Milkeyway Captive Portal Multiple Vulnerabilities

 Name              Multiple Vulnerabilities in Milkeyway Captive Portal
 Systems Affected  WebCalendar (any version, verified on 0.1 and 0.1.1)
 Severity          Medium Risk
 Vendor            sourceforge.net/projects/milkeyway
 Advisory          http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt
 Author            Francesco "aScii" Ongaro (ascii at katamail . com)
 Date              20060316

I. BACKGROUND

Milkeyway is a software for the management and administration of
internet access within public structures and frameworks, where
the service supplying must be submitted to a scrupulous inspection.

II. DESCRIPTION

Nearly all SQL queries are vulnerable to SQL injection vulnerabilities.
There are also some XSS vulnerabilities.

III. ANALYSIS

Since there are 28 detected different vulnerabilities only an
abstract will be included in this mail, please refer to the complete
advisory aviable here:

http://www.ush.it/team/ascii/hack-milkeway/milkeyway.txt

1) LOGIN PAGE authenticate() SQL INJECTION
2) add_userIp() SQL INJECTION
3) updateTimeStamp() SQL INJECTION
4) authuser.php USER DELETE SQL INJECTION
5) delete_user() SQL INJECTION
6) authuser.php MODIFY USER modify_user() SQL INJECTION
7) authuser.php MULTIPLE XSS
8) authuser.php EDIT SQL INJECTION
9) authuser.php RELEASE USER SQL INJECTION
10) releaseUser() SQL INJECTION
11) authuser.php ORDERING SQL INJECTION
12) authgroup.php ADD GROUP SQL INJECTION
13) add_team() SQL INJECTION
14) authgroup.php DELETE GROUP SQL INJECTION
15) delete_team() SQL INJECTION
16) authgroup.php MODIFY TEAM SQL INJECTION
17) modify_team() SQL INJECTION
18) traffic.php MULTIPLE SQL INJECTION
19) userstatistics.php ADD USER SQL INJECTION
20) userstatistics.php DELETE USER SQL INJECTION
21) userstatistics.php MODIFY USER SQL INJECTION
22) userstatistics.php EDIT USER SQL INJECTION
23) userstatistics.php MULTIPLE XSS
24) userstatistics.php $_GET['username'] SQL INJECTION 1
25) userstatistics.php $_GET['username'] SQL INJECTION 2
26) chgpwd.php SQL INJECTION 1
27) chgpwd.php SQL INJECTION 2
28) logout.php SQL INJECTION

IV. DETECTION

Milkeyway 0.1 and 0.1.1 are vulnerable.

V. WORKAROUND

Input validation will fix the vulnerability.
Magic quotes ON will protect you against most of these injections
except chapter 11 (authuser.php ORDERING SQL INJECTION) where the
input has no single or double quotes around, making magic quotes
useless.

11) SQL is injectable by $_GET['filter']

---------------- in authuser.php -----------------
$orderingFilter = $_GET['filter'];
if ($orderingFilter == '') $orderBy ="order by uname ASC" ;
else $orderBy ="order by ".$orderingFilter." ".$direction;
$result = mysql_query("SELECT * FROM authuser ".$orderBy );
--------------------------------------------------

VI. VENDOR RESPONSE

Vendor has been contacted.

VII. CVE INFORMATION

No CVE at this time.

VIII. DISCLOSURE TIMELINE

20060301 Bug discovered
20060316 Vendor contacted
20060316 Advisory released

IX. CREDIT

ascii is credited with the discovery of this vulnerability.

X. LEGAL NOTICES

Copyright (c) 2005 Francesco "aScii" Ongaro

Permission is granted for the redistribution of this alert
electronically. It may not be edited in any way without mine express
written consent. If you wish to reprint the whole or any
part of this alert in any other medium other than electronically, please
email me for permission.

