74873 2002-09-09 17:55 /94 lines/ ppp-design <security@ppp-design.de>
Imported: 2002-09-09 17:55 by Brevbäraren
External recipient: bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <1416>
Subject: phpGB: cross site scripting bug
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ppp-design found the following cross-site-scripting bug in phpGB:

Details
-------
Product:          phpGB
Affected Version: 1.10 and maybe all versions before
Immune Version:   1.20
OS affected:      all OS with php
Vendor-URL:       http://www.walzl.net
Vendor-Status:    informed, new version available
Security-Risk:    high
Remote-Exploit:   Yes

Introduction
------------
phpGB is a php/mysql based guestbook. Unfortunately no input is being filtered for malicious code segments. That leads to the possibility of a cross-site-scripting attack.

More details
------------
A possible blackhat is able to insert e.g. javascript code into the guestbook entry. When an admin tries to delete this entry the script will be executed. So the attacker is able to e.g. get the session id and enter the admin area without being authenticated.

Proof-of-concept
----------------
Enter the following guestbook entry:

  "delete me <script>alert(document.cookie)</script>"

When an admin tries to delete this entry, a popup showing his session id will come up. Of course it is quite easy to submit this session id to blackhat's server instead of showing this popup.

Temporary-fix
-------------
Filter all inputs for unwanted code segments like html or javascript code.

Fix
---
phpGB 1.2 filters all inputs.

Security-Risk
-------------
Because after a successful attack an attacker is able to do anything an admin can do, the whole guestbook shall be deemed to be compromised. That is why we are rating the risk as high.

Vendor status
-------------
The author had already fixed this bug when we informed him.
Disclaimer
----------
All information that can be found in this advisory is believed to be true, but maybe it isn't. ppp-design cannot be held responsible for the use or misuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.

This advisory can be found online: http://www.ppp-design.de/advisories.php

--
ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org

iD8DBQE9fEyVDXh7YLO1RRoRAnEgAJ4kwbAytd4g8i38ngNTQ0DE19XULACg5DfR
j/Mes4I6IxqkiDrf2CYpEQY=
=eTCl
-----END PGP SIGNATURE-----
(74873) /ppp-design <security@ppp-design.de>/-------

74888 2002-09-09 19:58 /108 lines/ ppp-design <security@ppp-design.de>
Imported: 2002-09-09 19:58 by Brevbäraren
External recipient: bugtraq <bugtraq@securityfocus.com>
Recipient: Bugtraq (import) <1426>
Subject: phpGB: DoS and executing_arbitrary_commands
------------------------------------------------------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

ppp-design found the following design error in phpGB:

Details
-------
Product:          phpGB
Affected Version: 1.20 and maybe all versions before
Immune Version:   1.30
OS affected:      all OS with php
Vendor-URL:       http://www.walzl.net
Vendor-Status:    informed, new version available
Security-Risk:    high - very high
Remote-Exploit:   Yes

Introduction
------------
phpGB is a php/mysql based guestbook. The admin can change all settings within a php interface. Unfortunately the script lacks correct authentication, so everybody is able to override a config file, which leads to a DoS or to running arbitrary php commands on the server.

More details
------------
The problem is in /admins/savesettings.php.
The only check for authentication that is made is a check for the page being requested via POST. That is why it is very easy to fake authentication and to write anything to /include/config.php. Because this is a major file of the software, being included on nearly every page, a syntax error leads to a DoS of the whole guestbook. One more security aspect is the ability to insert arbitrary commands in the config file. When avoiding syntax errors, a possible blackhat is able to execute any php command on the server.

Proof-of-concept
----------------
After running the following proof of concept, you are presented with phpinfo() on every page of the guestbook. Of course you can insert any php code instead of phpinfo(); into /include/config.php. (\n is newline)

  telnet example.com 80\n
  POST /phpGB/admin/savesettings.php HTTP/1.0\n
  Content-Type: application/x-www-form-urlencoded\n
  Content-Length: 123\n
  dbpassword=%22%3Bphpinfo%28%29%3B%24a%3D%22&toolbar=1
  &messenger=1&smileys=1&title=1&db_session_handler=0
  &all_in_one=0&test=\n
  \n

Temporary-fix
-------------
Use .htaccess to restrict access to admin pages.

Fix
---
Use at least phpGB 1.30.

Security-Risk
-------------
Because an attacker is able to execute any php command, he is able to read all files including .htaccess or .htpasswd files or any password protected pages. Depending on system security he might be able to run any shell command on the server. That is why we are rating this security issue as high - very high.

Vendor status
-------------
After we had informed the author he needed about 12 hours for a new version.

Disclaimer
----------
All information that can be found in this advisory is believed to be true, but maybe it isn't. ppp-design cannot be held responsible for the use or misuse of this information. Redistribution of this text is only permitted if the text has not been altered and the original author ppp-design (http://www.ppp-design.de) is mentioned.
This advisory can be found online: http://www.ppp-design.de/advisories.php

--
ppp-design
http://www.ppp-design.de
Public-Key: http://www.ppp-design.de/pgp/ppp-design.asc
Fingerprint: 5B02 0AD7 A176 3A4F CE22 745D 0D78 7B60 B3B5 451A

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: Weitere Infos: siehe http://www.gnupg.org

iD8DBQE9fE2GDXh7YLO1RRoRAlWWAKC04HZKIMU/NLI+enSLY4cnUkbTLACg4Cwd
18owgIsobHKb8pHxPfW8TqY=
=ZS2f
-----END PGP SIGNATURE-----
(74888) /ppp-design <security@ppp-design.de>/-------
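Added example, not part of either advisory and not phpGB's own code: the two defect classes reported above, each shown as the vulnerable pattern beside a hardened version. The first part covers the stored cross-site scripting from the first advisory (escaping at output, plus an HttpOnly session cookie, which goes beyond the advisory's "filter all inputs" suggestion as defence in depth). The second part covers the unauthenticated write to include/config.php from the second advisory: the handler additionally requires a logged-in admin session, restricts the written keys to a fixed list, and emits every value with var_export() so that a posted value can only ever become a PHP string literal, never code. All function names, the SETTING_KEYS list, the $session['admin_logged_in'] flag and the sample payloads are assumptions made for this illustration.

```php
<?php
// Added example; not code from phpGB or from the advisories above. Function,
// variable and setting names are assumed for illustration.

// ---- 1. Stored cross-site scripting (first advisory) ----------------------

// Vulnerable pattern: the stored entry is placed into the admin page verbatim,
// so a guestbook entry containing <script> runs in the admin's browser.
function render_entry_unsafe(string $entry, int $id): string
{
    return '<li>' . $entry . ' <a href="delete.php?id=' . $id . '">delete</a></li>';
}

// Hardened: escape at the point of output. ENT_QUOTES also neutralises the
// quote characters needed to break out of an attribute value.
function render_entry(string $entry, int $id): string
{
    $safe = htmlspecialchars($entry, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<li>' . $safe . ' <a href="delete.php?id=' . $id . '">delete</a></li>';
}

// Defence in depth: an HttpOnly session cookie is not readable through
// document.cookie, so a missed escape no longer hands over the session id.
function harden_session_cookie(): void
{
    ini_set('session.cookie_httponly', '1');
    ini_set('session.use_only_cookies', '1');
}

// ---- 2. Unauthenticated write of include/config.php (second advisory) ------

// Vulnerable pattern: a posted value is interpolated straight into PHP source.
// The advisory's dbpassword value closes the string literal and appends code.
function build_config_unsafe(array $post): string
{
    return "<?php\n\$dbpassword = \"" . ($post['dbpassword'] ?? '') . "\";\n";
}

// Hardened: only known keys are written, and every value goes through
// var_export(), which emits a quoted, escaped PHP string literal. Quotes,
// semicolons or "$" inside the value therefore stay inside the literal.
const SETTING_KEYS = ['dbpassword', 'toolbar', 'messenger', 'smileys', 'title'];

function build_config(array $post): string
{
    $out = "<?php\n";
    foreach (SETTING_KEYS as $key) {
        $value = (string) ($post[$key] ?? '');
        $out .= '$' . $key . ' = ' . var_export($value, true) . ";\n";
    }
    return $out;
}

// The affected version's only gate was "request came in via POST", which any
// client can produce. The handler must also prove the caller is a logged-in
// admin before touching the config file.
function save_settings(string $method, array $session, array $post, string $configPath): bool
{
    if ($method !== 'POST') {
        return false;   // the original check, kept
    }
    if (empty($session['admin_logged_in'])) {
        return false;   // the missing check: authenticated admin only
    }
    return file_put_contents($configPath, build_config($post), LOCK_EX) !== false;
}

// Demo with the two payloads quoted in the advisories (constructed input; run from the CLI).
$entry = 'delete me <script>alert(document.cookie)</script>';
echo render_entry_unsafe($entry, 1), "\n";
echo render_entry($entry, 1), "\n";

$post = ['dbpassword' => '";phpinfo();$a="', 'toolbar' => '1', 'title' => 'My guestbook'];
echo build_config_unsafe($post);
echo build_config($post);

// An unauthenticated POST is refused and nothing is written; a logged-in admin succeeds.
$tmp = tempnam(sys_get_temp_dir(), 'cfg');
var_dump(save_settings('POST', [], $post, $tmp));
var_dump(save_settings('POST', ['admin_logged_in' => true], $post, $tmp));
unlink($tmp);
```

Running the demo prints the escaped entry (the <script> tag arrives at the browser as &lt;script&gt; text), the injected phpinfo() call in the unsafe config output, and the same value rendered harmless as a single-quoted literal in the hardened output. The .htaccess workaround from the second advisory is still a sensible outer layer, but the handler-level session check is what removes the design error itself.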