what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

VWar Cross Site Scripting / SQL Injection / Broken Access Controls

VWar Cross Site Scripting / SQL Injection / Broken Access Controls
Posted Aug 24, 2010
Authored by Darren McDonald

VWar suffers from cross site scripting, remote SQL injection, broken access controls and weak password generation vulnerabilities.

tags | exploit, remote, vulnerability, xss, sql injection
SHA-256 | 340cfcbbdfb9644effebb0512c1fe8ff862d9442b4ea2ba49f74bc3aab9d6bc7

VWar Cross Site Scripting / SQL Injection / Broken Access Controls

Change Mirror Download
Back in April 2008 I found a bunch of vulnerabilities in PHP clan management
system, however the project had just changed hands. Since then the new
project leader has been assuring me that new secure release which fixed all
the found issues was just around the corner. Over two years later I remember
I'm still hanging on to these issues, so I think it is time to release them,
patch or not. The SQL injection issue was released on
http://www.securityfocus.com/bid/29001 back in May 2008, as project reverted
to an older version which was not vulnerable to this issue. Here is the
orginial list of findings.

Best,

Renski

A copy of this document can be found at dmcdonald.net/vwar.txt

1. SQL Injection

1.1 Summary

An SQL Injection vulnerability has been discovered in the article rating
system in
http://mydomain.com/vwar/article.php This issue could be used by an
attacker to
deface articles, deny service to other users (DoS), and other SQL
Injection
related issues.

1.2 Technical Details

The bug itself is in vwar/article.php, line 44

39 if (is_numeric($GPC["rate"])){
40 if ($GPC["ratearticleselect"] && $GPC["ratearticleselect"]
<= 6){
41
42 $vwardb->query("UPDATE vwar".$n."_article
43 SET
44 articleratingpoints =
articleratingpoints+".$GPC["ratearticleselect"].",
45 articlerated = articlerated+1
46 WHERE articleid = '".$GPC["rate"]."'");
47
48 $redirecturl =
"article.php?articleid=".$GPC["rate"];
49 include ($vwar_root . "includes/get_header.php");
50
eval("\$vwartpl->output(\"".$vwartpl->get("message_confirmation")."\");");
51 include ($vwar_root . "includes/get_footer.php");
52 exit();
53 } else {
54 ...

A proof of concept can be seen in the following post request which
results in
the main body of the article being replaced with the text 'NGS TEST'

POST /vwar/article.php?rate=1 HTTP/1.1
Host: mydomain.com
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-GB; rv:1.8.1.13)
Gecko/20080311 Firefox/2.0.0.13
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-gb,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Proxy-Connection: keep-alive
Referer: http://mydomain.com/vwar/article.php?articleid=1
Content-Type: application/x-www-form-urlencoded
Content-Length: 64

ratearticleselect=5, article = char(78,71,83,32,84,69,83,84)

It is also possible to cause vwar to run out of memory when attempting
to
display the article by setting ratearticleselect to a high enough value,
for example;

ratearticleselect=5%2b999999

when the article in question is requested by a user, vwar will run out
of memory
attempting to generate html containing vast numbers of IMG tags to
display the
star rating.

1.3 Workaround

There is no known workaround for this issue.

2. Stored Cross Site Scripting (XSS)

2.1 Summary

Five entry points for stored XSS have been found in the following
locations

http://mydomain.com/vwar/challenge.php
http://mydomain.com/vwar/joinus.php
http://mydomain.com/vwar/admin/admin.php?action=finishwar&warid=1
http://mydomain.com/vwar/profile.php

However, there are likely to be more as vwar uses a common set of text
parsers
to protect again XSS and SQL code injection.

This issue can be used to attack other users of the vwar system,
including the
administrators, as data inputed on these forms is often sent for
administrator approval.
The results can include session highjacking, which would allow an
attacker to take
gain admin access.

2.2 Technical Details

Issue 1: http://mydomain.com/vwar/challenge.php - Additional Information
input field
Issue 2: http://mydomain.com/vwar/joinus.php - Additional Information
input field
Issue 3:
http://mydomain.com/vwar/admin/admin.php?action=finishwar&warid=1 - War
Report input field
Issue 4: http://mydomain.com/vwar/profile.php - Nick input field
Issue 5: http://mydomain.com/vwar/joinus.php - Contact information input
field

The Vwar system filters out <script> tag to prevent XSS, but allows
image (IMG) tags,
where javascript can be executed on the 'onload', 'onerror', and similar
events. If so, as
these forms are often sent to users there is the potential for an
attacker to high-jack the
session of another user, including a user with administrator access.