Disclaimer: The information in the advisory is believed to be accurate
at the time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct, indirect,
or consequential loss or damage arising from use of, or reliance on,
this information.




first sql injection ($_GET['date'])

----------------- in traffic.php -----------------

$act = $_GET['act'];
$idToProcess = $_GET['id'];
if ($act=='trafficDetails') {
 $date = $_GET['date']; 
 [..CUT..]
 $trafficQuery = "SELECT * FROM userData u where loginStartDate='".$date."' order by loginStartDate,loginStartTime ";
 $result =  mysql_query($trafficQuery);

--------------------------------------------------

second sql injection ($_GET['date'])

----------------- in traffic.php -----------------

$trafficByUser =  "SELECT * FROM traffic where time <= '".$upper."' and time >= '".$lower."' and date='''.$date.'''";
$result =  mysql_query($trafficByUser);

--------------------------------------------------

third sql injection ($_GET['id'])

----------------- in traffic.php -----------------

else if ($act=='groupDate'){
 [..CUT..]
 $trafficQuery = 'SELECT *,count(loginStartDate) FROM userData u where userId='.$idToProcess.' group by loginStartDate order by loginStartDate,loginStartTime';
 $result =  mysql_query($trafficQuery);

--------------------------------------------------

/milkeyway/admin/traffic.php?id=1&act=groupDate
                                ^

19) userstatistics.php ADD USER SQL INJECTION

-------------- in userstatistics.php -------------

if (isset($_POST['action'])) {
 $username = $_POST['username'];
 $password = $_POST['password'];
 $team = $_POST['team'];
 $level = $_POST['level'];
 $status = $_POST['status'];
 $action = $_POST['action'];
 $ipAddress = $_POST['ipAddress']; 
 $ipAddress = $_POST['macAddress']; 
} elseif (isset($_GET['act'])) {
 $act = $_GET['act'];

[..CUT..]

if ($action == "Add") {
 $situation = $user->add_user($username, $password, $team, $level, $status); // VULNERABLE, SEE POINT 2

--------------------------------------------------

20) userstatistics.php DELETE USER SQL INJECTION

-------------- in userstatistics.php -------------

if ($action=="Delete") {
 $delete = $user->delete_user($username); // VULNERABLE, SEE POINT 5

--------------------------------------------------

21) userstatistics.php MODIFY USER SQL INJECTION

-------------- in userstatistics.php -------------

if ($action == "Modify") {
 $update = $user->modify_user($username, $password, $team, $level, $status); // VULNERABLE, SEE POINT 6

--------------------------------------------------

22) userstatistics.php EDIT USER SQL INJECTION

-------------- in userstatistics.php -------------

if ($act == "Edit") {
 $username = $_GET['username'];
 $listusers = mysql_query("SELECT * FROM authuser u LEFT OUTER JOIN userData d on u.id=d.userid where u.uname='$username'");

--------------------------------------------------

23) userstatistics.php MULTIPLE XSS

for example the variable $username is taken an other time from GET and then printed

-------------- in userstatistics.php -------------

if ($act == "statistics") {
 $username = $_GET['username'];

[..CUT..]

<? echo $username ?>

--------------------------------------------------

24) userstatistics.php $_GET['username'] SQL INJECTION 1

-------------- in userstatistics.php -------------

if ($act == "statistics") {
 $username = $_GET['username'];

[..CUT..]

$result = mysql_query("SELECT id  FROM  authuser where uname = '$username'");

--------------------------------------------------

25) userstatistics.php $_GET['username'] SQL INJECTION 2

-------------- in userstatistics.php -------------



26) chgpwd.php MULTIPLE SQL INJECTION 1

-------------------- chgpwd.php ------------------

if (isset($_POST['submit'])){
 $USERNAME = $_COOKIE['USERNAME'];
 $PASSWORD = $_COOKIE['PASSWORD'];
 $submit = $_POST['submit'];
 $oldpasswd = $_POST['oldpasswd'];
 $newpasswd = $_POST['newpasswd'];
 $confirmpasswd = $_POST['confirmpasswd'];
 [..CUT..]
 $userdata = mysql_query("SELECT * FROM authuserWHERE uname='$USERNAME' and passwd='$PASSWORD'");

--------------------------------------------------

27) chgpwd.php MULTIPLE SQL INJECTION 2

-------------------- chgpwd.php ------------------

// If everything is ok, use auth class to modify the record
$update = $user->modify_user($USERNAME, $newpasswd, $check["team"], $check["level"], $check["status"]); // VULNERABLE, SEE CHAPTER 6

--------------------------------------------------

28) logout.php SQL INJECTION

-------------------- chgpwd.php ------------------

$username=$_GET['username'];
[..CUT..]
$utils->updateTimeStamp($username,"loginEndDate","CURRENT_DATE()");
$utils->updateTimeStamp($username,"loginEndTime","CURRENT_TIME()");

--------------------------------------------------

29) CONCLUSION

no conclusion. fuck em.
every function is bogous.

i hope you have magic_quotes on

Francesco 'ascii' Ongaro