ZH2003-22SA (security advisory): Zorum XSS Vulnerability and Path Disclosure

Type securityvulns
Reporter Securityvulns
Modified 2003-08-12T00:00:00


phpWebSite SQL Injection & DoS & XSS Vulnerabilities

PRODUCT: phpWebSite
VENDOR: Appalachian State University
VULNERABLE VERSIONS:

   - 0.9.x
   - 0.8.x
   - 0.7.x
   - And older versions.




phpWebSite provides a complete web site content management system. Web-based administration allows for easy maintenance of interactive, community-driven web sites.


I encountered SQL injection vulnerabilities in some of the phpWebSite modules, XSS (cross-site scripting), path disclosures and a denial of service attack.


I encountered SQL injection vulnerabilities in the Calendar module, active in default configurations, that allow you to execute SQL queries on the target server with the privileges of the application user.

When you send a specially crafted URL to the Calendar script you get a SQL error message like this:

DB Error: syntax error select * from mod_calendar_events where ((startDate >= 2003\0[CRAFTED VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or (endDate >= 2003\0[CRAFTED VALUE]0110 and endDate <= 2003\0[CRAFTED VALUE]0110)) and active=1 [nativecode=1064 ** You have an error in your SQL syntax near '\0[CRAFTED VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or (endDate >= 2003\0[CRAFTED VALUE]0110 and endDate ' at line 1]

This is an example of the error message:

DB Error: syntax error select * from mod_calendar_events where ((startDate >= 2003\0-10110 and startDate <= 2003\0-10110) or (endDate >= 2003\0-10110 and endDate <= 2003\0-10110)) and active=1 [nativecode=1064 ** You have an error in your SQL syntax near '\0-10110 and startDate <= 2003\0-10110) or (endDate >= 2003\0-10110 and endDate ' at line 1]

To get this you must use this simple URL:

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&year=2003%00-1&month=

And you get the SQL error message. The error occurs when the query includes the crafted value 2003[%00 = null]-1. You can design a successful query to get configuration values or authentication data. I designed a URL that makes a successful query (not a hostile query):

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=month&month=11&year=2003%20and%20startDate%20%3c%3d%2020071205%29%20or%20%28%20endDate%20%3e%3d031101%20and%20endDate%20%3c%3d%2020071205%29%29%20and%20active%3d1

which is (without URL encoding):

2003 and startDate <= 20071205) or ( endDate >=031101 and endDate <= 20071205)) and active=1

A little knowledge of SQL (in this case, MySQL) is needed to make a successful attack.

Other scripts of the Calendar module are affected by this hole: when you send a crafted request, such as a + symbol as the value of a critical URL variable, you get the "pure" SQL server error message, and by looking at the error pages you can work out (I like this word: imagine) a SQL query that views private information of the application, as a trial-and-error method.

Other URLs to probe are:

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&month=0&year=<

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&month=1%00&year=)SQL_INJECTION_FAKU
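The following is an added example written for this page; it is not phpWebSite code and does not come from the advisory. It models the Calendar date parameters the way the error output above suggests they were used (year, month and day concatenated into the WHERE clause as bare numbers) and places a hardened version beside it: strict integer validation plus a placeholder for every value, so the SQL text never contains user input. Function names, the concatenation order, the year range and the length limits are assumptions made for the illustration; the same length check also rejects the oversized year value used in the denial of service described later on this page. The example uses ctype_digit and prepared statements rather than eregi_replace, since the ereg functions were removed in PHP 7.

```php
<?php
// Added example (not phpWebSite code, not from the advisory): the Calendar date
// parameters handled the way the advisory's error output suggests they were,
// beside a hardened version. Function names, the concatenation order and the
// year range are assumptions made for this illustration.

declare(strict_types=1);

// Reconstructed from the advisory's error text: year, month and day arrive as
// strings and are pasted into the WHERE clause as bare numbers, so anything
// that is not digits (a null byte, '+', '<', ')' or a SQL fragment) ends up
// inside the query.
function buildEventsQueryUnsafe(string $year, string $month, string $day): string
{
    $date = $year . $month . $day;
    return 'select * from mod_calendar_events where '
         . "((startDate >= $date and startDate <= $date) "
         . "or (endDate >= $date and endDate <= $date)) and active=1";
}

// Hardened: accept a parameter only if it is a short, all-digit string inside
// the expected range. Returns the integer, or null when the value must be rejected.
function validateDateParam(?string $value, int $min, int $max, int $maxLen): ?int
{
    if ($value === null || strlen($value) > $maxLen) { // also stops the >4000-byte payload
        return null;
    }
    if (!ctype_digit($value)) {                         // "" and "2003\0-1" both fail here
        return null;
    }
    $n = (int) $value;
    return ($n >= $min && $n <= $max) ? $n : null;
}

// Hardened query: validated integers and a placeholder for each value, so the
// SQL text never contains user input. Returns [sql, params] (or null when a
// parameter is rejected) so the result can be shown without a database.
function buildEventsQuerySafe(?string $year, ?string $month, ?string $day): ?array
{
    $y = validateDateParam($year, 1970, 2037, 4);
    $m = validateDateParam($month, 1, 12, 2);
    $d = validateDateParam($day, 1, 31, 2);
    if ($y === null || $m === null || $d === null) {
        return null;
    }
    $date = (int) sprintf('%04d%02d%02d', $y, $m, $d);
    $sql  = 'select * from mod_calendar_events where '
          . '((startDate >= ? and startDate <= ?) or (endDate >= ? and endDate <= ?)) and active=1';
    return [$sql, [$date, $date, $date, $date]];
}
// With mysqli the pair is executed as (connection details omitted):
//   $stmt = $mysqli->prepare($sql); $stmt->bind_param('iiii', ...$params); $stmt->execute();

// Inputs modelled on the advisory's probes (constructed here, not captured traffic).
$cases = [
    'normal'       => ['2003', '01', '10'],
    'null byte'    => ["2003\0-1", '', '10'],
    'sql fragment' => ['2003 and startDate <= 20071205) or (1=1', '11', '01'],
    'oversized'    => [str_repeat('91+', 1500), '11', '01'],
];
foreach ($cases as $label => [$year, $month, $day]) {
    $safe = buildEventsQuerySafe($year, $month, $day);
    printf("%-12s unsafe query: %d bytes | hardened: %s\n",
        $label,
        strlen(buildEventsQueryUnsafe($year, $month, $day)),
        $safe === null ? 'rejected' : 'ok, date ' . $safe[1][0]);
}
```

Run with `php example.php`: only the normal case reaches the database; the three probe-shaped inputs are rejected before any SQL is built, so no database error text is produced for an attacker to read, which also removes the error-page XSS vector described below.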

XSS vulnerabilities

I encountered XSS security holes in some scripts of phpWebSite:

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&month=2&year=2003&day=1+%00">[XSS ATTACK CODE]

http://[HOST]/[PATH]/index.php?module=fatcat&fatcat[user]=viewCategory&fatcat_id=1%00+">[XSS ATTACK CODE]

http://[HOST]/[PATH]/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=10">[XSS ATTACK CODE]&MMN_position=[X:X]

http://[HOST]/[PATH]/index.php?module=search&SEA_search_op=continue&PDA_limit=10">[XSS ATTACK CODE]

Note that the Calendar, PageMaster and Fatcat modules are affected completely: all the script variables that are passed by URL are affected by this too.

When you access a hostile link with an XSS attack against those scripts, your browser will execute the script commands. This can be used to steal cookies, authentication tokens and other private information. If your browser is vulnerable to other holes (like MSIE ;-) you can have more problems...


If you send a crafted URL with XSS attack code to some of the scripts that are vulnerable to SQL injection, the XSS attack code will be executed in the error page.


I tested this on Win2K (Windows 2000 Professional) with SP3 and the following versions:

  • Sambar Server 5.2 beta
  • PHP 4.2.3 running as ISAPI module
  • MySQL NT [normal service] 3.23.56
  • include_path pointing to the pear folder of phpWebSite

Sending this: [view]=month&month=11&year=9 (you can try other things and get the same)

you get this:

Warning: localtime(): invalid local time in C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252

Warning: localtime(): invalid local time in C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252

<- more than fifty repetitions of this warning ->

It is a strange error; I think it only occurs on MS Windows installations. Possibly it occurs when the PEAR library TimeZone.php script tries to convert the local date into Unix timestamp format.


There is a DoS/buffer overflow attack in a script inside the Calendar module that allows you to crash the host running the MySQL server and the phpWebSite scripts (they must be on the same computer).

This is a basic proof of concept for this vulnerability:

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=[VIEW FORM]&month=11&year=91+92+93... (more than 4000 bytes)

An attack like this causes a global system crash, including the web server service and the MySQL service.

Solutions

1.- Be sure that the phpWebSite database user has only SELECT, INSERT and UPDATE privileges, and only on the phpWebSite database.

2.- Use the PHP function eregi_replace to prevent XSS attacks.

3.- Turn php_error_flags to Off.

4.- In addition, if you are using Apache, use an external module like mod_security.

5.- If you are paranoid, don't use PHP, MySQL, Windows, Linux, computers, TCP/IP, NetBIOS, games, ASP, Apache... nothing! WARNING ;-): (paranoid solution...)
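Solution 4 leaves the request filtering to mod_security; the added example below, written for this page and not part of the advisory or of phpWebSite, shows the equivalent check run afterwards over an Apache combined-format access log, so an operator can see whether the probe shapes described in this advisory (null bytes and SQL fragments in the Calendar date parameters, HTML metacharacters in module parameters, oversized query strings) have already been sent to a site. The log lines are constructed for the example; the function names, the module list and the 4000-byte threshold are assumptions.

```php
<?php
// Added example, not part of the advisory or of phpWebSite: a scanner for
// Apache combined-format access logs that flags requests carrying the patterns
// this advisory describes. The log lines are constructed; function names, the
// module list and the size threshold are assumptions.

declare(strict_types=1);

const AFFECTED_MODULES = ['calendar', 'fatcat', 'pagemaster', 'search'];
const DATE_PARAMS      = ['year', 'month', 'day'];
const MAX_QUERY_BYTES  = 4000;   // the advisory's DoS payloads exceed this

// Parse one combined-format line; returns null when the line does not match.
function parseLogLine(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $params = [];
    $query  = (string) parse_url($m[4], PHP_URL_QUERY);
    foreach ($query === '' ? [] : explode('&', $query) as $pair) {
        [$k, $v] = array_pad(explode('=', $pair, 2), 2, '');
        $params[rawurldecode($k)] = rawurldecode($v);   // %00 becomes a real NUL here
    }
    return ['ip' => $m[1], 'time' => $m[2], 'query' => $query,
            'params' => $params, 'status' => (int) $m[5]];
}

// Return the reasons a request looks like one of the advisory's probes; [] means clean.
function classifyRequest(array $req): array
{
    $module = $req['params']['module'] ?? '';
    if (!in_array($module, AFFECTED_MODULES, true)) {
        return [];
    }
    $reasons = [];
    if (strlen($req['query']) > MAX_QUERY_BYTES) {
        $reasons[] = 'oversized query string (' . strlen($req['query']) . ' bytes)';
    }
    foreach ($req['params'] as $name => $value) {
        if (strpos($value, "\0") !== false) {
            $reasons[] = "null byte in $name";
        }
        if (preg_match('/[<>"]/', $value)) {
            $reasons[] = "HTML metacharacters in $name";
        }
        if (in_array($name, DATE_PARAMS, true) && $value !== '' && !ctype_digit($value)) {
            $reasons[] = "non-numeric $name";
        }
    }
    return $reasons;
}

// Scan many lines; returns one entry per flagged request.
function scanLog(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        $req = parseLogLine($line);
        if ($req === null) {
            continue;
        }
        $reasons = classifyRequest($req);
        if ($reasons !== []) {
            $hits[] = ['line' => $n + 1, 'ip' => $req['ip'], 'reasons' => $reasons];
        }
    }
    return $hits;
}

// Constructed sample log: one normal request followed by probes shaped like the
// advisory's URLs (placeholders replaced by harmless literals).
$log = [
    '10.0.0.5 - - [12/Aug/2003:10:00:00 +0200] "GET /phpws/index.php?module=calendar&calendar[view]=month&month=11&year=2003 HTTP/1.0" 200 5120',
    '10.0.0.9 - - [12/Aug/2003:10:00:01 +0200] "GET /phpws/index.php?module=calendar&calendar[view]=day&year=2003%00-1&month= HTTP/1.0" 200 812',
    '10.0.0.9 - - [12/Aug/2003:10:00:02 +0200] "GET /phpws/index.php?module=calendar&calendar[view]=month&month=11&year=2003%20and%20startDate%20%3c%3d%2020071205 HTTP/1.0" 200 900',
    '10.0.0.9 - - [12/Aug/2003:10:00:03 +0200] "GET /phpws/index.php?module=fatcat&fatcat[user]=viewCategory&fatcat_id=1%00+%22%3E HTTP/1.0" 200 640',
    '10.0.0.9 - - [12/Aug/2003:10:00:04 +0200] "GET /phpws/index.php?module=calendar&calendar[view]=day&month=11&year=' . str_repeat('91+', 1500) . ' HTTP/1.0" 500 0',
];

foreach (scanLog($log) as $hit) {
    printf("line %d from %s: %s\n", $hit['line'], $hit['ip'], implode('; ', $hit['reasons']));
}
```

The first line is reported clean; lines 2 to 5 are each flagged with the matching reasons. To use it on a real log, replace `$log` with `file('/path/to/access_log', FILE_IGNORE_NEW_LINES)`; because the check keys on the decoded parameter values rather than on an exact URL, it also catches the variants the advisory says exist in the other Calendar scripts.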


Lorenzo Hernandez Garcia-Hierro
Computer Security Analyzer
Nova Projects Professional Coding
PGP key fingerprint: B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2  ID: 0x9C38E1D7
www.novappc.com
security.novappc.com
www.lorenzohgh.com