what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Hardened-PHP Project Security Advisory 2005-21.80

Hardened-PHP Project Security Advisory 2005-21.80
Posted Nov 9, 2005
Authored by Christopher Kunz, Hardened-PHP Project | Site hardened-php.net

PHPKIT versions 1.6.1 R2 and below suffer from cross site scripting, SQL injection, information disclosure, password hash disclosure, local file disclosure, and arbitrary code execution flaws. Various sample exploitation details provided.

tags | exploit, arbitrary, local, code execution, xss, sql injection, info disclosure
SHA-256 | a91e4d42b773ee597b5ea0162d7a64232a6a053f5d7b8e1af72709197633e2f8

Hardened-PHP Project Security Advisory 2005-21.80

Change Mirror Download
Hash: SHA1

Hardened PHP Project

-= Security Advisory =-

Advisory: Multiple vulnerabilities in PHPKIT
Release Date: 2005/11/07
Last Modified: 2005/11/04
Author: Christopher Kunz <christopher.kunz@hardened-php.net>
Application: PHPKIT 1.6.1 R2 and prior
Severity: Cross-Site Scripting, SQL injection and information
disclosure, password hash disclosure, local file
disclosure, arbitrary code execution
Risk: High / Critical (depending on server configuration)
Vendor Status: No fix available
References: http://www.hardened-php.net/advisory_212005.80.html


PHPKIT [1] is a combined content management, homepage building and community
software written in PHP. Although it is available as open source, it has
to be licensed for any other than private use. PHPKIT has the usual feat-
ures for that kind of product (content editing, forums, user management,
etc.). Typically for content management and portal systems, there are
multiple vulnerabilities in several places in the front- and backend.
The install base for PHPKIT can only be estimated - Google shows about
25,000 results for the query "powered by phpkit" [2].
Since we did not perform a full audit, there is no guarantee that the de-
scribed vulnerabilities are the only ones in the product.


1) XSS
Although the PHPKIT team seems to have made an effort to mitigate attacks
with cross-site scripting, this was only partially successful. We found
a number of critical XSS holes that can be exploited by any third party
to steal admin cookies, change HTML code, launch CSRF attacks and so on.

1.1) login/profile.php and login/userinfo.php
Two fields in the profile settings - those for AIM and Yahoo! screen
names - are inserted into the database without any input validation.
Thus, an XSS attack can be performed that is launched on any user who
looks at the offending profile.
The same attack can be launched on an administrator viewing a profile
via the administrator back-end.

1.2) admin/admin.php (with register_globals On)
Since the variable $site_body is not properly initialized, an attacker
can launch an XSS attack against the administrator login screen. This
attack can utilize DOM to steal the administrator's credentials in
cleartext as long as they have some kind of "password safe" function
in their browser. Since script code can be executed on load, all that
an attacker has to do is get the administrator to click on a manipula-
ted link.

1.3) Referrer statistics
By launching a HTTP request with the Referer set to some script code,
e.g. <script>alert('foo')</script>, an attacker prompts this code to
be included in the administrative backend, and executed as soon as
an administrator views the referrer statistics. This comes in handy
since it is a quasi-anonymous way of obtaining the administrator's
session cookies.

1.4) Forum
Although input filtering takes place in the subject and content of
a forum postings, no such filtering is performed when constructing
the HTML <title> tag and the logo's <img alt> attribute - both con-
tain the thread subject in unfiltered HTML, and script code is execu-
ted twice per page.

1.5) imcenter.php
PHPKIT's own instant messaging system does not perform input validation
on the subject line, so any user can IM the admin and contain script
code in the subject.

1.6) Guestbook
The "Homepage" input field in the guest book is not properly sanitized
and any guest (no logged-in users, because their home page is not dis-
played by default) can enter script code. As usual, this is displayed
as soon as the guestbook is viewed.

2) SQL Injection
Same as above: Although many places inside the PHPKIT software are not
prone to SQL injection, some are. This leads to information disclosure
and possibly deletion of arbitrary data in the database.

2.1) SQL injection in profile pages (with magic_quotes_gpc Off)
Using a simple injection, any user of the PHPKIT-powered web site can
disclose the administrator's password hash. This is done via the $id
parameter in login/userinfo.php which is not properly sanitized. With
a crafted UNION statement, the attacker can obtain arbitrary data, in-
cluding but not limited to any user's password hash. A simple cast into
an int would have prevented this problem.
Example: include.php?path=login/userinfo.php&id='%20UNION%20SELECT%201,

Since sessions are contained within the database, an attacker can craft
a session ID to contain SQL commands (which have to be exactly 32 Bytes
in length, though. The vulnerable code is directly in include.php:
$session=$DB->fetch_array($DB->query("SELECT session_id,
session_userid FROM ".$db_tab['session']." WHERE
session_id='".$_REQUEST['PHPKITSID']."' LIMIT 1"));
This SELECT yields one result which is then fed to another SQL query:
$DB->query("DELETE FROM ".$db_tab['session']." WHERE session_id='"
.$session['session_id']."' LIMIT 1");
Using a carefully-crafted SQL statement, arbitrary data rows can be
deleted from the database.

