Advisory: Professional PHP Tools Guestbook Multiple Vulnerabilities
Release Date: 2006/06/17
Last Modified: 2006/07/17
Author: Tamriel [tamriel at gmx dot net]
Application: Professional PHP Tools Guestbook
Risk: Medium
Vendor Status: contacted | no patch available
Vendor Site: www.php-tools.eu


Overview:

Quote from www.php-tools.eu (translated from German):

"This simple guestbook can be installed on any web space
with PHP 5 and MySQL support. Smilies and BBCode are
integrated. HTML is disabled for security reasons. The
webmaster has a simple web administration interface
with which he can conveniently manage all entries. He
is also able to block one or more IP addresses from
the guestbook."

Details:

1) SQL Injection Vulnerability in class.php
(around lines 75-115)

...

$hidemail = $_POST['hidemail'];

...

mysql_query("INSERT INTO gbook ( name, mail, hidemail, datum, ip, text ) VALUES ( '$name', '$mail', '$hidemail', '$date', '$ip', '$text' ) ");

...

Here the programmer forgot to validate the input: $hidemail, like the other POST values, is copied straight into the INSERT statement, so a value containing a single quote changes the query. The script itself escapes nothing; whether the quote reaches the query depends only on the server's magic_quotes_gpc setting.

In the complete script you can find these vulnerabilities in several places, so I mention only one example here.

2) SQL Injection Vulnerabilities in class.php
(around line 250 and around line 260)

...

$name = $_POST['name'];
$mail = $_POST['mail'];
$ip = $_POST['ip'];
$text = $_POST['text'];

mysql_query("UPDATE gbook SET name='$name', mail='$mail', ip='$ip', text='$text' WHERE id='$entry'");

...

mysql_query("DELETE FROM gbook WHERE id='$entry'");
include(config('tpl_dir').'/del.tpl');

...

These queries belong to the administration interface, so they require admin access, but the POST values and the entry id $entry are again used unescaped, and an admin can inject arbitrary SQL through them. It is not clever to trust every person who has admin access.

Version note:

I have not found any information about the current version of this script, so take a look at the
MD5 hashes of the files I checked:

9f3f1e28f6a449b51bda7f57d7cfbb48 class.php
c27de7365648eb554c3a4cab83895015 delcookie.php
faca302875997b345ab4912465df06e4 setcookie.php

Note:

1) There is other insecure handling, for example the administration login in setcookie.php

...

include('config.php');
if ( md5(config('admin_pass')) == $_GET['pass'] )
{
setcookie('gbook', $_GET['pass'], time()+2419200);
}

...

The login takes the MD5 hash of the admin password as a GET parameter, compares it with the unsalted MD5 of the configured password and stores that hash in a cookie for 28 days (2419200 seconds). There is no rate limiting, so an attacker can brute-force the password against this URL; the hash also ends up in the web server's access log and in the browser history.

2) delcookie.php

...

setcookie('gbook', $_COOKIE['gbook'], time()-2419200);

...

The logout handler does not overwrite the existing cookie value; it re-sends the admin's password hash in the Set-Cookie header, only with an expiry date in the past. It relies on the browser to discard the cookie instead of clearing the value itself, so on shared computer systems an attacker may still read out the admin's password hash after logout.

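The following is an added example, not the vendor's code, showing one way to rewrite the login in setcookie.php and the logout in delcookie.php so that the password hash never travels in a URL or a cookie: the browser only holds PHP's random session id and the admin flag lives server-side. It assumes config.php provides config('admin_pass') as in the original script, that the password is submitted in a hypothetical POST field named 'pass', and PHP 5.2 or newer for the seven-argument setcookie().

```php
<?php
// Added example, not the vendor's code: replacement for setcookie.php / delcookie.php.
// Assumptions: config('admin_pass') exists as in the original script; the login form
// posts the password in a field named 'pass' (hypothetical); PHP 5.2+.
include('config.php');

ini_set('session.cookie_httponly', 1);   // keep the session cookie away from scripts
session_start();

// Returns true and marks the session as admin when the password matches.
function admin_login($submitted_pass) {
    $expected = md5(config('admin_pass'));   // same hash format as the original check
    $given    = md5($submitted_pass);
    // Constant-time comparison where hash_equals() exists (PHP 5.6+); the === fallback
    // at least avoids the loose == comparison of the original.
    $ok = function_exists('hash_equals') ? hash_equals($expected, $given) : ($expected === $given);
    if ($ok) {
        session_regenerate_id(true);         // fresh session id on privilege change
        $_SESSION['gbook_admin'] = true;     // privilege is stored server-side, not in the cookie
    }
    return $ok;
}

// Replacement for delcookie.php: empties the session and expires the session cookie
// with an empty value instead of echoing the old value back to the browser.
function admin_logout() {
    $_SESSION = array();
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 2419200, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Check for the administration pages, replacing the comparison against the 'gbook' cookie.
function is_admin() {
    return !empty($_SESSION['gbook_admin']);
}

// Minimal dispatch: the password arrives in the POST body, never in the query string.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['pass'])) {
    if (!admin_login($_POST['pass'])) {
        header('HTTP/1.0 403 Forbidden');
        echo 'Login failed';
        exit;
    }
}
```

This removes the hash from logs, history and cookies, but it does not stop online guessing by itself; rate limiting or lockout of the login URL is a separate measure that the example does not add.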
Solution:

Pass every value that goes into a query through PHP's mysql_real_escape_string(), which calls MySQL's library function mysql_real_escape_string and prepends backslashes to the characters \x00, \n, \r, \, ', " and \x1a. Keep the single quotes around every value in the query; escaping does nothing for a value that is not quoted. On PHP 5 the better option is a prepared statement via mysqli or PDO, where user input never becomes part of the SQL text.

In delcookie.php replace "setcookie('gbook', $_COOKIE['gbook'], time()-2419200);" with
"setcookie('gbook', '', time()-2419200);".
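As an added example (not the vendor's code), here is the INSERT from Details 1) in its vulnerable form next to two hardened forms: the mysql_real_escape_string() fix recommended above, and a PDO prepared statement; the admin UPDATE and DELETE from Details 2) are handled the same way. It assumes $link is the resource returned by mysql_connect() elsewhere in the script, $pdo is a PDO connection to the same database, and that gbook.id is an integer column.

```php
<?php
// Added example, not the vendor's code. Written for the PHP 5 mysql extension the
// script uses; $link, $pdo and the integer type of gbook.id are assumptions.

// Vulnerable form, as in class.php: every value is interpolated into the SQL unescaped,
// so a single quote in $name (or any other field) rewrites the statement.
function insert_entry_vulnerable($link, $name, $mail, $hidemail, $date, $ip, $text) {
    return mysql_query("INSERT INTO gbook ( name, mail, hidemail, datum, ip, text ) "
        . "VALUES ( '$name', '$mail', '$hidemail', '$date', '$ip', '$text' )", $link);
}

// Hardened form 1: mysql_real_escape_string() on every value, using the connection's
// charset. The quotes around each value stay; escaping only protects quoted strings.
function insert_entry_escaped($link, $name, $mail, $hidemail, $date, $ip, $text) {
    // POST values already carry backslashes when magic_quotes_gpc is on;
    // strip them first or they would be escaped twice.
    if (get_magic_quotes_gpc()) {
        $name     = stripslashes($name);
        $mail     = stripslashes($mail);
        $hidemail = stripslashes($hidemail);
        $text     = stripslashes($text);
    }
    $name     = mysql_real_escape_string($name, $link);
    $mail     = mysql_real_escape_string($mail, $link);
    $hidemail = mysql_real_escape_string($hidemail, $link);
    $date     = mysql_real_escape_string($date, $link);
    $ip       = mysql_real_escape_string($ip, $link);
    $text     = mysql_real_escape_string($text, $link);
    return mysql_query("INSERT INTO gbook (name, mail, hidemail, datum, ip, text) "
        . "VALUES ('$name', '$mail', '$hidemail', '$date', '$ip', '$text')", $link);
}

// The admin DELETE from class.php: the id is numeric (assumption), so cast it
// instead of quoting a string; a non-numeric value becomes 0 and matches nothing.
function delete_entry($link, $entry) {
    $id = (int) $entry;
    return mysql_query("DELETE FROM gbook WHERE id=$id", $link);
}

// Hardened form 2: a PDO prepared statement (PDO ships with PHP 5.1+). Values are
// sent separately from the SQL text, so the PHP code needs no escaping at all.
function insert_entry_prepared(PDO $pdo, $name, $mail, $hidemail, $date, $ip, $text) {
    $stmt = $pdo->prepare('INSERT INTO gbook (name, mail, hidemail, datum, ip, text) '
        . 'VALUES (?, ?, ?, ?, ?, ?)');
    return $stmt->execute(array($name, $mail, $hidemail, $date, $ip, $text));
}

// The admin UPDATE from class.php as a prepared statement.
function update_entry_prepared(PDO $pdo, $entry, $name, $mail, $ip, $text) {
    $stmt = $pdo->prepare('UPDATE gbook SET name=?, mail=?, ip=?, text=? WHERE id=?');
    return $stmt->execute(array($name, $mail, $ip, $text, (int) $entry));
}
```

The magic_quotes_gpc check applies to the prepared-statement variants as well: if the server adds backslashes to POST data, strip them before binding, otherwise the stored entries contain stray backslashes.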