Chipmailer <= 1.09 Multiple Vulnerabilities

2006-06-15T00:00:00
ID SECURITYVULNS:DOC:13177
Type securityvulns
Reporter Securityvulns
Modified 2006-06-15T00:00:00

Description


 Advisory: Chipmailer <= 1.09 Multiple Vulnerabilities

Release Date: 2006/06/13
Last Modified: 2006/06/13
Author: Tamriel [tamriel at gmx dot net]
Application: Chipmailer <= 1.09
Risk: Medium
Vendor Status: no patch available
Vendor Site: chipmailer.de

Overview:

Quote from http://chipmailer.de

"Chipmailer is a paid-mail script of the newest generation, offering attractive benefits. This script has a great many functions for users, sponsors and administrators."

Details:

1) Cross Site Scripting Vulnerabilities in main.php (around lines 300-310)

  ...

  $sitename = data("sitename");
  $name = $_POST['name'];
  $betreff = $_POST['betreff'];
  $betreff = "Anfrage bei ".$sitename." über ".$betreff."";
  $mail = $_POST['mail'];
  $adminmail = data("adminmail");
  $text = $_POST['text'];

  mail($adminmail, $betreff, $text, "From: $name <$mail>");

  ...

  Nothing is checked, so an attacker can send the site administrator
  arbitrary content.

  The same flaw appears throughout the script, so only one example is
  given here.

2) SQL Injection Vulnerability in main.php (around line 335)

  ...

  $anfang = $_GET['anfang'];
  $connect = mysql_query("SELECT head, autor, date, text FROM news 
  order by id desc LIMIT $anfang, 10");

  ...

3) Public phpinfo() in php.php (around line 2)

  <?
  phpinfo();
  ?>

  The php.php file, shipped with the install files of this script,
  consists of nothing but a phpinfo() call, so attackers can easily
  collect information about the server it runs on.

4) SQL Injection Vulnerability in main.php (around lines 30-140)

  ...

  $name = $_POST['name'];
  $pass = md5($_POST['pass']);
  $passwdh = md5($_POST['passwdh']);
  $mail = $_POST['mail'];

  $anrede = $_POST['anrede'];
  $vorname = $_POST['vorname'];
  $nachname = $_POST['nachname'];

  $gebtag = $_POST['gebtag'];
  $gebmonat = $_POST['gebmonat'];
  $gebjahr = $_POST['gebjahr'];

  ...

  mysql_query("INSERT INTO user ( name, pass, mail, ip, status, register, anrede, vorname,
  nachname, strasse, hausnr, plz, stadt, land, geb, `int1`, `int2`, `int3`, `int4`, `int5`, `int6`, `int7`, `int8`, `int9`, `int10`, `int11`, `int12`, `int13`, `int14`, `int15`, `int16`, `int17`, `int18`, `int19`, `int20`, `int21`, newsletter, werber, paidmails, bespaidmails ) VALUES ( '$name', '$pass', '$mail', '$ip', '2', '$date', '$anrede', '$vorname', '$nachname', '$strasse', '$hausnr', '$plz', '$stadt', '$land', '$geb', '$int1', '$int2', '$int3', '$int4', '$int5', '$int6', '$int7', '$int8', '$int9', '$int10', '$int11', '$int12', '$int13', '$int14', '$int15', '$int16', '$int17', '$int18', '$int19', '$int20', '$int21', '$newsletter', '$werber', '0', '0' )");

  ...

  If magic_quotes_gpc is off, then you can directly inject malicious SQL code.

  The same in (for example):

      line 1366-1369
      line 1519-1520
      line 1768-1769
      ...
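As an added example (not the vendor's code), hardened forms of the three main.php fragments from sections 1, 2 and 4 above, assuming a PDO connection in $db, the script's own data() helper, and PHP 7 or later for the ?? operator:

```php
<?php
// Added example, not the vendor's code: hardened forms of the three
// main.php fragments from the advisory. Assumes a PDO connection in $db
// and the script's own data() helper; the ?? operator needs PHP 7+.

// 1) Contact form: validate before anything reaches mail().
$name    = trim((string) ($_POST['name'] ?? ''));
$mail    = trim((string) ($_POST['mail'] ?? ''));
$betreff = trim((string) ($_POST['betreff'] ?? ''));
$text    = (string) ($_POST['text'] ?? '');

// A CR or LF inside a header value would let the sender append further
// headers (extra recipients, Bcc:), so refuse such input outright.
if (preg_match('/[\r\n]/', $name . $mail . $betreff) === 1
    || filter_var($mail, FILTER_VALIDATE_EMAIL) === false) {
    exit('Invalid input.');
}
$betreff = 'Anfrage bei ' . data('sitename') . ' über ' . $betreff;
mail(data('adminmail'), $betreff, $text, "From: {$name} <{$mail}>");

// 2) News paging: LIMIT needs a non-negative integer, so enforce one
//    and bind it as an integer instead of interpolating the raw string.
$anfang = filter_var($_GET['anfang'] ?? 0, FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 0]]);
if ($anfang === false) {
    $anfang = 0;
}
$stmt = $db->prepare(
    'SELECT head, autor, date, text FROM news ORDER BY id DESC LIMIT :anfang, 10'
);
$stmt->bindValue(':anfang', $anfang, PDO::PARAM_INT);
$stmt->execute();
$news = $stmt->fetchAll(PDO::FETCH_ASSOC);

// 4) Registration: a prepared INSERT keeps user data out of the SQL text and
//    no longer depends on magic_quotes_gpc (first columns only, rest bound alike).
$stmt = $db->prepare(
    'INSERT INTO user (name, pass, mail, ip, status, anrede, vorname, nachname)
     VALUES (:name, :pass, :mail, :ip, 2, :anrede, :vorname, :nachname)'
);
$stmt->execute([
    ':name'     => (string) ($_POST['name'] ?? ''),
    ':pass'     => md5((string) ($_POST['pass'] ?? '')), // hashing kept as in the original
    ':mail'     => (string) ($_POST['mail'] ?? ''),
    ':ip'       => $_SERVER['REMOTE_ADDR'] ?? '',
    ':anrede'   => (string) ($_POST['anrede'] ?? ''),
    ':vorname'  => (string) ($_POST['vorname'] ?? ''),
    ':nachname' => (string) ($_POST['nachname'] ?? ''),
]);
```

Whatever is later rendered back into HTML (the admin panel, a confirmation page) still needs htmlspecialchars() at the output point; the validation above only keeps the mail headers and SQL statements intact.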

Proof of Concept:

  index.php?area=news&anfang=0/*

Note:

  It is strongly recommended to fix the script yourself.
  Check the other insecure handling as well, such as the logout handling,
  which does not overwrite the existing cookie.