3) Arbitrary local file inclusion and local code execution
Using the vulnerable path parameter that is used in nearly every subsys-
tem of PHPKIT, an attacker can include arbitrary files on the local file
system. This includes uploaded avatars (preferrably in PNG format) that
can also include PHP code. Uploading avatars is not enabled in the
default configuration, so this attack vector is unlikely to be open in
every PHPKIT installation in the wild.
Example: echo "<?php phpinfo() ?>" >> avatar.png

4) Remote code execution (with register_globals On)
Yeah, we saved the best for last. Since PHPKIT relies heavily on eval()
for its homegrown template engine, an attacker only needs a way to inject
a variable in curly braces including PHP code. With register_globals set
to On (which is still the case in a lot of installations, for compati-
bility purposes), this can be accomplished via the help function that
makes use of not properly initialized variables. Thus, any PHP code can
be executed.
There is a number of other places, including the admin backend, that are
vulnerable to this kind of code injection. These vulnerabilities are
either exploitable via complex syntax (a.k.a. curly braces) or, if magic_
quotes_gpc is turned Off, with any code that includes "".
The whole template system urgently needs to be rewritten from scratch,
without relying on unsafe variables and with careful consideration for

Proof of Concept:

Apart from the examples mentioned above, the Hardened PHP Project is not
going to release any PoC for these vulnerabilities to the public.

Disclosure Timeline:

30. September 2005 - Vendor informed.
05. October 2005 - Vendor contacted via phone. Advisory re-sent (allegedly
lost in transit).
16. October 2005 - Vendor informed of intended disclosure timeline.
07. November 2005 - public disclosure at the 2005 International PHP Confer-


Credit for the vulnerabilities listed in 4) goes to Stefan Esser of the
Hardened-PHP team.
Credit for the vulnerability described in 2.2) goes to Stefan Walk.
Credit for the vulnerability named 1.2) goes to Johann-Peter Hartmann.
All other vulnerabilities were investigated by the author.


With the aforementioned lack in vendor reaction, we currently recommend
avoiding usage of PHPKIT altogether.
If you already use the product, we recommend installing the Hardening-Patch
for PHP which can be obtained on our website, and deactivating the
"register_globals" setting in php.ini, virtual host configuration or


[1] http://www.phpkit.de/
[2] http://www.google.com/search?q=%22powered+by+PHPKIT%22


You can discuss this and other vulnerabilities in our forum at
http://forum.hardened-php.net/ - an up-to-date list of advisories can be
found at http://www.hardened-php.net/.



pub 1024D/0A864AA1 2004-04-17 Hardened-PHP Signature Key
Key fingerprint = 066F A6D0 E57E 9936 9082 7E52 4439 14CC 0A86 4AA1

Copyright 2005 Christopher Kunz / Hardened PHP Project. All rights reserved.

Version: GnuPG v1.2.5 (GNU/Linux)

Login or Register to add favorites

File Archive:

February 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Feb 1st
    16 Files
  • 2
    Feb 2nd
    19 Files
  • 3
    Feb 3rd
    0 Files
  • 4
    Feb 4th
    0 Files
  • 5
    Feb 5th
    24 Files
  • 6
    Feb 6th
    2 Files
  • 7
    Feb 7th
    10 Files
  • 8
    Feb 8th
    25 Files
  • 9
    Feb 9th
    37 Files
  • 10
    Feb 10th
    0 Files
  • 11
    Feb 11th
    0 Files
  • 12
    Feb 12th
    17 Files
  • 13
    Feb 13th
    20 Files
  • 14
    Feb 14th
    25 Files
  • 15
    Feb 15th
    15 Files
  • 16
    Feb 16th
    6 Files
  • 17
    Feb 17th
    0 Files
  • 18
    Feb 18th
    0 Files
  • 19
    Feb 19th
    35 Files
  • 20
    Feb 20th
    25 Files
  • 21
    Feb 21st
    18 Files
  • 22
    Feb 22nd
    15 Files
  • 23
    Feb 23rd
    0 Files
  • 24
    Feb 24th
    10 Files
  • 25
    Feb 25th
    0 Files
  • 26
    Feb 26th
    37 Files
  • 27
    Feb 27th
    34 Files
  • 28
    Feb 28th
    0 Files
  • 29
    Feb 29th
    0 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Security Services
Hosting By