Milkeyway-0.1.1.txt

2006-03-20T00:00:00
ID PACKETSTORM:44759
Type packetstorm
Reporter Francesco Ongaro
Modified 2006-03-20T00:00:00

Description

Milkeyway Captive Portal Multiple Vulnerabilities
  
Name Multiple Vulnerabilities in Milkeyway Captive Portal  
Systems Affected WebCalendar (any version, verified on 0.1 and 0.1.1)  
Severity Medium Risk  
Vendor sourceforge.net/projects/milkeyway  
Advisory http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt  
Author Francesco "aScii" Ongaro (ascii at katamail . com)  
Date 20060316  
  
I. BACKGROUND  
  
Milkeyway is software for managing and administering Internet access
within public facilities and organisations, where the service provided
must be subject to close supervision.
  
II. DESCRIPTION  
  
Nearly all SQL queries are vulnerable to SQL injection.
There are also several XSS vulnerabilities.
  
III. ANALYSIS  
  
Since 28 distinct vulnerabilities were found, only an abstract is
included in this mail; please refer to the complete advisory,
available here:
  
http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt  
  
1) LOGIN PAGE authenticate() SQL INJECTION  
2) add_userIp() SQL INJECTION  
3) updateTimeStamp() SQL INJECTION  
4) authuser.php USER DELETE SQL INJECTION  
5) delete_user() SQL INJECTION  
6) authuser.php MODIFY USER modify_user() SQL INJECTION  
7) authuser.php MULTIPLE XSS  
8) authuser.php EDIT SQL INJECTION  
9) authuser.php RELEASE USER SQL INJECTION  
10) releaseUser() SQL INJECTION  
11) authuser.php ORDERING SQL INJECTION  
12) authgroup.php ADD GROUP SQL INJECTION  
13) add_team() SQL INJECTION  
14) authgroup.php DELETE GROUP SQL INJECTION  
15) delete_team() SQL INJECTION  
16) authgroup.php MODIFY TEAM SQL INJECTION  
17) modify_team() SQL INJECTION  
18) traffic.php MULTIPLE SQL INJECTION  
19) userstatistics.php ADD USER SQL INJECTION  
20) userstatistics.php DELETE USER SQL INJECTION  
21) userstatistics.php MODIFY USER SQL INJECTION  
22) userstatistics.php EDIT USER SQL INJECTION  
23) userstatistics.php MULTIPLE XSS  
24) userstatistics.php $_GET['username'] SQL INJECTION 1  
25) userstatistics.php $_GET['username'] SQL INJECTION 2  
26) chgpwd.php SQL INJECTION 1  
27) chgpwd.php SQL INJECTION 2  
28) logout.php SQL INJECTION  
  
IV. DETECTION  
  
Milkeyway 0.1 and 0.1.1 are vulnerable.  
  
V. WORKAROUND  
  
Input validation will fix these vulnerabilities.
Magic quotes ON will protect you against most of these injections,
except point 11 (authuser.php ORDERING SQL INJECTION), where the
input is not enclosed in single or double quotes, so magic quotes
are useless there.
  
11) SQL is injectable by $_GET['filter']  
  
---------------- in authuser.php -----------------  
$orderingFilter = $_GET['filter'];  
if ($orderingFilter == '') $orderBy ="order by uname ASC" ;  
else $orderBy ="order by ".$orderingFilter." ".$direction;  
$result = mysql_query("SELECT * FROM authuser ".$orderBy );  
--------------------------------------------------  
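As an added example (not Milkeyway's code; the `$db` mysqli connection, the column whitelist and the function names are assumptions), the PHP below shows why addslashes-style escaping, which is all magic_quotes_gpc does, cannot help in the point 11 case, and how the affected queries are hardened instead: the ORDER BY column is checked against a fixed whitelist, and values that sit inside quotes (the username lookups of points 22, 24 and the traffic.php/chgpwd.php queries) are bound through mysqli prepared statements rather than concatenated.

```php
<?php
// Added example, not Milkeyway's code. Assumes a mysqli connection in $db and
// the authuser table named in the advisory; the column list is an assumption.

// magic_quotes_gpc behaves like addslashes(): only quotes, backslashes and NUL
// bytes get a backslash. An ORDER BY operand is not inside quotes, so a value
// containing none of those characters reaches the query unchanged.
function magic_quotes_like(string $input): string
{
    return addslashes($input);
}

// Column names are identifiers, not data, so they cannot be bound as
// parameters. The only sound option is a fixed whitelist with a safe default.
const AUTHUSER_SORT_COLUMNS = ['id', 'uname', 'team', 'level', 'status'];

function safe_order_by(?string $filter, ?string $direction): string
{
    $column = in_array($filter, AUTHUSER_SORT_COLUMNS, true) ? $filter : 'uname';
    $dir    = strtoupper((string) $direction) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY `$column` $dir";
}

// Replacement for the concatenated SELECT in authuser.php (point 11): only a
// whitelisted identifier ever becomes part of the query text.
function list_users(mysqli $db, ?string $filter, ?string $direction): array
{
    $sql = 'SELECT id, uname FROM authuser ' . safe_order_by($filter, $direction);
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// Replacement for the quoted-context lookups (points 22 and 24): the username
// is bound as a parameter, so escaping its content is never the script's job.
function find_user_by_name(mysqli $db, string $username): ?array
{
    $stmt = $db->prepare('SELECT id, uname FROM authuser WHERE uname = ?');
    $stmt->bind_param('s', $username);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

// Constructed sample input for the point 11 case: it contains no quote
// characters, so the magic-quotes style escaping hands it back untouched,
// while the whitelist never lets it into the query at all.
$filter = 'not_a_column';
var_dump(magic_quotes_like($filter) === $filter);
echo safe_order_by($filter, 'anything'), "\n";
echo safe_order_by('id', 'desc'), "\n";
```

The comparison at the end prints true for the escaping check, then falls back to the default `ORDER BY \`uname\` ASC` for the unknown column and yields `ORDER BY \`id\` DESC` for the whitelisted one. The same whitelist idea applies to any other identifier taken from the request (table names, sort direction); prepared statements cover everything that is a value.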
  
VI. VENDOR RESPONSE  
  
Vendor has been contacted.  
  
VII. CVE INFORMATION  
  
No CVE at this time.  
  
VIII. DISCLOSURE TIMELINE  
  
20060301 Bug discovered  
20060316 Vendor contacted  
20060316 Advisory released  
  
IX. CREDIT  
  
ascii is credited with the discovery of this vulnerability.  
  
X. LEGAL NOTICES  
  
Copyright (c) 2005 Francesco "aScii" Ongaro  
  
Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without my express
written consent. If you wish to reprint the whole or any part of this
alert in any medium other than electronic, please email me for
permission.
  
Disclaimer: The information in the advisory is believed to be accurate  
at the time of publishing based on currently available information. Use  
of the information constitutes acceptance for use in an AS IS condition.  
There are no warranties with regard to this information. Neither the  
author nor the publisher accepts any liability for any direct, indirect,  
or consequential loss or damage arising from use of, or reliance on,  
this information.  
  
  
  
  
first sql injection ($_GET['date'])  
  
----------------- in traffic.php -----------------  
  
$act = $_GET['act'];  
$idToProcess = $_GET['id'];  
if ($act=='trafficDetails') {  
$date = $_GET['date'];   
[..CUT..]  
$trafficQuery = "SELECT * FROM userData u where loginStartDate='".$date."' order by loginStartDate,loginStartTime ";  
$result = mysql_query($trafficQuery);  
  
--------------------------------------------------  
  
second sql injection ($_GET['date'])  
  
----------------- in traffic.php -----------------  
  
$trafficByUser = "SELECT * FROM traffic where time <= '".$upper."' and time >= '".$lower."' and date='''.$date.'''";  
$result = mysql_query($trafficByUser);  
  
--------------------------------------------------  
  
third sql injection ($_GET['id'])  
  
----------------- in traffic.php -----------------  
  
else if ($act=='groupDate'){  
[..CUT..]  
$trafficQuery = 'SELECT *,count(loginStartDate) FROM userData u where userId='.$idToProcess.' group by loginStartDate order by loginStartDate,loginStartTime';  
$result = mysql_query($trafficQuery);  
  
--------------------------------------------------  
  
/milkeyway/admin/traffic.php?id=1&act=groupDate  
^  
  
19) userstatistics.php ADD USER SQL INJECTION  
  
-------------- in userstatistics.php -------------  
  
if (isset($_POST['action'])) {  
$username = $_POST['username'];  
$password = $_POST['password'];  
$team = $_POST['team'];  
$level = $_POST['level'];  
$status = $_POST['status'];  
$action = $_POST['action'];  
$ipAddress = $_POST['ipAddress'];   
$ipAddress = $_POST['macAddress'];   
} elseif (isset($_GET['act'])) {  
$act = $_GET['act'];  
  
[..CUT..]  
  
if ($action == "Add") {  
$situation = $user->add_user($username, $password, $team, $level, $status); // VULNERABLE, SEE POINT 2  
  
--------------------------------------------------  
  
20) userstatistics.php DELETE USER SQL INJECTION  
  
-------------- in userstatistics.php -------------  
  
if ($action=="Delete") {  
$delete = $user->delete_user($username); // VULNERABLE, SEE POINT 5  
  
--------------------------------------------------  
  
21) userstatistics.php MODIFY USER SQL INJECTION  
  
-------------- in userstatistics.php -------------  
  
if ($action == "Modify") {  
$update = $user->modify_user($username, $password, $team, $level, $status); // VULNERABLE, SEE POINT 6  
  
--------------------------------------------------  
  
22) userstatistics.php EDIT USER SQL INJECTION  
  
-------------- in userstatistics.php -------------  
  
if ($act == "Edit") {  
$username = $_GET['username'];  
$listusers = mysql_query("SELECT * FROM authuser u LEFT OUTER JOIN userData d on u.id=d.userid where u.uname='$username'");  
  
--------------------------------------------------  
  
23) userstatistics.php MULTIPLE XSS  
  
For example, the variable $username is read once more from GET and then echoed without encoding:
  
-------------- in userstatistics.php -------------  
  
if ($act == "statistics") {  
$username = $_GET['username'];  
  
[..CUT..]  
  
<? echo $username ?>  
  
--------------------------------------------------  
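As an added example that is not part of the original advisory, the snippet below shows why magic quotes give no protection against the XSS above and how the echo should be written. The helper name `e()` and the sample username are constructed for illustration.

```php
<?php
// Added example, not Milkeyway's code. e() and the sample value are assumptions.

// Encode for HTML text and attribute contexts. ENT_QUOTES covers both quote
// characters; ENT_SUBSTITUTE keeps invalid UTF-8 from blanking the output.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed sample username, not an input from the advisory. It carries
// markup and a double quote so the two treatments can be compared.
$username = '<i>alice</i> "quoted"';

// What magic_quotes_gpc would hand the script: addslashes() only prefixes
// quotes and backslashes. The tags survive intact, so the page remains
// injectable, and the stray backslash even ends up in the HTML.
echo addslashes($username), "\n";

// What reaches the browser after encoding: every tag and quote is inert text.
echo e($username), "\n";

// The template line from point 23, encoding at the point of output. Encode on
// output rather than on input so the stored value stays intact.
?>
<span title="<?= e($username) ?>"><?= e($username) ?></span>
```

The first echo still contains `<i>` and `</i>`, only the double quotes gained a backslash; the second contains no `<`, `>` or `"` at all. The template line uses the same helper for both the attribute and the element body, which is what makes the value safe in either position.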
  
24) userstatistics.php $_GET['username'] SQL INJECTION 1  
  
-------------- in userstatistics.php -------------  
  
if ($act == "statistics") {  
$username = $_GET['username'];  
  
[..CUT..]  
  
$result = mysql_query("SELECT id FROM authuser where uname = '$username'");  
  
--------------------------------------------------  
  
25) userstatistics.php $_GET['username'] SQL INJECTION 2  
  
-------------- in userstatistics.php -------------  
  
  
  
26) chgpwd.php MULTIPLE SQL INJECTION 1  
  
-------------------- chgpwd.php ------------------  
  
if (isset($_POST['submit'])){  
$USERNAME = $_COOKIE['USERNAME'];  
$PASSWORD = $_COOKIE['PASSWORD'];  
$submit = $_POST['submit'];  
$oldpasswd = $_POST['oldpasswd'];  
$newpasswd = $_POST['newpasswd'];  
$confirmpasswd = $_POST['confirmpasswd'];  
[..CUT..]  
$userdata = mysql_query("SELECT * FROM authuser WHERE uname='$USERNAME' and passwd='$PASSWORD'");  
  
--------------------------------------------------  
  
27) chgpwd.php MULTIPLE SQL INJECTION 2  
  
-------------------- chgpwd.php ------------------  
  
// If everything is ok, use auth class to modify the record  
$update = $user->modify_user($USERNAME, $newpasswd, $check["team"], $check["level"], $check["status"]); // VULNERABLE, SEE CHAPTER 6  
  
--------------------------------------------------  
  
28) logout.php SQL INJECTION  
  
-------------------- logout.php ------------------  
  
$username=$_GET['username'];  
[..CUT..]  
$utils->updateTimeStamp($username,"loginEndDate","CURRENT_DATE()");  
$utils->updateTimeStamp($username,"loginEndTime","CURRENT_TIME()");  
  
--------------------------------------------------  
  
29) CONCLUSION  
  
no conclusion. fuck em.  
every function is bogus.  
  
i hope you have magic_quotes on  
  
Francesco 'ascii' Ongaro  
  
  
  