads to information disclosure  
and possibly deletion of arbitrary data in the database.  
  
2.1) SQL injection in profile pages (with magic_quotes_gpc Off)  
Using a simple injection, any user of the PHPKIT-powered web site can  
disclose the administrator's password hash. This is done via the $id  
parameter in login/userinfo.php which is not properly sanitized. With  
a crafted UNION statement, the attacker can obtain arbitrary data, in-  
cluding but not limited to any user's password hash. A simple cast into  
an int would have prevented this problem.  
Example: include.php?path=login/userinfo.php&id='%20UNION%20SELECT%201,  
1,user_pw,1,1,1,1,1,1,1,1,1,1,1,1,user_pw,1,1,1,1,1,1,1,1,1,1,1,1,1,1,  
1,1,1,1,1,1%20FROM%20phpkit_user%20where%20%20user_id=1%20and%20'1'='1  
  
2.2) PHPKITSID  
Since sessions are contained within the database, an attacker can craft  
a session ID to contain SQL commands (which have to be exactly 32 Bytes  
in length, though. The vulnerable code is directly in include.php:  
if(isset($_REQUEST['PHPKITSID']))  
$session=$DB->fetch_array($DB->query("SELECT session_id,  
session_userid FROM ".$db_tab['session']." WHERE  
session_id='".$_REQUEST['PHPKITSID']."' LIMIT 1"));  
This SELECT yields one result which is then fed to another SQL query:  
$DB->query("DELETE FROM ".$db_tab['session']." WHERE session_id='"  
.$session['session_id']."' LIMIT 1");  
Using a carefully-crafted SQL statement, arbitrary data rows can be  
deleted from the database.  
  
3) Arbitrary local file inclusion and local code execution  
Using the vulnerable path parameter that is used in nearly every subsys-  
tem of PHPKIT, an attacker can include arbitrary files on the local file  
system. This includes uploaded avatars (preferrably in PNG format) that  
can also include PHP code. Uploading avatars is not enabled in the  
default configuration, so this attack vector is unlikely to be open in  
every PHPKIT installation in the wild.  
Example: echo "<?php phpinfo() ?>" >> avatar.png  
/phpkit/?path=../images/avatar/avauser_1.png%00  
  
4) Remote code execution (with register_globals On)  
Yeah, we saved the best for last. Since PHPKIT relies heavily on eval()  
for its homegrown template engine, an attacker only needs a way to inject  
a variable in curly braces including PHP code. With register_globals set  
to On (which is still the case in a lot of installations, for compati-  
bility purposes), this can be accomplished via the help function that  
makes use of not properly initialized variables. Thus, any PHP code can  
be executed.  
There is a number of other places, including the admin backend, that are  
vulnerable to this kind of code injection. These vulnerabilities are  
either exploitable via complex syntax (a.k.a. curly braces) or, if magic_  
quotes_gpc is turned Off, with any code that includes "".  
The whole template system urgently needs to be rewritten from scratch,  
without relying on unsafe variables and with careful consideration for  
register_globals.  
  
  
Proof of Concept:  
  
Apart from the examples mentioned above, the Hardened PHP Project is not  
going to release any PoC for these vulnerabilities to the public.  
  
  
Disclosure Timeline:  
  
30. September 2005 - Vendor informed.  
05. October 2005 - Vendor contacted via phone. Advisory re-sent (allegedly  
lost in transit).  
16. October 2005 - Vendor informed of intended disclosure timeline.  
07. November 2005 - public disclosure at the 2005 International PHP Confer-  
ence.  
  
  
Credits:  
  
Credit for the vulnerabilities listed in 4) goes to Stefan Esser of the  
Hardened-PHP team.  
Credit for the vulnerability described in 2.2) goes to Stefan Walk.  
Credit for the vulnerability named 1.2) goes to Johann-Peter Hartmann.  
All other vulnerabilities were investigated by the author.  
  
  
Recommendation:  
  
With the aforementioned lack in vendor reaction, we currently recommend  
avoiding usage of PHPKIT altogether.  
If you already use the product, we recommend installing the Hardening-Patch  
for PHP which can be obtained on our website, and deactivating the  
"register_globals" setting in php.ini, virtual host configuration or  
.htaccess.  
  
  
References:  
  
[1] http://www.phpkit.de/  
[2] http://www.google.com/search?q=%22powered+by+PHPKIT%22  
  
  
Plug:  
  
You can discuss this and other vulnerabilities in our forum at  
http://forum.hardened-php.net/ - an up-to-date list of advisories can be  
found at http://www.hardened-php.net/.  
  
  
GPG-Key:  
  
http://www.hardened-php.net/hardened-php-signature-key.asc  
  
pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key  
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1  
  
  
Copyright 2005 Christopher Kunz / Hardened PHP Project. All rights reserved.  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.2.5 (GNU/Linux)  
  
iD8DBQFDcF6uRDkUzAqGSqERAnSjAKDvXQZwnYJdEVtJGtxiFabEnWbqHACgld2G  
0BoxQLmlh357rm2Lasz0gXY=  
=r2Db  
-----END PGP SIGNATURE-----  
`