##########################################################
# GulfTech Security Research                August, 31st 2004
##########################################################
# Vendor  : phpWebSite Development Team
# URL     : http://phpwebsite.appstate.edu/
# Version : phpWebsite 0.9.3-4 And Earlier
# Risk    : Multiple Vulnerabilities
##########################################################

Description:
phpWebSite provides a complete web site content management solution. All client output is valid XHTML 1.0 and meets the W3C's Web Accessibility Initiative requirements. Current features: announcement posting, form generator, user management with granulated administration, calendar, poll, FAQ, photo album, bulletin board, RSS feeds, user customizable theme support and more. It is one of the most popular content management systems in the world.

SQL Injection:
The calendar module of phpWebsite allows users to submit their own events to the calendar. Upon approval by an admin (or in some cases the admin does not need to approve it, but this is not a default setting) certain data that was supplied earlier by the user is then entered into the database. It could be possible for an attacker to insert malicious statements via the "cal_template" field and then influence the UPDATE query when it is executed. By default I believe the calendar module allows anyone to submit a new event for approval.

Cross Site Scripting:
The phpWebsite developers have done a good job of filtering GET requests that are passed to the application. However, I have found one place for a Cross Site Scripting attack to take place, and that is the comments module.

/index.php?module=comments&CM_op=replyToComment&CM_pid=1[XSS]

The above URL will render the specified code in the browsers of both guest users and logged-in users.

Script Injection:
When sending users private messages via the notes module it is possible to input script, HTML etc. into both the subject and the message fields of the note. When a user visits their notes module, or reads the note, the code will then be executed. This can be very dangerous and used to force command execution.

Forced Command Execution:
phpWebsite's only major flaw I have seen is the VERY unsafe use of the GET method (RFC 2616 9.1.1). The lack of an auth check before executing key functions is not good either. The code and the overall app are very nice, but this one issue allows a user to gain admin privileges and much more. Let's say a malicious user would like to become admin of a phpWebsite, or perform some admin functions such as deleting a user they are not very fond of, such as the site admin :P This is all very much possible, easy to do, and not very noisy at all. What we need to do is find a way to force an admin or user to perform a GET request to the desired command so that it is executed by them. Well, with the XSS and Script Injection vulns I mentioned earlier this becomes a VERY easy task. An attacker could use the previously mentioned vulns and send the malicious request in an image, iframe or any other appropriate tag and have them executed via the private message injection vuln, or the comments module XSS issue. The stuff I just mentioned all makes GET requests, but it is easy to force a user to make POST requests too. This can be done via a bit of JavaScript that automatically submits the form, and the private message feature which allows JavaScript to be sent.

Now here are some examples of the vulns.

/index.php?module=users&user_op=user_deify&deification=bestow&user_id=4
/index.php?module=users&user_op=turnOnAdmin&user_id=4
/index.php?module=users&user_op=deleteUser&confirm=yes&user_id=2

This sent to an admin in a PM will set the attacker to the deity level, make the attacker an admin, and then delete the admin from their own website. This example has the attacker as user id number 4 and the admin as number 2. Of course these will have to be changed in most cases to work. Now just send the following data in [img] tags, or an HTML img tag, to the desired administrator and then log in to your new super user account.

This issue affects almost all if not all of the components on the phpWebsite, so I am not going to include an example of every little place that this issue is present, but I will include examples of the more popular components such as the phpWebsite message board phpwsbb. This example will delete a desired forum, and then ban a specified user's (an admin maybe?) name and IP address.

/index.php?module=phpwsbb&PHPWSBB_MAN_OP=banusername&PHPWS_MAN_ITEMS[]=jeiar
/index.php?module=phpwsbb&PHPWSBB_MAN_OP=banip&PHPWS_MAN_ITEMS[]=127.0.0.1
/index.php?module=phpwsbb&PHPWSBB_MAN_OP=deleteforum&PHPWS_MAN_ITEMS[]=1&option_yes=yes

Just put those URLs inside of an [img] tag or an HTML image tag and the commands will likely be executed successfully. This also works for the deletion of posts, and just about anything else too.

Solution:
I would like to thank Matthew McNaney and the rest of the dev team for a prompt response and professional attitude. These guys care very much about the security of their product, and the well-being of the users.

http://www.phpwebsite.appstate.edu/index.php?module=announce&ANN_user_op=view&ANN_id=822

The updated security patches can be downloaded at the above link. The RFC 2616 security issues will be addressed in the next release of phpWebsite, due out at the end of the year. The next release will address these issues by requiring a valid authentication key for actions taken. It should be a great improvement and I believe it will help make phpWebsite one of the most secure open source content management systems around.

Related Info:
The original advisory can be found at the following location:
http://www.gulftech.org/?node=research&article_id=00048-08312004

Credits:
James Bercegay of the GulfTech Security Research Team
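The authentication-key fix described under Solution, shown as an added PHP example that is not phpWebSite's own code: a session-bound key that every state-changing module operation must carry, with GET refused for such operations so that a link reflected through a comment or private message cannot trigger them. The function names (issue_auth_key, admin_action_url, authorize_state_change) and the authkey parameter are assumptions, not names from phpWebSite.

```php
<?php
// Added example, not phpWebSite's code: a per-session authentication key gate
// for state-changing module operations, in the spirit of the fix the advisory
// says the next release would adopt. Function names are hypothetical.
declare(strict_types=1);

// Issue one random key per login and keep it server-side in the session.
function issue_auth_key(array &$session): string
{
    if (empty($session['auth_key'])) {
        $session['auth_key'] = bin2hex(random_bytes(32));
    }
    return $session['auth_key'];
}

// Build an admin action URL that carries the key. Someone planting a link in
// a comment or note cannot know the victim's key, so the bare URLs quoted in
// the advisory stop working when reflected through the victim's browser.
function admin_action_url(string $path, array $params, string $authKey): string
{
    $params['authkey'] = $authKey;
    return $path . '?' . http_build_query($params);
}

// Gate for every operation that modifies state (turnOnAdmin, deleteUser, banip...).
// GET is refused outright: RFC 2616 9.1.1 reserves it for safe requests, and an
// <img> or [img] tag can only produce GET. The key is then compared in constant time.
function authorize_state_change(string $method, array $request, array $session): bool
{
    if ($method !== 'POST') {
        return false;
    }
    $expected = $session['auth_key'] ?? '';
    $given = $request['authkey'] ?? null;
    if ($expected === '' || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}

// Constructed requests for demonstration (session is a plain array here).
$session = [];
$key = issue_auth_key($session);
$legit = ['module' => 'users', 'user_op' => 'deleteUser', 'confirm' => 'yes', 'user_id' => '2', 'authkey' => $key];
$forgedGet = ['module' => 'users', 'user_op' => 'turnOnAdmin', 'user_id' => '4'];
$forgedPost = $forgedGet + ['authkey' => str_repeat('0', 64)];
var_dump(authorize_state_change('POST', $legit, $session));      // admin's own form submission
var_dump(authorize_state_change('GET', $forgedGet, $session));   // link planted in a comment or note
var_dump(authorize_state_change('POST', $forgedPost, $session)); // auto-submitted form guessing the key
echo admin_action_url('/index.php', ['module' => 'users', 'user_op' => 'deleteUser'], $key), "\n";
```

The key check supplements, and does not replace, the per-action permission check the advisory notes is missing before key functions execute.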