rt-sa-2006-004.txt

25 Jun 2006 00:00:00 | Reported by RedTeam Pentesting | Type: packetstorm | Source: packetstormsecurity.com

Authentication bypass in phpBannerExchange, SQL injection vulnerabilit

Related

- CVE: CVE-2006-3012 (published 19 Jun 2006 10:00, source: cve)
- Cvelist: CVE-2006-3012 (published 19 Jun 2006 10:00, source: cvelist)
- EUVD: EUVD-2006-3009 (published 7 Oct 2025 00:30, source: euvd)
- NVD: CVE-2006-3012 (published 19 Jun 2006 10:02, source: nvd)
- securityvulns: [Full-disclosure] Advisory: Authentication bypass in phpBannerExchange (published 15 Jun 2006 00:00, source: securityvulns)
`Advisory: Authentication bypass in phpBannerExchange  
  
RedTeam identified two SQL injections in phpBannerExchange. It is  
possible to bypass user authentication with them.  
  
  
Details  
=======  
  
Product: phpBannerExchange  
Affected Versions: All versions up to phpBannerExchange 2.0 RC5  
Fixed Versions: 2.0 RC6  
Vulnerability Type: SQL injections  
Security-Risk: medium  
Vendor-URL: http://www.eschew.net/scripts/phpbe/2.0/  
Vendor-Status: informed, fixed version released  
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2006-004.txt  
Advisory-Status: public  
CVE: CVE-2006-3012  
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3012  
  
  
Introduction  
============  
  
From the vendor's homepage:  
phpBannerExchange is a PHP/mySQL script that allows virtually anyone  
with minimal knowledge of PHP, mySQL and web hosting to run their own  
banner exchange.  
  
  
More Details  
============  
  
In file "client/stats.php" the variables $login and $pass are not  
sanitized at all.  
  
[...]  
42 $login=$_REQUEST['login'];  
43 $pass=$_REQUEST['pass'];  
[...]  
  
If plaintext passwords are allowed ($usemd5 != "Y"), the following SQL  
query is used:  
  
[...]  
59 $result = mysql_query("select * from banneruser where  
login='$login' AND pass='$pass'");  
[...]  
  
By passing the special character "'" it is possible to alter the SQL  
query and bypass authentication.  
  
A similar vulnerability exists in "admin/stats.php":  
  
[...]  
49 $login=$_SESSION['login'];  
50 $pass=$_SESSION['pass'];  
[...]  
54 $result = mysql_query("select * from banneradmin where   
adminuser='$login'   
AND adminpass='$encpw'");  
[...]  
  
  
Proof of Concept  
================  
  
User login or administrator login:  
Use "'or''='" for both login name and password. You will be  
authenticated as the first user/admin in the database.  
  
  
Workaround  
==========  
  
Use PHP Magic Quotes.  
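  
The following is an added example, not part of the original advisory and  
not phpBannerExchange code. It rebuilds the lookup from "More Details" and  
the "Proof of Concept" against an in-memory SQLite table (a constructed  
stand-in for the banneruser table, with constructed sample rows) to show  
why the string-built query accepts the "'or''='" input and why the same  
lookup with bound parameters does not. It also relates to the "Workaround"  
above: PHP magic quotes were an addslashes-style escaping layer that was  
deprecated in PHP 5.3 and removed in 5.4, so parameterised queries, not  
input escaping, are the durable fix.  

```python
import sqlite3


def make_db():
    """Constructed sample data: a stand-in for the advisory's banneruser table.

    The schema and rows are assumptions for this demo, not the project's own.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE banneruser (id INTEGER PRIMARY KEY, login TEXT, pass TEXT)"
    )
    conn.executemany(
        "INSERT INTO banneruser (login, pass) VALUES (?, ?)",
        [("admin", "s3cret-admin"), ("alice", "wonderland")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, login, pw):
    """Mirrors the advisory's string-built query (the $usemd5 != "Y" branch).

    Returns the login of the first matching row, or None. Because the input is
    spliced into the SQL text, a quote in either field changes the query's
    structure instead of being compared as data.
    """
    query = "select * from banneruser where login='%s' AND pass='%s'" % (login, pw)
    row = conn.execute(query).fetchone()
    return row[1] if row else None


def login_hardened(conn, login, pw):
    """Same lookup with bound parameters.

    The SQL text is fixed; the driver passes login and pw as values, so they
    are never parsed as SQL no matter which characters they contain.
    """
    row = conn.execute(
        "select * from banneruser where login=? AND pass=?", (login, pw)
    ).fetchone()
    return row[1] if row else None


# The input from the advisory's Proof of Concept section.
PAYLOAD = "'or''='"


def demo():
    """Run both variants with the advisory's input and with valid credentials."""
    conn = make_db()
    return {
        # String-built query: WHERE collapses to a condition that is true for
        # every row, so the first user in the table is returned.
        "vulnerable_bypass": login_vulnerable(conn, PAYLOAD, PAYLOAD),
        # Parameterised query: the same string is just a login that does not exist.
        "hardened_bypass": login_hardened(conn, PAYLOAD, PAYLOAD),
        # Parameterised query still authenticates a real user normally.
        "hardened_valid": login_hardened(conn, "alice", "wonderland"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print("%-18s -> %r" % (name, result))
```

The vulnerable variant returns "admin" for the advisory's input because the  
resulting WHERE clause evaluates to true for every row and the first row  
wins; the hardened variant returns None for the same input and "alice" for  
real credentials. Porting the fix back to the PHP in question means using  
mysqli or PDO prepared statements with placeholders for $login and $pass  
(and $encpw in admin/stats.php) rather than interpolating them into the  
query string.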
  
  
Fix  
===  
  
Upgrade to version 2.0 RC6  
  
  
Security Risk  
=============  
  
The security risk is high because an attacker could gain access to an  
administrator account, view and alter the database, and thereby  
compromise the whole application.  
  
  
History  
=======  
  
2006-06-09 Discovery of the problem  
2006-06-10 Vendor is informed  
2006-06-12 Vendor releases fixed version  
  
References  
==========  
  
[1] http://www.eschew.net/scripts/phpbe/2.0/  
  
  
RedTeam  
=======  
  
RedTeam Pentesting offers individual penetration tests (pentests for  
short), performed by a team of specialised IT security experts. In this  
way, security weaknesses in company networks are uncovered and can be  
fixed immediately.  
  
As there are only a few experts in this field, RedTeam wants to share its  
knowledge and enhance the public knowledge with research in security  
related areas. The results are made available as public security  
advisories.  
  
More information about RedTeam can be found at  
http://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting Tel.: +49-(0)241-963 1300  
Dennewartstr. 25-27 Fax : +49-(0)241-963 1304  
52068 Aachen http://www.redteam-pentesting.de  
`
