rt-sa-2006-005.txt

`Advisory: Unauthorized password recovery in phpBannerExchange  
  
RedTeam identified an SQL injection that can be triggered due to a bad  
user input sanitization in phpBannerExchange. It is possible to recover  
a password of an user and thereby overtake his account.  
  
  
Details  
=======  
  
Product: phpBannerExchange  
Affected Versions: All versions up to phpBannerExchange 2.0 RC5  
Fixed Versions: 2.0 RC6  
Vulnerability Type: Bad user input sanitization, SQL injection  
Security-Risk: medium  
Vendor-URL: http://www.eschew.net/scripts/phpbe/2.0/  
Vendor-Status: informed, fixed version released  
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2006-005.txt  
Advisory-Status: public  
CVE: CVE-2006-3013  
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3013  
  
  
Introduction  
============  
  
From the vendor's homepage:  
phpBannerExchange is a PHP/mySQL script that allows virtually anyone  
with minimal knowledge of PHP, mySQL and web hosting to run their own  
banner exchange.   
  
  
More Details  
============  
  
If a user forgot the password of his phpBannerExchange account, he  
can reset it by supplying his email address.  
In "resetpw.php" the variable $email contains this email address,  
which is then validated by a regular expression.  
  
[...]  
42 if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*  
(\.[a-z]{2,3})$", $email)){  
[...]  
  
Due to a bug in the implementation of eregi(), it is possible to pass  
additional characters by using a Null Byte "\0". Because the backend  
of eregi() is implemented in C, $email is treated as a zero-terminated  
string. All characters starting from the Null Byte on will not be  
recognized by the regular expression. Therefore you can pass an email  
address, that includes the special character "'" to break the following  
SQL query:  
  
[...]  
48 $get_info=mysql_query("select * from banneruser where   
email='$email'");  
[...]  
  
After that, a new password for the chosen user is generated and sent via  
  
[...]  
68 mail($email,$usrsubject,$usrcontent,"From: $ownermail");  
[...]  
  
Note that mail() will treat $email as a zero-terminated string, too.  
Thereby, an attacker can reset the password of a user account and send  
it to his own email address.  
  
  
Proof of Concept  
================  
  
Use following URLs with your favorite web browser:  
  
http://example.com/phpbe/resetpw.php?  
submit=&[email protected]%00'or email='[email protected]  
  
to retrieve the password of the user with the email address  
"[email protected]" or  
  
http://example.com/phpbe/resetpw.php?  
submit=&[email protected]%00'or id='1  
  
to retrieve the password of the user with user id "1".  
  
  
Workaround  
==========  
  
Use PHP Magic Quotes.  
  
  
Fix  
===  
  
Upgrade to version 2.0 RC6  
  
  
Security Risk  
=============  
  
The security risk is high because an attacker could gain access to an  
administrator account and view and alter the database and hereby compromise  
the whole application.  
  
  
History  
=======  
  
2006-06-09 Discovery of the problem  
2006-06-10 Vendor is informed  
2006-06-12 Vendor released fixed version  
  
References  
==========  
  
[1] http://www.eschew.net/scripts/phpbe/2.0/  
  
  
RedTeam  
=======  
  
RedTeam Pentesting is offering individual penetration tests, short  
pentests, performed by a team of specialised IT-security experts.  
Hereby, security weaknesses in company networks are uncovered and can be  
fixed immediately.  
  
As there are only few experts in this field, RedTeam wants to share its  
knowledge and enhance the public knowledge with research in security  
related areas. The results are made available as public security  
advisories.  
  
More information about RedTeam can be found at  
http://www.redteam-pentesting.de.  
  
--   
RedTeam Pentesting Tel.: +49-(0)241-963 1300  
Dennewartstr. 25-27 Fax : +49-(0)241-963 1304  
52068 Aachen http://www.redteam-pentesting.de  
`