VWar Cross Site Scripting / SQL Injection / Broken Access Controls

Date: 24 Aug 2010
Reported by: Darren McDonald
Type: packetstorm
Source: packetstormsecurity.com

Vulnerabilities found in the VWar PHP clan management system, including SQL injection, cross site scripting, and broken access control.

Code

Back in April 2008 I found a bunch of vulnerabilities in PHP clan management system, however the project had just changed hands. Since then the new project leader has been assuring me that a new secure release which fixed all the found issues was just around the corner. Over two years later I remember I'm still hanging on to these issues, so I think it is time to release them, patch or not. The SQL injection issue was released on http://www.securityfocus.com/bid/29001 back in May 2008, as the project reverted to an older version which was not vulnerable to this issue. Here is the original list of findings.
  
Best,  
  
Renski  
  
A copy of this document can be found at dmcdonald.net/vwar.txt  
  
1. SQL Injection  
  
1.1 Summary  
  
An SQL injection vulnerability has been discovered in the article rating system in http://mydomain.com/vwar/article.php. This issue could be used by an attacker to deface articles, deny service to other users (DoS), and cause other SQL injection related issues.
  
1.2 Technical Details  
  
The bug itself is in vwar/article.php, line 44 (original line numbers kept):

```php
39 if (is_numeric($GPC["rate"])){
40     if ($GPC["ratearticleselect"] && $GPC["ratearticleselect"] <= 6){
41
42         $vwardb->query("UPDATE vwar".$n."_article
43                         SET
44                         articleratingpoints = articleratingpoints+".$GPC["ratearticleselect"].", // user input concatenated unescaped
45                         articlerated = articlerated+1
46                         WHERE articleid = '".$GPC["rate"]."'");
47
48         $redirecturl = "article.php?articleid=".$GPC["rate"];
49         include ($vwar_root . "includes/get_header.php");
50         eval("\$vwartpl->output(\"".$vwartpl->get("message_confirmation")."\");");
51         include ($vwar_root . "includes/get_footer.php");
52         exit();
53     } else {
54 ...
```

Only `rate` is checked with is_numeric(); `ratearticleselect` is checked with a loose `<= 6` comparison, which a string beginning with a digit passes, and is then concatenated straight into the UPDATE statement.
  
A proof of concept can be seen in the following POST request, which results in the main body of the article being replaced with the text 'NGS TEST':

```http
POST /vwar/article.php?rate=1 HTTP/1.1
Host: mydomain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://mydomain.com/vwar/article.php?articleid=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 64

ratearticleselect=5, article = char(78,71,83,32,84,69,83,84)
```
  
It is also possible to cause vwar to run out of memory when attempting to display the article, by setting ratearticleselect to a high enough value, for example:

ratearticleselect=5%2b999999

When the article in question is next requested by a user, vwar will run out of memory attempting to generate HTML containing vast numbers of IMG tags to display the star rating.
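A hardened form of the rating update, added here as an illustration and not code from VWar or the advisory. It assumes a mysqli connection in `$db` and that `$n` is VWar's table-number suffix from configuration, never from the request; both inputs are validated as bounded integers and bound as parameters, which also removes the rating overflow used for the out-of-memory case.

```php
<?php
// Added example (not VWar's own code): a hardened form of the rating update
// from article.php lines 39-46. Assumes a mysqli connection in $db; $n is the
// table-number suffix from VWar's config, never taken from the request.
function rateArticle(mysqli $db, string $n, array $gpc): bool
{
    // The original only checked is_numeric() on "rate" and a loose "<= 6" on
    // "ratearticleselect"; a leading digit was enough for "5, article = ..."
    // or "5+999999" to pass. Validate both as bounded integers instead.
    $articleId = filter_var($gpc['rate'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    $points = filter_var($gpc['ratearticleselect'] ?? null, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 6]]);
    if ($articleId === false || $points === false) {
        return false;                     // reject instead of interpolating
    }
    // Defensive assumption: the suffix is a short digit string from config
    if (!preg_match('/^[0-9]{0,3}$/', $n)) {
        throw new InvalidArgumentException('unexpected table suffix');
    }
    // Parameters are bound, not concatenated, so no value can alter the query
    $stmt = $db->prepare(
        "UPDATE vwar{$n}_article
            SET articleratingpoints = articleratingpoints + ?,
                articlerated = articlerated + 1
          WHERE articleid = ?"
    );
    $stmt->bind_param('ii', $points, $articleId);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```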
  
1.3 Workaround  
  
There is no known workaround for this issue.  
  
2. Stored Cross Site Scripting (XSS)  
  
2.1 Summary  
  
Five entry points for stored XSS have been found in the following locations:

http://mydomain.com/vwar/challenge.php
http://mydomain.com/vwar/joinus.php
http://mydomain.com/vwar/admin/admin.php?action=finishwar&warid=1
http://mydomain.com/vwar/profile.php

However, there are likely to be more, as vwar uses a common set of text parsers to protect against XSS and SQL code injection.

This issue can be used to attack other users of the vwar system, including the administrators, as data input on these forms is often sent for administrator approval. The results can include session hijacking, which would allow an attacker to gain admin access.
  
2.2 Technical Details  
  
Issue 1: http://mydomain.com/vwar/challenge.php - Additional Information input field
Issue 2: http://mydomain.com/vwar/joinus.php - Additional Information input field
Issue 3: http://mydomain.com/vwar/admin/admin.php?action=finishwar&warid=1 - War Report input field
Issue 4: http://mydomain.com/vwar/profile.php - Nick input field
Issue 5: http://mydomain.com/vwar/joinus.php - Contact information input field

The VWar system filters out the <script> tag to prevent XSS, but allows image (IMG) tags, where JavaScript can be executed from the 'onload', 'onerror', and similar event attributes. As these forms are often sent to other users, there is the potential for an attacker to hijack the session of another user, including a user with administrator access.

A proof of concept which works with all five issues can be seen by entering the following HTML in the vulnerable fields:

```html
<IMG src='' onerror=alert(document.cookie)>
```
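An allow-list filter for user-supplied HTML, added here as an illustration and not code from VWar or the advisory. It keeps a few formatting tags and `<img src>`, unwraps everything else to text, drops every attribute not on the list (so all `on*` event handlers) and requires http(s) URLs, so the payload above comes out as a bare `<img>`. The tag and attribute lists are assumptions chosen for the example.

```php
<?php
// Added example (not VWar's own code): an allow-list filter for fields where
// the "HTML Code" option is on. Tags outside the list are unwrapped to text,
// every on* event attribute is dropped, and src/href must be http(s), so the
// advisory's <IMG src='' onerror=alert(document.cookie)> becomes a bare <img>.
function sanitizeUserHtml(string $html): string
{
    $allowedTags  = ['b', 'i', 'u', 'p', 'br', 'a', 'img'];   // assumed list
    $allowedAttrs = ['a' => ['href'], 'img' => ['src', 'alt']];

    $doc = new DOMDocument();
    libxml_use_internal_errors(true);          // tolerate sloppy user markup
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>',
        LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->documentElement;             // the wrapper <div>

    $xpath = new DOMXPath($doc);
    // Snapshot the node list first: the tree is mutated while walking it
    foreach (iterator_to_array($xpath->query('//*')) as $el) {
        if ($el->isSameNode($root) || $el->parentNode === null) {
            continue;
        }
        $tag = strtolower($el->nodeName);
        if (!in_array($tag, $allowedTags, true)) {
            // Unknown element (script, iframe, ...): keep only its text
            $el->parentNode->replaceChild($doc->createTextNode($el->textContent), $el);
            continue;
        }
        foreach (iterator_to_array($el->attributes) as $attr) {
            $name = strtolower($attr->name);
            $keep = in_array($name, $allowedAttrs[$tag] ?? [], true);
            if ($keep && ($name === 'src' || $name === 'href')) {
                // Rejects javascript:, data: and the empty src used by the PoC
                $keep = (bool) preg_match('#^https?://#i', trim($attr->value));
            }
            if (!$keep) {
                $el->removeAttribute($attr->name);   // drops onerror, onload, ...
            }
        }
    }
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}
```

Filtering on input is a second line of defence; output that is not meant to carry markup should still go through htmlspecialchars() at render time.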
  
2.3 Workaround

Risk from issues 1, 2, 3, and 5 can be mitigated by turning the following settings to 'Off' in the administrator's settings page.
  
HTML Code (Default On)  
Enable Challenge Requests (Default On)  
Enable Join Requests (Default On)  
  
There is no known workaround for issue 4.  
  
3. Broken Access Controls  
  
3.1 Summary  
  
There is a lack of access controls in http://mydomain.com/vwar/popup.php in the print view system, which allows an attacker to view articles normally restricted to users of the system.
  
3.2 Technical Details  
  
It is possible to access member-only news posts by using the printnews action through the newsid field in popup.php. For example, assuming article 3 is hidden from public view, the following URL will allow access to a user who has not logged in:

http://mydomain.com/vwar/popup.php?action=printnews&newsid=3

whereas http://mydomain.com/vwar/news.php?newsid=3 and http://mydomain.com/vwar/news.php correctly do not return the news article unless requested by a valid user.
  
3.3 Workaround  
  
There is no known workaround for this issue.  
  
4. Weak Password Generation  
  
4.1 Summary  
  
VWar has a fault with its random password generation function, which is used during account creation and the forgotten password functionality. Passwords generated this way are highly likely to be one of a set of 60 passwords.

VWar has no account lockout system in place to stop an attacker attempting to brute force the password of a valid user, meaning that an attacker with an automated tool can gain access to an account with a randomly generated password in only a few seconds.
  
4.2 Technical Details  
  
The bug is in vwar/includes/functions_common.php on line 724 (original line numbers kept):

```php
716 function createRandomPassword ($passlen=15,$chars="")
717 {
718     $chars = trim($chars);
719     if(empty($chars)) $chars = "aAb0Bc\$CdD1eEfF2gGh%3HiIj§J4kKl5Lm6MnNo7&OpPqQrR6sStTuUvV9wWxXyYzZ§$%&";
720
721     $charlen = strlen($chars);
722     for ($i = 0; $i < $passlen; $i++)
723     {
724         mt_srand(date("s", time() + $i * 4567));   // seed is only the seconds field, 00-59
725         $password .= substr($chars,mt_rand(1,$charlen),1);
726     }
727
728     return $password;
729 }
```
  
The mt_srand function is seeded with the seconds value of the current system time, a limited set of 60 ('00' to '59'). As the seed predetermines the password which will be generated by this function, it is highly likely that the password will be one of a set of only 60.

It is possible (although unlikely) that createRandomPassword could run during the transition from one second to the next, meaning there is a total of 420 possible passwords which could be generated.

The by-design user enumeration in http://mydomain.com/vwar/admin/index.php?login=1 and other locations, combined with the forgotten password functionality, makes it trivial to gain access to any account.
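A replacement generator, added here as an illustration and not code from VWar or the advisory. It keeps the original signature but draws each character from PHP's CSPRNG via random_int(), which needs no seeding, so the output space is the full alphabet raised to the password length rather than 60 values. The de-duplicated default alphabet is an assumption for the example.

```php
<?php
// Added example (not VWar's own code): createRandomPassword rewritten so that
// each character comes from random_int(), PHP's CSPRNG interface. There is
// no mt_srand() call: the original re-seeded from date("s"), so at most 60
// (in the advisory's worst case 420) distinct passwords could ever appear.
function createRandomPasswordSecure(int $passlen = 15, string $chars = ''): string
{
    $chars = trim($chars);
    if ($chars === '') {
        // Assumed default: the original alphabet with duplicates removed
        $chars = 'aAbBcCdDeEfFgGhHiIjJkKlLmMnNoOpPqQrRsStTuUvVwWxXyYzZ0123456789$%&';
    }
    if ($passlen < 1) {
        throw new InvalidArgumentException('password length must be positive');
    }
    $charlen  = strlen($chars);
    $password = '';
    for ($i = 0; $i < $passlen; $i++) {
        // random_int() is inclusive on both ends; the original's
        // mt_rand(1, $charlen) skipped index 0 and could run past the end
        $password .= $chars[random_int(0, $charlen - 1)];
    }
    return $password;
}
```

A generated password should still be treated as temporary and changed by the user on first login.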
  
4.3 Workaround  
  
Users with default or reset passwords should be encouraged to reset them  
manually to new secure passwords. However  
  
5. Static Session Cookies  
  
5.1 Summary  
  
VWar's session cookies are static, meaning that a user will always be given the same session cookie. VWar will also allow authentication based solely on this cookie. If an attacker obtains a user's session cookie (trivial using finding 2), session timeouts and the logout function will not disrupt the attacker's activities.
  
5.2 Technical Details  
  
The session cookie is created by running the PHP function md5 on the user's md5-hashed password, causing the session id to be static.
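A per-login session token scheme, added here as an illustration and not code from VWar or the advisory. Instead of deriving the cookie from the password hash, it issues a fresh random token on each login, stores only its hash server-side, and deletes it on logout, so timeouts and logout actually end a session. It assumes a mysqli connection in `$db`, a hypothetical table `vwar_sessions(token_hash, userid, expires)` that VWar does not have, and PHP 7.3+ for the setcookie options array.

```php
<?php
// Added example (not VWar's own code): replacing the static md5(md5(password))
// cookie with a per-login random token. Assumes a mysqli connection in $db and
// a hypothetical table vwar_sessions(token_hash, userid, expires) (not in VWar).
function issueSession(mysqli $db, int $userId, int $ttl = 3600): string
{
    $token   = bin2hex(random_bytes(32));       // 256 bits from the CSPRNG
    $hash    = hash('sha256', $token);          // store only the hash
    $expires = time() + $ttl;
    $stmt = $db->prepare(
        'INSERT INTO vwar_sessions (token_hash, userid, expires) VALUES (?, ?, ?)');
    $stmt->bind_param('sii', $hash, $userId, $expires);
    $stmt->execute();
    $stmt->close();
    // HttpOnly keeps a script injected via finding 2 from reading the cookie
    setcookie('vwar_session', $token, [
        'expires' => $expires, 'path' => '/', 'secure' => true,
        'httponly' => true, 'samesite' => 'Lax',
    ]);
    return $token;
}

function userFromSession(mysqli $db, ?string $token): ?int
{
    if ($token === null || !preg_match('/^[0-9a-f]{64}$/', $token)) {
        return null;
    }
    $hash = hash('sha256', $token);
    $now  = time();
    $stmt = $db->prepare(
        'SELECT userid FROM vwar_sessions WHERE token_hash = ? AND expires > ?');
    $stmt->bind_param('si', $hash, $now);
    $stmt->execute();
    $stmt->bind_result($userId);
    $found = $stmt->fetch();                    // expired rows never match
    $stmt->close();
    return $found ? (int) $userId : null;
}

function endSession(mysqli $db, string $token): void
{
    // Logout invalidates the token server-side; the old cookie is now useless
    $hash = hash('sha256', $token);
    $stmt = $db->prepare('DELETE FROM vwar_sessions WHERE token_hash = ?');
    $stmt->bind_param('s', $hash);
    $stmt->execute();
    $stmt->close();
    setcookie('vwar_session', '', ['expires' => 1, 'path' => '/']);
}
```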
  
5.3 Workaround  
  
There is no known workaround for this issue.  