
Professional PHP Tools Guestbook Multiple Vulnerabilities



      Advisory: Professional PHP Tools Guestbook Multiple Vulnerabilities
  Release Date: 2006/06/17
 Last Modified: 2006/07/17
        Author: Tamriel [tamriel at gmx dot net]
   Application: Professional PHP Tools Guestbook
          Risk: Medium
 Vendor Status: contacted | no patch available
   Vendor Site: www.php-tools.eu


 Overview:

Quote from www.php-tools.eu (translated from German):

   "This simple guestbook can be installed on any web space
    with PHP 5 and MySQL support. Smilies and BBCode are
    integrated. HTML is disabled for security reasons. The
    webmaster has a simple web administration at his
    disposal, with which he can conveniently manage all
    entries. He is also able to block one or more IP
    addresses for the guestbook."

 Details:

   1) SQL Injection Vulnerability in class.php
      (around lines 75-115)

      ...

      $hidemail = $_POST['hidemail'];

      ...

      mysql_query("INSERT INTO gbook ( name, mail, hidemail, datum, ip,
      text ) VALUES ( '$name', '$mail', '$hidemail', '$date', '$ip', '$text' ) ");

      ...

      Here the programmer forgot to validate the input before it is
      placed into the query string.

      The complete script contains several of these vulnerabilities, so
      I mention only one example here.

   2) SQL Injection Vulnerabilities in class.php
      (around line 250 and around line 260)

      ...

      $name = $_POST['name'];
      $mail = $_POST['mail'];
      $ip = $_POST['ip'];
      $text = $_POST['text'];

      mysql_query("UPDATE gbook SET name='$name', mail='$mail', ip='$ip', text='$text' WHERE id='$entry'");

      ...

      mysql_query("DELETE FROM gbook WHERE id='$entry'");
      include(config('tpl_dir').'/del.tpl');

      ...

      As an admin you can inject arbitrary SQL code. It is not clever to
      trust every person who has admin access.

 Version note:

      I have not found any information about the actual version of this script, so take a look at the
      MD5 hashes of the files I examined:

      9f3f1e28f6a449b51bda7f57d7cfbb48 class.php
      c27de7365648eb554c3a4cab83895015 delcookie.php
      faca302875997b345ab4912465df06e4 setcookie.php

 Note:

   1) You can find some other insecure handling, like the administration login in setcookie.php

      ...

      include('config.php');
      if ( md5(config('admin_pass')) == $_GET['pass'] )
        {
         setcookie('gbook', $_GET['pass'], time()+2419200);
        }

      ...

      Attackers can easily brute-force the password here.

   2) delcookie.php

      ...

      setcookie('gbook', $_COOKIE['gbook'], time()-2419200);

      ...

      The logout handler does not overwrite the existing cookie value, so attackers can
      read out the admin's password hash after logout (for example on shared computer systems).

 Solution:

      Use PHP's mysql_real_escape_string(), which calls MySQL's library function mysql_real_escape_string
      and prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.

      In delcookie.php replace "setcookie('gbook', $_COOKIE['gbook'], time()-2419200);" with
      "setcookie('gbook', '', time()-2419200);".
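
      As an added example (not code from the advisory or from the vendor's guestbook), the INSERT from
      section 1 rewritten with PDO prepared statements, which keep user input out of the SQL text entirely
      and so go one step further than the escaping recommended above, together with the delcookie.php fix.
      Table and column names are taken from the advisory; the DSN, credentials, the date format for
      `datum` and the 50-character name limit are assumptions.

```php
<?php
// Added example, not code from the Professional PHP Tools Guestbook: the
// INSERT from section 1 of the advisory rewritten with prepared statements,
// plus the logout fix from the Solution section. Table/column names come from
// the advisory; DSN, credentials, date format and field limits are assumptions.
function gbook_connect(): PDO
{
    $pdo = new PDO('mysql:host=localhost;dbname=gbook_db;charset=utf8mb4',
                   'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false); // real server-side prepares
    return $pdo;
}

// The original (advisory, section 1) interpolated $name, $mail, $hidemail etc.
// straight into the query string. Hardened: input is bound as data, never as SQL.
function gbook_insert(PDO $pdo, array $post, string $remoteIp): int
{
    $hidemail = isset($post['hidemail']) ? 1 : 0;   // checkbox -> strictly 0 or 1
    $mail = filter_var($post['mail'] ?? '', FILTER_VALIDATE_EMAIL);
    if ($mail === false) {
        throw new InvalidArgumentException('invalid mail address');
    }
    // Take the IP from the server, not from a client-controlled POST field.
    $ip = filter_var($remoteIp, FILTER_VALIDATE_IP) ?: '0.0.0.0';

    $stmt = $pdo->prepare(
        'INSERT INTO gbook (name, mail, hidemail, datum, ip, text)
         VALUES (:name, :mail, :hidemail, :datum, :ip, :text)'
    );
    $stmt->execute([
        ':name'     => mb_substr(trim((string) ($post['name'] ?? '')), 0, 50),
        ':mail'     => $mail,
        ':hidemail' => $hidemail,
        ':datum'    => date('Y-m-d H:i:s'),
        ':ip'       => $ip,
        ':text'     => (string) ($post['text'] ?? ''),
    ]);
    return (int) $pdo->lastInsertId();
}

// Logout fix from the Solution section: send an empty value with an expired
// timestamp instead of echoing the stored hash back in the expired cookie.
function gbook_logout(): void
{
    setcookie('gbook', '', time() - 2419200, '/', '', true, true);
}
```

      The extra setcookie() arguments (path, secure, httponly) are not part of the advisory's fix; they
      keep the cleared cookie from being sent over plain HTTP or read by page scripts.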
