-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Advisory: Chipmailer <= 1.09 Multiple Vulnerabilities
Release Date: 2006/06/13
Last Modified: 2006/06/13
Author: Tamriel [tamriel at gmx dot net]
Application: Chipmailer <= 1.09
Risk: Medium
Vendor Status: no patch available
Vendor Site: chipmailer.de
Overview:
Quote from http://chipmailer.de
"Chipmailer is a paid-mail script of the newest generation that offers
attractive advantages. This script has a great many functions for users,
sponsors and administrators."
Details:
1) Cross Site Scripting Vulnerabilities in main.php
(around lines 300-310)
...
$sitename = data("sitename");
$name = $_POST['name'];
$betreff = $_POST['betreff'];
$betreff = "Anfrage bei ".$sitename." über ".$betreff."";
$mail = $_POST['mail'];
$adminmail = data("adminmail");
$text = $_POST['text'];
mail($adminmail, $betreff, $text, "From: $name <$mail>");
...
None of these inputs is validated, so an attacker can send arbitrary
content to the site administrator.
The same pattern occurs throughout the script, so only one example is
given here.
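The following is an added example, not Chipmailer code, showing how the contact form handler quoted above can be hardened. It assumes the same POST field names and the data() configuration helper from the advisory; the function names and the length limits are assumptions made for this example.

```php
<?php
// Added example (not Chipmailer code): hardened version of the contact
// form handler. Field names and data() come from the advisory; the rest
// is assumed for illustration.

// Header-bound values must never contain CR or LF: a newline would let
// the sender append extra mail headers (Bcc:, Content-Type:, ...).
function noHeaderInjection(string $value): bool
{
    return preg_match('/[\r\n]/', $value) !== 1;
}

// Returns true when the mail was handed to the MTA, false when input was rejected.
function handleContactForm(array $post, string $sitename, string $adminmail): bool
{
    $name    = trim($post['name']    ?? '');
    $betreff = trim($post['betreff'] ?? '');
    $mail    = trim($post['mail']    ?? '');
    $text    = $post['text'] ?? '';

    // Assumed limits; keep the display name to characters a name can contain.
    if ($name === '' || strlen($name) > 100 || strlen($betreff) > 200) {
        return false;
    }
    if (preg_match('/^[\p{L}\p{N} .\'-]+$/u', $name) !== 1) {
        return false;
    }
    // Only a syntactically valid address may appear in a header.
    if (filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    foreach ([$name, $betreff, $mail] as $headerValue) {
        if (!noHeaderInjection($headerValue)) {
            return false;
        }
    }

    $subject = "Anfrage bei " . $sitename . " über " . $betreff;
    // Encode the subject so non-ASCII characters (ü) survive transport.
    $subject = '=?UTF-8?B?' . base64_encode($subject) . '?=';

    // Send from a fixed local address and put the visitor in Reply-To;
    // mail claiming to be From: the visitor's domain would fail SPF/DMARC.
    $headers = "From: " . $sitename . " <" . $adminmail . ">\r\n"
             . "Reply-To: " . $name . " <" . $mail . ">";

    return mail($adminmail, $subject, $text, $headers);
}

// Usage: both configuration values come from the script's data() helper.
// handleContactForm($_POST, data("sitename"), data("adminmail"));
```

Rejecting the request outright, rather than stripping the offending characters, keeps the validation easy to reason about and gives a clear signal for logging and rate limiting on the contact form.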
2) SQL Injection Vulnerability in main.php
(around line 335)
...
$anfang = $_GET['anfang'];
$connect = mysql_query("SELECT head, autor, date, text FROM news
order by id desc LIMIT $anfang, 10");
...
3) Public phpinfo() in php.php
(around line 2)
<?
phpinfo();
?>
The php.php file, shipped with the install files of this script, contains
nothing but a phpinfo() call, so attackers can easily collect information
about the target server.
4) SQL Injection Vulnerability in main.php
(around lines 30-140)
...
$name = $_POST['name'];
$pass = md5($_POST['pass']);
$passwdh = md5($_POST['passwdh']);
$mail = $_POST['mail'];
$anrede = $_POST['anrede'];
$vorname = $_POST['vorname'];
$nachname = $_POST['nachname'];
$gebtag = $_POST['gebtag'];
$gebmonat = $_POST['gebmonat'];
$gebjahr = $_POST['gebjahr'];
...
mysql_query("INSERT INTO user ( name, pass, mail, ip, status, register, anrede, vorname, nachname,
strasse, hausnr, plz, stadt, land, geb, `int1`, `int2`, `int3`, `int4`, `int5`, `int6`, `int7`,
`int8`, `int9`, `int10`, `int11`, `int12`, `int13`, `int14`, `int15`, `int16`, `int17`,
`int18`, `int19`, `int20`, `int21`, newsletter, werber, paidmails, bespaidmails ) VALUES
( '$name', '$pass', '$mail', '$ip', '2', '$date', '$anrede', '$vorname', '$nachname', '$strasse', '$hausnr',
'$plz', '$stadt', '$land', '$geb', '$int1', '$int2', '$int3', '$int4', '$int5', '$int6', '$int7',
'$int8', '$int9', '$int10', '$int11', '$int12', '$int13', '$int14', '$int15', '$int16', '$int17',
'$int18', '$int19', '$int20', '$int21', '$newsletter', '$werber', '0', '0' )");
...
If magic_quotes_gpc is off, malicious SQL code can be injected directly through these parameters.
The same pattern appears in (for example):
line 1366-1369
line 1519-1520
line 1768-1769
...
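The following is an added example, not Chipmailer code, rewriting the two queries quoted in items 2 and 4 with PDO prepared statements so that the offset and the registration values never reach the SQL parser as part of the query text. Table and column names are those from the advisory; the $pdo connection, the reduced column list in the INSERT and the function names are assumptions.

```php
<?php
// Added example (not Chipmailer code): items 2 and 4 with bound parameters.
// Table/column names come from the advisory; the connection and the
// shortened column list are assumed.

function fetchNewsPage(PDO $pdo, $rawAnfang): array
{
    // LIMIT arguments cannot be quoted, so normalise the offset to a
    // non-negative integer first; an input such as "0/*" becomes 0.
    $anfang = filter_var($rawAnfang, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($anfang === false) {
        $anfang = 0;
    }

    $stmt = $pdo->prepare(
        'SELECT head, autor, date, text FROM news ORDER BY id DESC LIMIT :anfang, 10'
    );
    // PDO::PARAM_INT matters here: a string-bound value would be quoted
    // and the LIMIT clause would become invalid.
    $stmt->bindValue(':anfang', $anfang, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

function registerUser(PDO $pdo, array $post, string $ip): bool
{
    // Server-side validation before anything touches the database.
    $name = trim($post['name'] ?? '');
    $mail = trim($post['mail'] ?? '');
    if ($name === '' || strlen($name) > 50) {          // assumed limit
        return false;
    }
    if (filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // md5() as used by the script is not a password hash; password_hash()
    // produces a salted, slow hash suitable for storage.
    $pass = password_hash($post['pass'] ?? '', PASSWORD_DEFAULT);

    // Every user-supplied value travels as a bound parameter, so quotes in
    // the input cannot alter the statement. magic_quotes_gpc plays no role
    // in this (it was removed in PHP 5.4 in any case).
    $stmt = $pdo->prepare(
        'INSERT INTO user (name, pass, mail, ip, status, register, anrede, vorname, nachname)
         VALUES (:name, :pass, :mail, :ip, 2, :register, :anrede, :vorname, :nachname)'
    );
    return $stmt->execute([
        ':name'     => $name,
        ':pass'     => $pass,
        ':mail'     => $mail,
        ':ip'       => $ip,
        ':register' => date('Y-m-d H:i:s'),
        ':anrede'   => $post['anrede']   ?? '',
        ':vorname'  => $post['vorname']  ?? '',
        ':nachname' => $post['nachname'] ?? '',
    ]);
}

// Usage (assumed connection details). Emulated prepares are switched off
// so that MySQL itself handles the placeholders, including the one in LIMIT.
// $pdo = new PDO('mysql:host=localhost;dbname=chipmailer;charset=utf8mb4', 'dbuser', 'secret',
//                [PDO::ATTR_EMULATE_PREPARES => false, PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $news = fetchNewsPage($pdo, $_GET['anfang'] ?? 0);
// $ok   = registerUser($pdo, $_POST, $_SERVER['REMOTE_ADDR']);
```

The integer cast on the offset is the part that cannot be delegated to the driver: even with prepared statements, a LIMIT value has to be a number, so validating it as one is the check that closes the hole in item 2.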
Proof of Concept:
index.php?area=news&anfang=0/*
Note:
It is strongly recommended that you patch the script yourself.
Also look at other insecure handling, such as the logout handling, which
does not overwrite the existing cookie.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.3
iD8DBQFEjyQrqBhP+Twks7oRArnAAKCS99/tPofih3VT5r7rEPS3wcq5oQCfckFN
4uKl2tTrA802OsBlya53Vj8=
=d7Dx
-----END PGP SIGNATURE-----