SECURITYVULNS:DOC:3224
Jul 16, 2002 - 12:00 a.m.

Again NULL and addslashes() (now in 123tkshop)

vulners.com, 2002-07-16 00:00:00

Hi!

OK, another announcement about a PHP application containing unescaped
SQL queries and unsafe include/require statements.

Several problems in 123tkshop

What is 123tkshop?

123tkshop is e-commerce software written in PHP.
It provides a full-featured online shop.
More information is available at: <http://www.123tkshop.org/>

include + NULL problem

Problem description

Several include statements use variables supplied by the user. So if
register_globals is on and magic_quotes_gpc is off, you are able to read
any file on the webserver:
function_foot_1.inc.php
[…]
include("styles/$designNo/footer.php");
[…]

So what's the problem with NULL?

If $designNo contains a NULL byte (aka \0 or %00), the include statement
ignores everything after the NULL and includes the file named by the part
before it.
Here is some example code explaining the behaviour:
foobar.php looks like this:
<?php
include("…/".$input."blubb");
?>

Calling the file with the following parameter:
foobar.php?input=bla%00bla

results in (with magic_quotes_gpc enabled):
<br />
<b>Warning</b>: Failed opening '…/bla\0blablubb' for inclusion (include_path='.:/usr/local/lib/php') in <b>/home/user/public_html/foobar.php</b> on line <b>2</b><br />

This doesn't seem to be exploitable, but what happens if magic_quotes_gpc
is turned off (as in php.ini-recommended, for performance reasons, without
pointing out THIS kind of problem)?:
<br />
<b>Warning</b>: Failed opening '…/bla' for inclusion (include_path='.:/usr/local/lib/php') in <b>/home/user/public_html/foobar.php</b> on line <b>2</b><br />

Huh?! Did you get it? Everything after the NULL (%00) is ignored!
So what can we do now? We can take a look at the available users:
foobar.php?input=…/…/…/etc/passwd%00

Voila…
You can open every file you want. OK, not every file: it has to be
readable by the HTTP user, such as wwwrun or www.

And the solution?

One can test whether a file exists with the function file_exists(). This
function does not ignore the characters after the NULL, so the truncated
path is not silently accepted.
Better still, one should avoid using user-supplied data to open a file at all.
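As an added example (not code from 123tkshop or its author), here is one way to harden the include from function_foot_1.inc.php along those lines: the design name is validated against an allowlist before it ever touches a path, NUL and other control bytes are rejected up front, and the resolved path is checked to stay under the styles/ directory. The allowlist contents and the resolve_footer() function name are assumptions.

```php
<?php
// Added example, not 123tkshop code: hardened replacement for
//   include("styles/$designNo/footer.php");
// where $designNo comes straight from the request.

// Assumed allowlist of design names present on this server (constructed values).
const ALLOWED_DESIGNS = ['default', 'blue', 'classic'];
const STYLES_DIR = __DIR__ . '/styles';

/**
 * Resolve the footer file for a user-supplied design name, or return null
 * if the value is not acceptable. Raw user data is never interpolated
 * into a path before it has passed the checks below.
 */
function resolve_footer(string $designNo): ?string
{
    // 1. Reject anything outside a tiny character set. This drops the NUL
    //    byte (%00) that truncated the vulnerable include(), path separators,
    //    and the backslash that magic_quotes_gpc would turn "%00" into ("\0").
    if ($designNo === '' || preg_match('/[^A-Za-z0-9_-]/', $designNo)) {
        return null;
    }
    // 2. Accept only known design names; this alone closes the hole.
    if (!in_array($designNo, ALLOWED_DESIGNS, true)) {
        return null;
    }
    // 3. Defence in depth: resolve the real path (which also fails for a
    //    missing file, like the file_exists() check suggested above) and
    //    confirm it still lies inside STYLES_DIR, so a symlink or a later
    //    mistake in the allowlist cannot escape the styles directory.
    $base = realpath(STYLES_DIR);
    $path = realpath(STYLES_DIR . '/' . $designNo . '/footer.php');
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$designNo = (isset($_GET['designNo']) && is_string($_GET['designNo']))
    ? $_GET['designNo'] : 'default';
$footer = resolve_footer($designNo);
if ($footer === null) {
    http_response_code(400);
    exit('invalid design');
}
include $footer;
```

With this in place, a request such as ?designNo=bla%00bla or ?designNo=../../../etc/passwd%00 is refused at step 1 regardless of the register_globals and magic_quotes_gpc settings.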

Fix?

The author released a new version (0.3.1) that checks every file before
it is included.
You can download it at <http://www.123tkshop.org/>.
If you aren't able to update an older version, enable
"magic_quotes_gpc".
See <http://php.net/security> for further information about securing PHP
applications.

missing addslashes()

Problem description

Most of the data passed to mysqld (there are just a few exceptions)
is NOT checked for special characters like ', " et al.
So one is able to inject arbitrary SQL into the queries.
The problem exists when magic_quotes_gpc is turned off.

function_describe_item1.inc.php is one of the dangerous files.

For further information about dangerous SQL queries see:
* <http://www.php.net/manual/en/security.database.php#security.database.sql-injection>

And the solution?

One can apply addslashes() to every piece of user-entered data before it
is submitted to the database.
Lazy people hope that magic_quotes_gpc is enabled. Never expect that an
admin configured the webserver correctly; start the security at the
application level.

Fix?

The author will release a new version ASAP.

Credits

For the German-speaking folk: <http://bluephod.net/>
