phpWebSite.txt
Posted Sep 9, 2004
Authored by James Bercegay | Site gulftech.org

GulfTech Security Research - phpWebSite versions 0.9.3-4 and prior are susceptible to cross site scripting, SQL injection, script injection, and command execution vulnerabilities.

tags | advisory, vulnerability, xss, sql injection
SHA-256 | 193d3f7bf29951ce40a35cc4e059662ef4bd62391eea6a3038761387aabb6ab1

##########################################################
# GulfTech Security Research August 31st, 2004
##########################################################
# Vendor : phpWebSite Development Team
# URL : http://phpwebsite.appstate.edu/
# Version : phpWebsite 0.9.3-4 And Earlier
# Risk : Multiple Vulnerabilities
##########################################################


Description:
phpWebSite provides a complete web site content management
solution. All client output is valid XHTML 1.0 and meets the
W3C's Web Accessibility Initiative requirements. Current
features: announcement posting, form generator, user
management with granulated administration, calendar, poll,
FAQ, photo album, bulletin board, RSS feeds, user
customizable theme support and more. It is one of the most
popular content management systems in the world.



SQL Injection:
The calendar module of phpWebsite allows users to submit
their own events to the calendar. Upon approval by an admin
(in some cases the admin does not need to approve it, but
this is not a default setting) certain data that was earlier
supplied by the user is then entered into the database. It
could be possible for an attacker to insert malicious
statements via the "cal_template" field and then influence
the UPDATE query when it is executed at approval time. By
default I believe the calendar module allows anyone to submit
a new event for approval.
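The defect described above is a second-order injection: the value is accepted at submission time and only becomes dangerous when the approval step splices it into an UPDATE. The following added example (not phpWebSite code; written against modern PHP's mysqli, which the 2004 code base did not use) contrasts the concatenating pattern with a version that allow-lists the template name and binds it as a parameter. The table name `calendar_events`, the `approved`/`id` columns and the template names in `$allowed` are hypothetical; only `cal_template` comes from the advisory.

```php
<?php
// Added example, not phpWebSite's own code. Only "cal_template" is taken from
// the advisory; table, column and template names are hypothetical.

// Vulnerable pattern: the stored, user-supplied template name is concatenated
// into the approval-time UPDATE, so it can change the statement's structure.
function approve_event_unsafe(mysqli $db, int $eventId, string $calTemplate): void
{
    $sql = "UPDATE calendar_events SET approved = 1, cal_template = '"
         . $calTemplate . "' WHERE id = " . $eventId;
    $db->query($sql);
}

// Hardened version: validate against the templates the site actually ships,
// then bind the value so it is sent as data, never as SQL text.
function approve_event_safe(mysqli $db, int $eventId, string $calTemplate): void
{
    $allowed = ['default', 'compact'];          // hypothetical template names
    if (!in_array($calTemplate, $allowed, true)) {
        throw new InvalidArgumentException('unknown calendar template');
    }

    $stmt = $db->prepare(
        'UPDATE calendar_events SET approved = 1, cal_template = ? WHERE id = ?'
    );
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('si', $calTemplate, $eventId);   // s = string, i = integer
    $stmt->execute();
    $stmt->close();
}

// The same allow-list check belongs at submission time as well, so a bad value
// is rejected before it is ever stored and queued for an admin to approve.
function validate_submitted_template(string $calTemplate): bool
{
    return in_array($calTemplate, ['default', 'compact'], true);
}
```

The allow-list matters even with a prepared statement: a template name is later used to pick a file or a theme, so restricting it to known values closes more than the SQL path.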



Cross Site Scripting:
The phpWebsite developers have done a good job of filtering
GET requests that are passed to the application. However, I
have found one place for a Cross Site Scripting attack to
take place, and that is the comments module.

/index.php?module=comments&CM_op=replyToComment&CM_pid=1[XSS]

The above URL will render the specified code in the browsers
of both guest users and logged in users.



Script Injection:
When sending users private messages via the notes module it
is possible to input script, HTML, etc. into both the subject
and the message fields of the note. When a user visits their
notes module, or reads the note, the code will then be executed.
This can be very dangerous and used to force command execution.
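Both the comments module issue and the notes module issue above are the same defect at the output boundary: a user-controlled value (`CM_pid`, a note subject, a note body) reaches the HTML unescaped. The added example below (not phpWebSite code; function names `h`, `render_reply_form` and `render_note` are hypothetical) shows the fix that closes both: validate the parameter's type where one exists, and escape every string with `htmlspecialchars` at the point it is written into the page.

```php
<?php
// Added example, not phpWebSite's own code. Function names are hypothetical;
// the parameter name CM_pid and the notes fields come from the advisory.

// Escape a string for an HTML text node or a double-quoted attribute.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// The comments module reflected CM_pid into the page. It is an integer, so
// reject anything else before it gets anywhere near the markup.
function render_reply_form(array $get): string
{
    $pid = filter_var($get['CM_pid'] ?? '', FILTER_VALIDATE_INT);
    if ($pid === false || $pid < 1) {
        return '<p>Invalid comment id.</p>';
    }
    // Escaping an integer is a no-op, but doing it at the boundary keeps the
    // rule uniform: every value passes through h() before it is emitted.
    return '<form method="post" action="index.php">'
         . '<input type="hidden" name="CM_pid" value="' . h((string) $pid) . '">'
         . '<textarea name="body"></textarea>'
         . '</form>';
}

// Notes: subject and message are free text and are emitted escaped. Escape
// first, then nl2br(), so the <br> tags we add are the only markup present.
function render_note(string $subject, string $message): string
{
    return '<h3>' . h($subject) . '</h3>'
         . '<p>' . nl2br(h($message)) . '</p>';
}

// Constructed sample input: markup in both fields is rendered as literal text.
$sample = render_note('<script>x()</script>', "line one\n<b>line two</b>");
// $sample === '<h3>&lt;script&gt;x()&lt;/script&gt;</h3>'
//           . '<p>line one<br />' . "\n" . '&lt;b&gt;line two&lt;/b&gt;</p>'
```

If a site genuinely needs rich text in notes, the right tool is an HTML sanitizer with an element allow-list applied on output, not a blacklist of tags applied on input.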



Forced Command Execution:
phpWebsite's only major flaw I have seen is the VERY unsafe use
of the GET method (RFC 2616 9.1.1). The lack of an auth check
before executing key functions is not good either. The code and
the overall app is very nice, but this one issue allows a
user to gain admin privileges and much more. Let's say a malicious
user would like to become admin of a phpWebsite, or perform some
admin functions such as deleting a user they are not very fond of,
such as the site admin :P This is all very much possible, easy
to do, and not very noisy at all. What we need to do is find a
way to force an admin or user to perform a GET request to the
desired command so that it is executed by them. Well, with the XSS
and Script Injection vulns I mentioned earlier this becomes a
VERY easy task. An attacker could use the previously mentioned
vulns and send the malicious request in an image, iframe or any
other appropriate tag and have it executed via the private
message injection vuln, or the comments module XSS issue. The
stuff I just mentioned all makes GET requests, but it is easy
to force a user to make POST requests too. This can be done via
a bit of javascript that automatically submits the form, and the
private message feature which allows javascript to be sent. Now
here are some examples of the vulns.

/index.php?module=users&user_op=user_deify&deification=bestow&user_id=4
/index.php?module=users&user_op=turnOnAdmin&user_id=4
/index.php?module=users&user_op=deleteUser&confirm=yes&user_id=2

These, sent to an admin in a PM, will set the attacker to the deity
level, make the attacker an admin, and then delete the admin
from their own website. This example has the attacker as user
id number 4 and the admin as number 2. Of course these will have
to be changed in most cases to work. Now just send the following
data in [img] tags, or an HTML img tag, to the desired administrator
and then log in to your new super user account.

This issue affects almost all, if not all, of the components on the
phpWebsite, so I am not going to include an example of every little
place that this issue is present, but I will include examples of
the more popular components such as the phpWebsite message board
phpwsbb. This example will delete a desired forum, and then ban
a specified user's (an admin maybe?) name and IP address.

/index.php?module=phpwsbb&PHPWSBB_MAN_OP=banusername&PHPWS_MAN_ITEMS[]=jeiar
/index.php?module=phpwsbb&PHPWSBB_MAN_OP=banip&PHPWS_MAN_ITEMS[]=127.0.0.1
/index.php?module=phpwsbb&PHPWSBB_MAN_OP=deleteforum&PHPWS_MAN_ITEMS[]=1&option_yes=yes

Just put those URLs inside of an [img] tag or an HTML image tag
and the commands will likely be executed successfully. This also
works for the deletion of posts, and just about anything else too.



Solution:
I would like to thank Matthew McNaney and the rest of the dev
team for a prompt response and professional attitude. These guys
care very much about the security of their product, and the well
being of the users.

http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=822

The updated security patches can be downloaded at the above link.
The RFC 2616 security issues will be addressed in the next release
of phpWebsite due out at the end of the year. The next release will
address these issues by requiring a valid authentication key for
actions taken. It should be a great improvement and I believe it
will help make phpWebsite one of the most secure open source
content management systems around.
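The "valid authentication key for actions taken" that the Solution section describes is what is now usually called a CSRF token, and it has to be paired with the other two fixes the advisory calls for: state-changing handlers must refuse GET (so an `<img>` or `<iframe>` fetch can never trigger them) and must actually check that the caller is an admin. The added example below (not phpWebSite code; `csrf_token`, `csrf_field`, `require_admin_post`, `delete_user_handler` and the `is_admin` session flag are hypothetical names) shows the three checks together in modern PHP (7.3 or later for the `samesite` cookie option).

```php
<?php
// Added example, not phpWebSite's own code. All function names and the
// is_admin session flag are hypothetical; user_id is the parameter named in
// the advisory.

// A SameSite cookie is a second, browser-enforced layer: cross-site <img> and
// <iframe> loads will not carry the session cookie at all.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);
session_start();

// One unguessable token per session, created on first use.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Every privileged form embeds the token as a hidden field; a page injected
// through a note or comment cannot read it, so it cannot forge the submit.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Gate for every state-changing handler: right method, valid token, real auth.
function require_admin_post(array $server, array $post, array $session): void
{
    // A GET must never perform an action (RFC 2616 9.1.1).
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        http_response_code(405);
        exit('method not allowed');
    }
    // Constant-time comparison of the submitted key against the session's.
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('invalid or missing authentication key');
    }
    // The auth check the advisory notes was missing before key functions ran.
    if (empty($session['is_admin'])) {
        http_response_code(403);
        exit('admin privileges required');
    }
}

// Handler for the user-deletion action named in the advisory. Returns the
// validated id; the caller performs the delete with a prepared statement and
// then redirects, so a reload cannot repeat the action.
function delete_user_handler(): int
{
    require_admin_post($_SERVER, $_POST, $_SESSION);
    $userId = filter_var($_POST['user_id'] ?? '', FILTER_VALIDATE_INT);
    if ($userId === false || $userId < 1) {
        http_response_code(400);
        exit('bad user id');
    }
    return $userId;
}
```

Note that the token check alone would not have been enough here: with the notes module accepting script, an injected page runs in the victim's origin and can read the token out of the form. That is why the output-escaping fix and the CSRF key have to ship together, and why the method and admin checks belong in the handler rather than in the template.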



Related Info:
The original advisory can be found at the following location:
http://www.gulftech.org/?node=research&article_id=00048-08312004



Credits:
James Bercegay of the GulfTech Security Research Team

© 2022 Packet Storm. All rights reserved.