A proof of concept which work with all five issue can be seen by
entering the follow html in
the vulnerable fields

<IMG src='' onerror=alert(document.cookie)>

2.3 Workaround
Risk from issues 1, 2, 3, and 5 can be mitigated by setting turning the
following
settings to 'Off' in the adminstrators settings page.

HTML Code (Default On)
Enable Challenge Requests (Default On)
Enable Join Requests (Default On)

There is no known workaround for issue 4.

3. Broken Access Controls

3.1 Summary

There is lack of access controls in http://mydomain.com/vwar/popup.phpin the
print view system which allows an attacker to view articles normally
restricted
to users of the system.

3.2 Technical Details

It is possible to access member only news posts by using the printnews
action
though the newsid field in popup.php. For example, assuming article 3 is
hidden
from public view this following url will allow access to a user who has
not
logged in.

http://mydomain.com/vwar/popup.php?action=printnews&newsid=3

where as http://mydomain.com/vwar/news.php?newsid=3 and
http://mydomain.com/vwar/news.php correctly do not return the news
article
unless requested by a valid user.

3.3 Workaround

There is no known workaround for this issue.

4. Weak Password Generation

4.1 Summary

VWar has a fault with it's random password generation function which is
used
during account creation and the forgotten password functionality.
Passwords
generated this way are highly likely be one of a set of 60 passwords.

Vwar has no account lock out system in place to stop an attacker
attempting
to brute force a password of a valid user, meaning that an attacker with
an
automated tool can gain access to an account with a randomly generated
password in only a few seconds.

4.2 Technical Details

The bug is in vwar/includes/functions_common.php on line 724

716 function createRandomPassword ($passlen=15,$chars="")
717 {
718 $chars = trim($chars);
719 if(empty($chars)) $chars =
"aAb0Bc\$CdD1eEfF2gGh%3HiIj§J4kKl5Lm6MnNo7&OpPqQrR6sStTuUvV9wWxXyYzZ§$%&";
720
721 $charlen = strlen($chars);
722 for ($i = 0; $i < $passlen; $i++)
723 {
724 mt_srand(date("s", time() + $i * 4567));
725 $password .= substr($chars,mt_rand(1,$charlen),1);
726 }
727
728 return $password;
729 }

The mt_srand function is seeded with the number of seconds of the
current
system time, a limited set of 60 ('00' to '59'). As the seed
predetermines the
password which will be generated by this function, it is high likely
that the
password will be one of a set of only 60.

It is possible (although unlikely) that createRandomPassword could run
during the transition of one second to the next, meaning there is a
total of 420
possible password which could be generated.

With the designed user enumeration in
http://mydomain.com/vwar/admin/index.php?login=1
and other locations combined with the forgotten password functionality
makes it trival
to gain access to any account

4.3 Workaround

Users with default or reset passwords should be encouraged to reset them
manually to new secure passwords. However

5. Static Session Cookies

5.1 Summary

VWar's session cookies are static, meaning that a user will always be
given the
same sesion cookie. VWar will also allow authentication based solely on
this
cookie. If an attacker obtainers a users session cookie (trival using
finding 2),
session time outs and the logout function will not disrupt an attacker's
activities.

5.2 Technical Details

The session cookie is created by running the php function md5 on the
users
md5 hashed password, causing the session id to be static.

5.3 Workaround

There is no known workaround for this issue.
Login or Register to add favorites

File Archive:

October 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Oct 1st
    10 Files
  • 2
    Oct 2nd
    0 Files
  • 3
    Oct 3rd
    0 Files
  • 4
    Oct 4th
    0 Files
  • 5
    Oct 5th
    0 Files
  • 6
    Oct 6th
    0 Files
  • 7
    Oct 7th
    0 Files
  • 8
    Oct 8th
    0 Files
  • 9
    Oct 9th
    0 Files
  • 10
    Oct 10th
    0 Files
  • 11
    Oct 11th
    0 Files
  • 12
    Oct 12th
    0 Files
  • 13
    Oct 13th
    0 Files
  • 14
    Oct 14th
    0 Files
  • 15
    Oct 15th
    0 Files
  • 16
    Oct 16th
    0 Files
  • 17
    Oct 17th
    0 Files
  • 18
    Oct 18th
    0 Files
  • 19
    Oct 19th
    0 Files
  • 20
    Oct 20th
    0 Files
  • 21
    Oct 21st
    0 Files
  • 22
    Oct 22nd
    0 Files
  • 23
    Oct 23rd
    0 Files
  • 24
    Oct 24th
    0 Files
  • 25
    Oct 25th
    0 Files
  • 26
    Oct 26th
    0 Files
  • 27
    Oct 27th
    0 Files
  • 28
    Oct 28th
    0 Files
  • 29
    Oct 29th
    0 Files
  • 30
    Oct 30th
    0 Files
  • 31
    Oct 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close