php-stanford.txt

Posted Dec 14, 2005
Authored by Stanford Researchers

A group of Stanford researchers have discovered 99 vulnerabilities when auditing e107 version 0.7, myBloggie version 2.1.3beta, utopia NewPro version 1.1.4, DCP Portal version 6.1.1, and PHP Webthings version 1.4. They have not released exploitation information, however.

tags | advisory, php, vulnerability
SHA-256 | 9f4befbadd47367ea11c650c514480272ba50d6d8d9f8494e5e8c9df32678f71

Hi, we are a group of Stanford researchers and we have recently
developed an automated tool for detecting injection vulnerabilities in
PHP. We ran our tool on the following list of software and found 99
potential security vulnerabilities (inspected bug reports attached
below):

e107 -- v0.7
myBloggie -- v2.1.3beta
utopia NewPro -- v1.1.4
DCP Portal -- v6.1.1
PHP Webthings -- v1.4 patched

The tool detects unsanitized user input that subsequently flows into
SQL queries. With slight modifications, it can also find potential XSS
vulnerabilities by inspecting strings echoed back as HTML output.

Most of these seem remotely exploitable, and we have notified vendors
of confirmed exploits. We decided not to publish exploits in the
interest of web sites that have deployed such software.

More detailed information about the tool, including proof of concept
exploits (vendor notified, and since patched), can be obtained from the
links below.

We would appreciate any comments and feedback regarding the tool and
the results.

Thanks,
Yichen Xie

For more information:

http://glide.stanford.edu/yichen/research/sec.ps
http://glide.stanford.edu/yichen/research/sec.pdf

==========
PHP-fusion
==========

==============
Utopia NewsPro
==============

8 potentially exploitable vulnerabilities

ERROR: ./editnews.php:@main: _POST#g["newsid"]
----------------------------------------------
This error occurs at lines 24-25 in editnews.php. User input
_POST["newsid"] may directly flow into the SQL query below, resulting
in a potentially exploitable SQL injection vulnerability.

ERROR: ./faq.php:@main: _GET#g["catid"]
---------------------------------------
This error occurs at lines 61-62 in faq.php. We believe user input
_GET["catid"] is improperly checked in the following line: the regular
expression seems to only check for the existence of a number. It is
probably missing the "^" and "$" that ensure "catid" _is_ a number.

ERROR: ./faq.php:@main: _GET#g["question"]
------------------------------------------
Lines 107-108 in faq.php. Similar to the above.

ERROR: ./postnews.php:@main: _POST#g["poster"]
----------------------------------------------
Line 28: $newsposter is not validated before being passed into the
query string at line 42.

ERROR: ./templates.php:@main: _POST#g["tempid"]
-----------------------------------------------
Line 33: $tempid is not validated before being passed into the query
string at line 40.

ERROR: ./users.php:@main: _GET#g["userid"]
------------------------------------------
Line 256: $userid is not properly validated: the regular expression
at line 262 checks the existence of a number in $userid. Missing "^"
and "$"?

ERROR: ./users.php:@main: _POST#g["groupid"]
--------------------------------------------
Line 31: $groupid is not validated before being passed into the query
string at line 72.

ERROR: ./users.php:@main: _POST#g["userid"]
-------------------------------------------
Line 29: $userid is not validated before being passed into the query
string at line 54.

======
e107
======

ERROR: ./signup.php:@main: _POST#g["email"]
-------------------------------------------
Line 256: malformed $_POST['email'] may cause SQL injection.

ERROR: ./signup.php:@main: _POST#g["hideemail"]
-----------------------------------------------
Line 336: malformed $_POST['hideemail'] may cause SQL injection.

ERROR: ./signup.php:@main: _POST#g["image"]
-------------------------------------------
Line 336: malformed $_POST['image'] may cause SQL injection.

ERROR: ./signup.php:@main: _POST#g["realname"]
----------------------------------------------
Line 336: Similar to the above.

ERROR: ./signup.php:@main: _POST#g["signature"]
-----------------------------------------------
Line 336: Similar to the above.

ERROR: ./signup.php:@main: _POST#g["timezone"]
----------------------------------------------
Line 336: Similar to the above.

ERROR: ./signup.php:@main: _POST#g["xupexist"]
----------------------------------------------
Line 336: Similar to the above.

ERROR: ./subcontent.php:@main: _POST#g["content_comment"]
ERROR: ./subcontent.php:@main: _POST#g["content_rating"]
ERROR: ./subcontent.php:@main: _POST#g["content_summary"]
---------------------------------------------------------
Line 119: Similar to the above.

ERROR: ./upload.php:@main: _POST#g["download_category"]
ERROR: ./upload.php:@main: _POST#g["file_demo"]
-------------------------------------------------------
Line 59

ERROR: ./usersettings.php:@main: _POST#g["email"]
-------------------------------------------------
Line 201: validity check of _POST["email"] does not prevent SQL
injection into query string at Line 205.

ERROR: ./usersettings.php:@main: _POST#g["hideemail"]
-----------------------------------------------------
Use of non-validated input _POST["hideemail"] at line 276.

ERROR: ./usersettings.php:@main: _POST#g["user_timezone"]
---------------------------------------------------------
Same as above.

ERROR: ./usersettings.php:@main: _POST#g["user_xup"]
----------------------------------------------------
Same as above.

===========
myBloggie
===========

16 potentially exploitable vulnerabilities

ERROR: ./login.php:@main: _POST#g["username"]
---------------------------------------------
Def: Line 41; Use: line 65 (fixed by the recent patch)

ERROR: ./add.php:@main: _POST#g["category"]
-------------------------------------------
$cat_id defined at line 203 may cause SQL injection in query string at
line 268.

ERROR: ./addcat.php:@main: _POST#g["cat_desc"]
----------------------------------------------
$cat_desc defined at line 73, and passed into SQL query at line 79.

ERROR: ./adduser.php:@main: _POST#g["level"]
--------------------------------------------
$level defined at line 48, and passed into SQL query at line 74.

ERROR: ./adduser.php:@main: _POST#g["user"]
-------------------------------------------
$user defined at line 46, and used in query string at line 50.

ERROR: ./del.php:@main: _GET#g["post_id"]
-----------------------------------------
Def: line 35; Use: line 44

ERROR: ./delcat.php:@main: _GET#g["cat_id"]
-------------------------------------------
Def: line 44; Use: line 52

ERROR: ./delcomment.php:@main: HTTP_GET_VARS#g["comment_id"]
------------------------------------------------------------
Line 35: inappropriate validation with "intval"

ERROR: ./deluser.php:@main: _GET#g["id"]
----------------------------------------
Def: line 45; Use: line 53

ERROR: ./edit.php:@main: _GET#g["post_id"]
------------------------------------------
Def: line 31; Use: line 43, 45

ERROR: ./edit.php:@main: _POST#g["category"]
--------------------------------------------
Def: line 195; Use: line 228

ERROR: ./editcat.php:@main: _GET#g["cat_id"]
--------------------------------------------
Def: line 64; Use: line 66

ERROR: ./editcat.php:@main: _POST#g["cat_desc"]
-----------------------------------------------
Def: line 83; Use: line 84

ERROR: ./edituser.php:@main: _GET#g["id"]
-----------------------------------------
Def: line 47; Use: line 50

ERROR: ./edituser.php:@main: _POST#g["level"]
---------------------------------------------
Def: line 94; Use: line 97, 103

ERROR: ./edituser.php:@main: _POST#g["user"]
--------------------------------------------
Def: line 71; Use: line 97, 103

===============
PHP Webthings
===============

20 potentially exploitable SQL injection vulnerabilities

ERROR: ./download.php:@main: _GET#g["ref"]
------------------------------------------
Bug in function draw_download_categories (used in download.php),
defined in modules/downloads/functions.php. $ref1 holds user input
$_GET["ref"] (line 33) and is used in a query on line 41.

ERROR: ./forum.php:@main: _GET#g["direction"]
---------------------------------------------
Bug occurs in function draw_fs_small (used in forum.php, line 231),
defined in modules/downloads/functions.php. $direction holds
user input $_GET['direction'] and is subsequently used in the
construction of SQL queries.

ERROR: ./forum.php:@main: _POST#g["direction"]
----------------------------------------------
Same as above.

ERROR: ./forum.php:@main: _GET#g["forum"]
-----------------------------------------
Line 22 in forum.php.

ERROR: ./forum.php:@main: _GET#g["msg"]
---------------------------------------
forum.php: Line 58.

ERROR: ./forum.php:@main: _GET#g["sforum"]
------------------------------------------
Bug occurs in function draw_fs_form (used in forum.php, line 186),
defined in modules/downloads/functions.php. $forumcod is defined using
$_GET["sforum"] and is subsequently used in the construction of SQL queries.

ERROR: ./forum.php:@main: _POST#g["sforum"]
-------------------------------------------
Same as above.

ERROR: ./forum.php:@main: _POST#g["reason"]
-------------------------------------------
modules/forum/movetopic.php: defined on line 74 and 80, used on line
90

ERROR: ./forum.php:@main: _REQUEST#g["forum"]
---------------------------------------------
defined: forum.php: line 124.
used: modules/forum/split.php: line 2

ERROR: ./forum.php:@main: _REQUEST#g["msg"]
-------------------------------------------
defined: forum.php: line 122.
used: modules/forum/split.php: line 2

ERROR: ./forum.php:@main: _REQUEST#g["subname"]
-----------------------------------------------
defined: line 135, used line 139

ERROR: ./forum.php:@main: _REQUEST#g["toforum"]
-----------------------------------------------
defined: forum.php: line 110
used: modules/forum/movetopic.php: line 62

ERROR: ./forum_edit.php:@main: _GET#g["msg"]
--------------------------------------------
line 25

ERROR: ./forum_edit.php:@main: _GET#g["forum"]
----------------------------------------------
line 25

ERROR: ./forum_write.php:@main: _GET#g["forum"]
-----------------------------------------------
invokes forum_edit.php, same as above.

ERROR: ./forum_write.php:@main: _GET#g["msg"]
---------------------------------------------
invokes forum_edit.php, same as above.

ERROR: ./forum_write.php:@main: _POST#g["msg"]
----------------------------------------------
modules/forum/write.php: def: line 85, use line 88

ERROR: ./guestbook.php:@main: _POST#g["tekst"]
----------------------------------------------
modules/guestbook/functions.php: def:line 202, use: line 203

ERROR: ./index.php:@main: _REQUEST#g["menuoption"]
--------------------------------------------------
def: index.php: line 7
use: core/theme.php: line 148

ERROR: ./myaccount.php:@main: _POST#g["sel_avatar"]
---------------------------------------------------
def: line 186
use: line 195

============
DCP Portal
============

ERROR: ./advertiser.php:@main: _POST#g["password"]
--------------------------------------------------
Line 50

ERROR: ./advertiser.php:@main: _POST#g["username"]
--------------------------------------------------
Line 50

ERROR: ./annoucement.php:@main: _GET#g["aid"]
---------------------------------------------
Line 13

ERROR: ./calendar.php:@main: _COOKIE#g["dcp5_member_id"]
--------------------------------------------------------
Def: line 23. Use: line 65-66

ERROR: ./calendar.php:@main: _POST#g["year"]
--------------------------------------------
Def: line 38. Use: line 65-66

ERROR: ./calendar.php:@main: _REQUEST#g["agid"]
-----------------------------------------------
Line 215-216

ERROR: ./calendar.php:@main: _REQUEST#g["day"]
----------------------------------------------
Def: line 38. Use: line 65-66

ERROR: ./calendar.php:@main: _REQUEST#g["day_s"]
------------------------------------------------
Line 209-210

ERROR: ./calendar.php:@main: _REQUEST#g["hour"]
-----------------------------------------------
Line 209-210

ERROR: ./calendar.php:@main: _REQUEST#g["minute"]
-------------------------------------------------
Line 209-210

ERROR: ./calendar.php:@main: _REQUEST#g["month"]
------------------------------------------------
Def: line 41. Use: line 65-66

ERROR: ./calendar.php:@main: _REQUEST#g["month_s"]
--------------------------------------------------
Line 209-210

ERROR: ./calendar.php:@main: _REQUEST#g["year"]
-----------------------------------------------
Def: line 41. Use: line 65-66

ERROR: ./calendar.php:@main: _REQUEST#g["year_s"]
-------------------------------------------------
Line 209-210

ERROR: ./contents.php:@main: _GET#g["cid"]
------------------------------------------
Line 15

ERROR: ./forums.php:@main: _COOKIE#g["dcp5_member_id"]
------------------------------------------------------
Line 93, UserValid uses _COOKIE#g["dcp5_member_id"] in query.

ERROR: ./forums.php:@main: _GET#g["bid"]
----------------------------------------
Line 87

ERROR: ./forums.php:@main: _GET#g["mid"]
----------------------------------------
Line 161

ERROR: ./forums.php:@main: _POST#g["mid"]
-----------------------------------------
Line 221

ERROR: ./go.php:@main: _GET#g["bid"]
------------------------------------
Line 9

ERROR: ./golink.php:@main: _GET#g["lid"]
----------------------------------------
Line 9

ERROR: ./inbox.php:@main: _COOKIE#g["dcp5_member_id"]
-----------------------------------------------------
Line 9, UserValid uses _COOKIE#g["dcp5_member_id"] in query.

ERROR: ./inbox.php:@main: _GET#g["mid"]
---------------------------------------
Line 239

ERROR: ./index.php:@main: _GET#g["catid"]
-----------------------------------------
Line 234

ERROR: ./index.php:@main: _GET#g["cid"]
---------------------------------------
Line 60

ERROR: ./index.php:@main: _GET#g["dcat"]
----------------------------------------
Line 306

ERROR: ./index.php:@main: _GET#g["dl"]
--------------------------------------
Line 370

ERROR: ./index.php:@main: _GET#g["doc"]
---------------------------------------
Line 328

ERROR: ./index.php:@main: _GET#g["lcat"]
----------------------------------------
Line 252

ERROR: ./index.php:@main: _GET#g["uid"]
---------------------------------------
Line 538

ERROR: ./informer.php:@main: _COOKIE#g["dcp5_member_id"]
--------------------------------------------------------
Line 9, UserValid

ERROR: ./lostpassword.php:@main: _POST#g["email"]
-------------------------------------------------
Line 91

ERROR: ./mycontents.php:@main: _COOKIE#g["dcp5_member_id"]
----------------------------------------------------------
Line 9, UserValid

ERROR: ./news.php:@main: _GET#g["nid"]
--------------------------------------
Line 13

ERROR: ./rate.php:@main: _GET#g["cid"]
--------------------------------------
Line 9

ERROR: ./rate.php:@main: _GET#g["type"]
---------------------------------------
Line 17

ERROR: ./rate.php:@main: _POST#g["rate"]
----------------------------------------
Line 17

ERROR: ./search.php:@main: _POST#g["q"]
---------------------------------------
Line 20, 28, 36...

ERROR: ./update.php:@main: _COOKIE#g["dcp5_member_id"]
------------------------------------------------------
Line 9
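The block below is an added illustration and is not the Stanford tool, nor code from any of the audited packages. It is a toy intraprocedural taint checker in Python that models the flow the bug reports above describe (request superglobals reaching mysql_query()) and, mirroring the "missing ^ and $" reports, treats an unanchored preg_match() as a check that does not clear the taint, while an anchored one or an intval() cast does. The PHP it scans is a constructed sample in the shape of the faq.php and postnews.php reports; it is not the real faq.php, and the def/use line numbers in its output are those of the sample. The report strings follow the advisory's own ERROR: ./file:@main: SOURCE#g["key"] format.

```python
import re

# Added example, not the Stanford tool: a toy intraprocedural taint checker for
# PHP. Sources are the request superglobals, the sink is mysql_query(), and only
# an anchored preg_match() or an integer cast counts as validation. It assumes
# one file, straight-line flow and no function calls (the real reports above
# also follow data into functions defined in other files).
SOURCE_RE = re.compile(r'''\$(_GET|_POST|_REQUEST|_COOKIE|HTTP_GET_VARS)\[['"](\w+)['"]\]''')
ASSIGN_RE = re.compile(r'^\s*\$(\w+)\s*=\s*(.+);\s*$')
PREG_RE = re.compile(r'''preg_match\(\s*['"]/(.*?)/[a-z]*['"]\s*,\s*\$(\w+)\s*\)''')
QUERY_RE = re.compile(r'mysql_query\((.*)\)')
VAR_RE = re.compile(r'\$(\w+)')
INT_CAST_RE = re.compile(r'^\s*(intval\(|\(int\))')


def is_anchored(pattern):
    # A whole-string check must pin both ends. '/[0-9]+/' only asks whether a
    # digit occurs somewhere, which is the "missing ^ and $" bug reported above.
    # PCRE's \z is accepted as the stricter end anchor.
    return pattern.startswith('^') and pattern.endswith(('$', r'\z'))


def check_php(filename, source):
    """Return findings in the advisory's report format; line numbers are those
    of the scanned text."""
    tainted = {}  # variable name -> (superglobal, key, def_line, note)
    findings = []

    def report(origin, use_line):
        glob, key, def_line, note = origin
        findings.append({"error": f'ERROR: ./{filename}:@main: {glob}#g["{key}"]',
                         "def_line": def_line, "use_line": use_line, "note": note})

    for lineno, line in enumerate(source.splitlines(), start=1):
        # 1. Sink: tainted data, or a superglobal read in place, reaching the query
        m = QUERY_RE.search(line)
        if m:
            for glob, key in SOURCE_RE.findall(m.group(1)):
                report((glob, key, lineno, "request data used directly in query"), lineno)
            for var in VAR_RE.findall(m.group(1)):
                if var in tainted:
                    report(tainted[var], lineno)
        # 2. Validation: an anchored regex clears the taint; an unanchored one does not
        m = PREG_RE.search(line)
        if m and m.group(2) in tainted:
            pattern, var = m.group(1), m.group(2)
            if is_anchored(pattern):
                del tainted[var]
            else:
                glob, key, def_line, _ = tainted[var]
                tainted[var] = (glob, key, def_line,
                                f'regex at line {lineno} is not anchored (missing "^" and "$")')
        # 3. Assignment: taint flows from a source or a tainted variable into the LHS
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        lhs, rhs = m.group(1), m.group(2)
        src = SOURCE_RE.search(rhs)
        if INT_CAST_RE.match(rhs):
            tainted.pop(lhs, None)  # intval()/(int) yields a harmless integer
        elif src:
            tainted[lhs] = (src.group(1), src.group(2), lineno, "no validation before use")
        else:
            carrier = next((v for v in VAR_RE.findall(rhs) if v in tainted), None)
            if carrier:
                tainted[lhs] = tainted[carrier]
            else:
                tainted.pop(lhs, None)  # overwritten with clean data
    return findings


# Constructed sample in the shape of the faq.php / postnews.php reports above;
# it is not code from Utopia NewsPro.
SAMPLE_PHP = """<?php
$catid = $_GET["catid"];
if (!preg_match('/[0-9]+/', $catid)) { die("bad category"); }
$sql = "SELECT * FROM faq WHERE catid = $catid";
$result = mysql_query($sql);

$question = $_GET["question"];
if (!preg_match('/^[0-9]+$/', $question)) { die("bad question"); }
$result = mysql_query("SELECT * FROM faq WHERE id = $question");

$poster = $_POST["poster"];
$uid = intval($_POST["userid"]);
mysql_query("INSERT INTO news (poster, uid) VALUES ('$poster', $uid)");
mysql_query("DELETE FROM news WHERE id = " . $_GET["id"]);
?>"""

if __name__ == "__main__":
    for f in check_php("faq.php", SAMPLE_PHP):
        print(f["error"])
        print(f"  def: line {f['def_line']}; use: line {f['use_line']} ({f['note']})")
```

Run against the sample, the checker reports catid (read on line 2, used on line 5, with the unanchored regex on line 3 named as the reason), poster (line 11, used on line 13) and the in-place $_GET["id"] read on line 14; question is cleared by the anchored check on line 8 and userid by intval(). Two caveats a reviewer would add: in PCRE "$" still matches before a trailing newline unless the D modifier is set, so "\z" is the stricter end anchor; and a real tool has to be path-sensitive and interprocedural, since a check inside an if-branch or a query built in another file (as several reports above note) is invisible to this line-by-line pass.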