phpMyRecipes version 1.x.x suffers from cross site request forgery, cross site scripting, and remote SQL injection vulnerabilities.
#Product: phpMyRecipes version 1.x.x
#Vulnerability: Multiple SQL Injection, XSS and CSRF Vulnerabilities
#Impact: High
#Authors: Rafay Baloch And Sikandar Ali
#Company: RHAinfoSEC
#Website: http://rhainfosec.com
Introduction
============
"PhpMyRecipes is a simple application for storing and retrieving recipes.
It uses a web-based interface, for ease of use
across any system, and a MySQL database backend for storing the recipes."
Description
===========
We performed both whitebox and blackbox testing of phpMyRecipes and found a
large number of high-risk vulnerabilities.
The application is poorly coded from a security perspective: it offers no
filtering mechanism for separating normal input from malicious input.
Vulnerabilities
===============
Several high-risk vulnerabilities, such as SQL injection and XSS, were
discovered. We have provided the vulnerable code for some of the
vulnerabilities. Full details have been sent to the vendor so that they may
apply patches accordingly.
Multiple Cross Site Scripting Vulnerabilities
=============================================
Multiple XSS vulnerabilities were found: user input was not sanitised before
it was returned to the user. It is advised to filter all special characters
before displaying the input back to the user.
Details and PoCs
================
1) http://target.com?r_id=[XSS]
2) http://target.com/ingredients/ingredients.php?from=[XSS]
3) http://target.com/login.php
REQUEST
=======
POST /login.php HTTP/1.1
Content-Length: 89
Content-Type: application/x-www-form-urlencoded
Referer: http://target.com
Host: target.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
password=Uname&username=[XSS]
4) http://recipes.delattre.ca/domenusearch.php
REQUEST
=======
POST /domenusearch.php HTTP/1.1
Content-Length: 194
Content-Type: application/x-www-form-urlencoded
Referer: http://target.com
Host: Target.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
r_acategory[]=5[XSS]&r_arecipes[]=0&r_days=17&r_dcategory[]=5&r_drecipes[]=0&r_mcategory[]=5&r_mrecipes[]=0&r_servings=1&r_step=2
All Post Parameters were found vulnerable to XSS.
5) http://target.com/register.php
REQUEST
=======
POST /register.php HTTP/1.1
Content-Length: 158
Content-Type: application/x-www-form-urlencoded
Referer: http://target.com
Host: target.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
email=aa@gmail.com[XSS]&name=XSS&password1=XSS&password2=XSS&username=XSS
#Note: All parameters were found vulnerable to Cross Site Scripting.
Multiple SQL Injection Vulnerabilities
======================================
Multiple SQL injection vulnerabilities were identified. User input is
inserted directly into the SQL queries without any sanitisation or
filtering.
1) http://target.com/dosearch.php
POST DATA
categories[]=1[Inject_HERE]&ingids[]=20&ing_modifier=2&name_exact=riuciyda&words_all=1&words_any=1&words_exact=1&words_without=1
2) http://target.com/ingredients/ingredients.php?from=[INJECT_HERE]
Vulnerable Code
===============
    // $db_start is taken straight from the request; nothing checks that it is an integer
    if (! empty($_POST['from'])) {
        $db_start = $_POST['from'];
    } elseif (! empty($_GET['from'])) {
        $db_start = $_GET['from'];
    } else {
        $db_start = 0;
    }
    <TABLE BORDER=3 WIDTH=100%>
    <TR>
    <TH WIDTH=85%>Ingredient</TH>
    <TH COLSPAN=2>Actions</TH>
    </TR>
    <?php
    // the unvalidated value is interpolated into the LIMIT clause of the query
    if ($result = mysql_query("SELECT id,name from ingredients ORDER BY name LIMIT $db_start, " . INGREDIENTS_PER_PAGE)) {
        while ($row = mysql_fetch_array($result)) {
    ?>
2) http://target.com/recipes/textrecipe.php?r_id=[INJECT_HERE]
Vulnerable Code
===============
Line 37 - 42
    # Get the recipe ID to view
    $r_id = $_GET['r_id'];
    // r_id is concatenated into the WHERE clause with no validation or escaping
    if (! ($result = mysql_query("SELECT name FROM recipes WHERE id=$r_id"))) {
        dberror("textrecipe.php", "Cannot select recipe");
    }
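As an added example (not phpMyRecipes code), the two queries above rewritten with PDO prepared statements and integer validation, together with the output encoding the XSS section calls for. It assumes a PDO connection in `$pdo` and the application's INGREDIENTS_PER_PAGE constant; the function names are this example's own.

```php
<?php
// Added example, not part of phpMyRecipes: hardened versions of the two
// vulnerable queries. Assumes a PDO connection in $pdo and the constant
// INGREDIENTS_PER_PAGE from the original application.

// ingredients.php: the offset comes from the client, so it is validated as a
// non-negative integer and bound as a typed parameter, never interpolated.
function fetch_ingredients(PDO $pdo, $from): array
{
    // filter_var rejects anything that is not a plain integer >= 0; default to 0
    $start = filter_var($from, FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    if ($start === false) {
        $start = 0;
    }
    // LIMIT operands must not be quoted strings in MySQL, so bind them as PDO::PARAM_INT
    $stmt = $pdo->prepare('SELECT id, name FROM ingredients ORDER BY name LIMIT :start, :count');
    $stmt->bindValue(':start', $start, PDO::PARAM_INT);
    $stmt->bindValue(':count', (int) INGREDIENTS_PER_PAGE, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// textrecipe.php: r_id is validated as a positive integer and bound; a missing
// or malformed id is a client error and never reaches the database.
function fetch_recipe_name(PDO $pdo, $r_id): ?string
{
    $id = filter_var($r_id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT name FROM recipes WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $name = $stmt->fetchColumn();
    return $name === false ? null : (string) $name;
}

// Output encoding: anything reflected into HTML (recipe names, the "from"
// value, search terms, usernames) goes through htmlspecialchars first.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Usage in the page template (connection details are placeholders):
// $pdo = new PDO('mysql:host=localhost;dbname=recipes;charset=utf8mb4', $user, $pass,
//     [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
// foreach (fetch_ingredients($pdo, $_GET['from'] ?? 0) as $row) {
//     echo '<tr><td>' . h($row['name']) . '</td></tr>';
// }
```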
3) http://target.com/
REQUEST
=======
POST /domenutext.php HTTP/1.1
Content-Length: 221
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
Referer: http://target.com
Host: target.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
0=1&1=1&2=1&3=1&4=1&5=1&6=1&7=1&8=1&r_acategory[]=17&r_arecipes[]=[INJECT_HERE]&r_days=17&r_dcategory[]=5&r_drecipes[]=0&r_mcategory[]=5&r_mrecipes[]=0&r_servings=1&r_step=3
4) http://target.com/dosearch.php
REQUEST
=======
POST /dosearch.php HTTP/1.1
Content-Length: 127
Content-Type: application/x-www-form-urlencoded
Referer: http://target.com
Host: target.com
Connection: Keep-alive
Accept-Encoding: gzip,deflate
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/28.0.1500.63 Safari/537.36
Accept: */*
categories[]=[INJECT_HERE]&ingids[]=20&ing_modifier=2&name_exact=aaaaaaa&words_all=1&words_any=1&words_exact=1&words_without=1
Multiple CSRF Vulnerabilities
=============================
All forms were missing CSRF tokens, including some important ones. This
would have allowed an attacker to force the victim's browser into submitting
a request that could then be used to manipulate important details such as
the email address or username. In our analysis, we found no CSRF tokens that
would distinguish a legitimate request sent by the user from one an attacker
forced the victim's browser to send.
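As an added example (not phpMyRecipes code), a minimal synchroniser-token check that the account forms (register.php, login.php, the email and username change form) could use. It assumes the application starts a PHP session before rendering any form; the function names are this example's own.

```php
<?php
// Added example, not part of phpMyRecipes: a per-session CSRF token.
// Assumes session_start() has already been called.

// Issue one random token per session and keep it server side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field for every state-changing form; the value is HTML encoded.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Validate a submitted token: the session token must exist, the submitted
// value must be a string, and the comparison is constant time.
function csrf_valid(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    if (!is_string($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], $post['csrf_token']);
}

// A cross-site request arrives without the session's token (the attacker
// cannot read it), so it is rejected before any account detail is changed.
function handle_register(array $post): void
{
    if (!csrf_valid($post)) {
        http_response_code(403);
        exit('Invalid or missing CSRF token');
    }
    // original registration logic follows here
}
```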